Single wan gateway but DNS filtering per LANs ( or IPs ) like in 2 gateway ?

n3by

Hi,

I try to do a filtering using DNS filter & pfblockerNG DNSBL ( no more SquidGuard ).

OpenDNS will do filtering for parental control.
GoogleDNS will skip parental control.
pfblocker DNSBL will do filtering for Adverts, Tracking… for all DNS request.

I have one WAN gateway and 4 LAN's.

I want that some LANs ( or IPs ) to use OpenDNS servers and others LANs ( or IPs ) to use GoogleDNS or similar servers.
Something like having 2 wan gateways with different DNS servers so I can force traffic from a LAN or IP to use DNS from specific gateway, but I don't think is possible to do something like a "virtual gateway" to achieve this setup.

I can't use DNS overwrite in DHCP server or static ARP other than LAN IP interface as DNS; because if DNS is not handled by pfsense it will escape from pfbDNSBL filtering... this is the problem I am facing now, clients that use GoogleDNS escape from pfbDNSBL filter.

Clients from LANs will have get DNS server only from pfsense ( LAN IP interface ) and all attempt to use another DNS server will be redirected to DNS servers assigned to that interface. ( this part is well described in pfsense DNS redirect tutorials ).

any idea if this can be done and how ?

thank you

Derelict

I do this by setting up DNS forwarder to listen just on Localhost port 8053.

I set the forwarder to use OpenDNS as its servers.

I then place a port forward on the controlled LAN (OPT2) that redirects all traffic for OPT2 address TCP/UDP 53 to 127.0.0.1 8053.

Naturally, you have to block all TCP/UDP/53 other than to OPT2 address.

Everyone else just uses DNS Resolver normally.

Don't use pfblockerng so this might not help you at all.

n3by

Hi,

thank you for answer,

I can try this with your help but please let me know where I can set the DNS servers to be used by forwarder because I can't see it yet.

Thank you

![2015-11-15 01.34.07.jpg](/public/imported_attachments/1/2015-11-15 01.34.07.jpg)
![2015-11-15 01.34.07.jpg_thumb](/public/imported_attachments/1/2015-11-15 01.34.07.jpg_thumb)
![2015-11-15 01.34.14.jpg](/public/imported_attachments/1/2015-11-15 01.34.14.jpg)
![2015-11-15 01.34.14.jpg_thumb](/public/imported_attachments/1/2015-11-15 01.34.14.jpg_thumb)
![2015-11-15 01.36.47.jpg](/public/imported_attachments/1/2015-11-15 01.36.47.jpg)
![2015-11-15 01.36.47.jpg_thumb](/public/imported_attachments/1/2015-11-15 01.36.47.jpg_thumb)

Derelict

Sorry. I have this in the Advanced section:

no-resolv
strict-order
server=208.67.222.222
server=208.67.220.220

n3by

Thank you very much for your help.

I set Forwarder according to your indications and this config with Forwarder using one DNS server and Resolver another DNS servers it is working ok for multi DNS - content filtering.
I will stick with this configuration because it is easy to maintain and can be apply also to DNS per IP not only to LAN, using redirecting in NAT - Port Porward based on IP Source address.

Unfortunately with this setup Forwarder still escape from pfbDNSBL filter.

n3by

Now I understand why pfBlockerNG can't work with Forwarder to filter DNS.

pfBlockerNG is using Unbound which have function Dnsspoof to do DNS filtering.

https://calomel.org/unbound_dns.html