Single WAN gateway but DNS filtering per LAN (or IP) like with 2 gateways?
-
Hi,
I am trying to do filtering using the DNS filter & pfBlockerNG DNSBL (no more SquidGuard).
- OpenDNS will do filtering for parental control.
- GoogleDNS will skip parental control.
- pfBlockerNG DNSBL will do filtering for adverts, tracking, etc. for all DNS requests.
I have one WAN gateway and 4 LAN's.
I want some LANs (or IPs) to use the OpenDNS servers and other LANs (or IPs) to use GoogleDNS or similar servers.
Something like having 2 WAN gateways with different DNS servers, so I can force traffic from a LAN or IP to use the DNS from a specific gateway, but I don't think it is possible to do something like a "virtual gateway" to achieve this setup. I can't use a DNS override in the DHCP server or static mapping other than the LAN interface IP as DNS, because if DNS is not handled by pfSense it will escape from the pfB DNSBL filtering... this is the problem I am facing now: clients that use GoogleDNS escape from the pfB DNSBL filter.
Clients on the LANs will get their DNS server only from pfSense (the LAN interface IP), and any attempt to use another DNS server will be redirected to the DNS servers assigned to that interface. (This part is well described in the pfSense DNS redirect tutorials.)
Any idea if this can be done, and how?
thank you
-
I do this by setting up the DNS Forwarder to listen just on Localhost, port 8053.
I set the Forwarder to use OpenDNS as its servers.
I then place a port forward on the controlled LAN (OPT2) that redirects all traffic for the OPT2 address, TCP/UDP 53, to 127.0.0.1:8053.
Naturally, you have to block all TCP/UDP 53 other than to the OPT2 address.
Everyone else just uses the DNS Resolver normally.
I don't use pfBlockerNG, so this might not help you at all.
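The port forward and firewall rules the answer above describes, written out as raw pf syntax so the three pieces (redirect, allow the redirected lookups, block everything else on port 53) can be read together. This is an added illustration, not from the original post and not the rule set pfSense generates from its GUI; the interface name, OPT2 network and OPT2 address are assumptions.

```pf
# Added illustration of the answer's setup in raw pf syntax.
# Interface name, network and address below are assumed, not from the thread.
opt2_if   = "em2"
opt2_net  = "192.168.2.0/24"
opt2_addr = "192.168.2.1"

# Firewall > NAT > Port Forward: lookups that OPT2 clients send to the
# OPT2 address on port 53 land on the Forwarder bound to 127.0.0.1:8053.
rdr on $opt2_if inet proto { tcp, udp } from $opt2_net to $opt2_addr port 53 -> 127.0.0.1 port 8053

# Firewall > Rules (OPT2): pf filters after translation, so the allow rule
# matches the translated destination, not the original port 53 one.
pass in quick on $opt2_if inet proto { tcp, udp } from $opt2_net to 127.0.0.1 port 8053

# Block port 53 to anything else so a client pointed at 8.8.8.8 cannot
# bypass the Forwarder; "log" makes bypass attempts visible in the firewall log.
block in quick log on $opt2_if inet proto { tcp, udp } from $opt2_net to any port 53
```

The pass rule before the block rule matters: pfSense evaluates rules first match wins, and because the redirect has already rewritten the destination to 127.0.0.1:8053, the later block on port 53 never sees the legitimate lookups. A client that hard-codes a public resolver will show up in the log from the block rule, which is a quick way to confirm the bypass path is closed.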
-
Hi,
Thank you for the answer.
I can try this with your help, but please let me know where I can set the DNS servers to be used by the Forwarder, because I can't see it yet.
Thank you
![2015-11-15 01.34.07.jpg](/public/imported_attachments/1/2015-11-15 01.34.07.jpg)
![2015-11-15 01.34.14.jpg](/public/imported_attachments/1/2015-11-15 01.34.14.jpg)
![2015-11-15 01.36.47.jpg](/public/imported_attachments/1/2015-11-15 01.36.47.jpg)
-
Sorry. I have this in the Advanced section:
no-resolv
strict-order
server=208.67.222.222
server=208.67.220.220
-
Thank you very much for your help.
I set the Forwarder according to your indications, and this config, with the Forwarder using one DNS server and the Resolver other DNS servers, is working OK for multi-DNS content filtering.
I will stick with this configuration because it is easy to maintain and can also be applied to DNS per IP, not only per LAN, using redirection in NAT > Port Forward based on the source IP address. Unfortunately, with this setup the Forwarder still escapes from the pfB DNSBL filter.
-
Now I understand why pfBlockerNG can't work with the Forwarder to filter DNS.
pfBlockerNG is using Unbound, which has a function, Dnsspoof, to do DNS filtering.
https://calomel.org/unbound_dns.html