VMware is bypassing openDNS servers
-
I am getting strange behavior and can't seem to figure out why. I have set openDNS servers in the pfSense configuration and I see the OS on VMware is reaching out to the default gateway 10.0.1.1 via wireshark. However, somehow DNS queries are bypassing openDNS servers; some block pages can be browsed to via vmware. These same pages are blocked if I am browsing to them from my laptop.
VMware is in bridged mode.
I tried ipconfig /renew and ipconfig /flushdns neither of those had an effect.
I have DHCP set up as follows:
Also, DNS firewall configuration does work as instructed by this post: https://doc.pfsense.org/index.php/Blocking_DNS_queries_to_external_resolvers
 -
pfsense out of the box currently uses unbound in resolver mode - it doesn't forward anywhere… So setting pfsense to use some dns server has nothing to do with what unbound would be doing.
As to your dhcp setting pointing your clients to opendns - are they getting that?? Did you renew the lease once you made the change... Are your clients actually using pfsense dhcp?
-
Hello JohnP,
I have DNS Resolver forwarded to all interfaces. So it appears I tried to assign openDNS two ways. First through DNS forwarded via the DNS servers assigned through "General Setup" and then through DHCP Server assigning DNS to all clients. However, openDNS does not work in General Setup because they are not forwarded. Please correct me if I am wrong here.
I think I may be halfway there. I just verified that the clients are being assigned openDNS through the "DHCP Server" settings.
However, I don't want this. I would like the clients to first go to the gateway for DNS resolution. But like you said if I remove the openDNS servers from "DHCP Server" settings the DNS servers listed in the General Setup will not be forwarded to my clients.
So, how can I make all clients query the gateway and then utilize the openDNS servers without having them assigned by the DHCP server? I believe I will have to use DNS Forwarder. However, will this break my VPN setup?
(disregard question about firewall in previous post) I understand why that does not work.
-
"I have DNS Resolver forwarded to all interfaces"
What does that even freaking mean?? Its gibberish..
If you want to use the forwarder then use the forwarder vs resolver, what does that have to do with breaking vpn?? If you want your clients to query pfsense be it running forwarder or resolver than do so..
-
I am confused on how to make my clients query Resolver. If the DNS servers in General Setup are not used by LAN then I am not sure how to make clients query those servers.
Here is what I mean about Resolver and interfaces: (forwarded was not the right word)
 -
So resolver does not forward, it resolves.. Why would it go out all your interfaces to get to the authoritative servers? Outgoing should only be your interface(s) that have internet access. You should only listen on interfaces your going to get queries on.. localhost and lan, opt1 most likely.
If you want pfsense to just forward, then use the forwarder or enabled forwarder mode in unbound (resolver).. Make sure you uncheck to override from your isp..
-
The problem is that I do have it set up like you recommended and the openDNS servers are not being used. Is there anyway for my LAN clients to use openDNS without pushing the openDNS server to them from DHCP?
 -
yes use the forwarder and forward to them.. Then you clients being set to ask pfsense, pfsense just forwards the queries to where you forward…
Set pfsense in general to use the opendns
turn off the resolver, enable the forwarder.. validate that your clients are pointing pfsense for dns
Then just go to https://www.opendns.com/welcome/ to validate your using opendns, or just do a simple dig or nslookup for which.opendns.com txt and you will get back which opendns your using.. So you see I get back 3.chi
So I put mine back to using the resolver, because its a better overall solution and I know for a fact I am getting dnssec, etc. As you can see from 2nd attached pic, I now fail those using opendns tests
-
Thanks JohnP, everything is working and I am good to go. ;D
