DNS Concern
-
Hi, I am using DNS with Unbound. I am able to block sites with web filtering; the problem is I want users that won't use the OpenDNS DNS, maybe using other DNS like Google DNS. I tried changing a user's DNS to Google but got no internet.. Any suggestion how to separate Google DNS from OpenDNS?
-
Huh??? If you don't want users using anything other than pfSense for DNS, then block 53 TCP/UDP to anything other than the pfSense IP.
-
Just blocking them? Aw, that's no fun. We can be sneakier than that. ;D
https://doc.pfsense.org/index.php/Redirecting_all_DNS_Requests_to_pfSense
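The two approaches from the thread, the plain block from the earlier reply and the redirect from the linked doc, written out as pf rules. This is an added example, not from the thread or the pfSense documentation; the interface name, LAN subnet and firewall address are constructed assumptions.

```pf
# Added example (not from the thread). Assumptions (constructed):
# LAN interface em1, LAN network 192.168.1.0/24, and the firewall's LAN
# address 192.168.1.1, where Unbound listens.
lan_if  = "em1"
lan_net = "192.168.1.0/24"
fw_lan  = "192.168.1.1"

# Option 2 (redirect), from the linked doc: translation rules come before
# filter rules in pf.conf. Any DNS request aimed at a resolver other than
# the firewall is rewritten to land on the firewall's Unbound instead.
# Queries already addressed to $fw_lan are left untouched.
rdr on $lan_if proto { tcp udp } from $lan_net to ! $fw_lan port 53 -> $fw_lan port 53

# Option 1 (block): allow DNS only to the firewall's resolver and drop the
# rest. Logging the drops is what tells support why a client with a
# hard-set resolver "has no internet".
pass in quick on $lan_if proto { tcp udp } from $lan_net to $fw_lan port 53
block in log quick on $lan_if proto { tcp udp } from $lan_net to any port 53

# Pick one approach. If the rdr rule is kept, translation happens before
# filtering, so redirected queries arrive with destination $fw_lan, match
# the pass rule, and the block rule never fires for them.
```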
-
And how would you bitch if your ISP redirected your traffic? If you don't want a user doing something then sure, block it.. But redirecting their traffic to somewhere else is not how you would want your traffic treated, so why would you do it to someone else?
If what you're looking to do is get some appliance of yours that is hard coded to use a DNS you do not want it to use, and it's your appliance, then sure.. But just redirecting all DNS traffic to your DNS when it's not your traffic is not good practice if you ask me..
-
If they're already taking the step to strangle the network by blocking sites they think are "bad" then they don't have any incentive to treat DNS any better.
It's either redirect so that people with broken or intentionally mis-set DNS still get connectivity with the desired filtering, or drop their DNS traffic so they get nothing.
If someone is actively attempting to circumvent protections put in place by the network admins, they don't have any right to whinge about being redirected.
Someone could still look up the DNS by other means and hardcode it, of course. Or use a VPN connected by IP address.
-
"drop their DNS traffic so they get nothing."
There you go, that is what I say you do… When the user says this doesn't work, then you tell them, well, if you want DNS then you have to use the DNS provided, or tough..
Which is why I recommend blocking it. If you own the firewall it's clearly your network; if you don't want people using other DNS then that is your right as the owner of the network.. But I think redirection is underhanded..
My ISP blocks outbound on 25.. Fair enough, it's BLOCKED, and I can understand their reasoning with all the idiot users there are out there, etc. But I would be pretty ticked off if every time I tried to connect to 25 I got redirected to their mail server..
Just my take on the matter.
-
I agree to a point – but it depends on the network. If it's an open access network you are paying for, block it. If it's a private business/school network and someone is violating a policy, redirect it.
From a support perspective, redirecting would lessen a potential burden on support personnel.
-
In a network that you're providing support for the users, say a company, users shouldn't have control of the company hardware they are using to change it from what is handed out anyway. So I don't see any extra support calls happening there.
If the user is a power user, say a network engineer, and they are calling support because DNS is blocked, then they are probably in the wrong job ;)
If it's a BYOB type network, and they don't want to use what is provided via DHCP or instructions, and something doesn't work and they want to open a support ticket.. It doesn't take long to deny the opening of the ticket based upon the issue, if you ask me..
The only time I think redirection makes sense is when you're trying to get something to work, like an appliance that is hard coded to use say Google DNS because the maker of the device doesn't think things through on what type of network their device might be used on, and say ignores what you hand out via DHCP, etc. And either your network policy prevents that, or you're trying to circumvent say a regional block based upon where the DNS query came from, which is the typical case with home users.
Owners of said network are free to do whatever they want with their network; I just personally think redirection of someone else's traffic is an underhanded way of doing it.. Either block it or allow it. Redirection is manipulation of my traffic, and I'm not a fan of that at all..
-
Unbound or bust.
I have outbound filters that end up blocking DNS requests to some naughty authoritative DNS servers that ISP and other publicly available DNS would happily resolve.