pfSense and DNS

Discussion in 'Networking & Security' started by amrogers3, Feb 13, 2016.

  1. amrogers3

    amrogers3 Gawd

    Messages:
    570
    Joined:
    Nov 7, 2010
    So, from my understanding, pfSense has several ways to assign DNS servers.

    There is a "General Setup" tab where you can put in DNS, and there is also the "DHCP Server" page where you can push DNS to clients.

    I don't want clients assigned DNS via DHCP, so how can I make clients use the DNS servers listed in "General Setup"? I understand this is for the router and not used by the LAN, so I'm not sure how to make my clients use these DNS servers.

    I have OpenDNS servers listed in General Setup, but my clients are completely bypassing the OpenDNS servers.

     
  2. Brian_B

    Brian_B 2[H]4U

    Messages:
    2,747
    Joined:
    Mar 23, 2012
    Hmm, why don't you just put the same DNS servers in the DHCP info? Not to be an ass, but it really sounds like you are saying "I want to tell my clients what DNS server to use, and there is this really easy way to do it via DHCP, but I don't want to do it that way for some reason." I think I'm just misunderstanding what you are asking for, though.

    I don't know if you can prevent a client from using a specific DNS if they enter one in manually, short of blacklisting specific IPs, forcing all traffic to go through an internal proxy, or getting down into some packet sniffing.
     
  3. amrogers3

    amrogers3 Gawd

    Messages:
    570
    Joined:
    Nov 7, 2010
    No worries Brian, I get what you are saying. Thanks for the post.

    It's my limited knowledge of pfSense that is creating confusion. I have been googling and googling and can't figure out what purpose the DNS servers on the General Setup tab are for.

    It seems like they would be used for resolution, but the clients are completely bypassing them.

    And yes, pushing DNS to them from the DHCP server definitely works, but I'm trying to lock down the firewall so that clients can only communicate with the gateway.
     
  4. Soldier101

    Soldier101 Gawd

    Messages:
    621
    Joined:
    Jan 8, 2002
    The General DNS is what the pfSense device uses. The DHCP DNS is what the clients behind it will use.
     
  5. amrogers3

    amrogers3 Gawd

    Messages:
    570
    Joined:
    Nov 7, 2010
    So, like Brian was saying earlier, I have to push DNS out through the DHCP server settings in order for clients to use the OpenDNS servers?
     
  6. rma

    rma Limp Gawd

    Messages:
    192
    Joined:
    Mar 16, 2015
    Set the DHCP server to push out OpenDNS for DNS and you should be good.
     
  7. amrogers3

    amrogers3 Gawd

    Messages:
    570
    Joined:
    Nov 7, 2010
    Got it working, thank you all for the help. :D
     
  8. ltickett

    ltickett [H]ard|Gawd

    Messages:
    1,125
    Joined:
    Jul 27, 2000
    You might be able to set firewall rules to redirect all outbound traffic from the LAN on the DNS port to your preferred DNS server(s).
     
  9. Red Squirrel

    Red Squirrel [H]ardForum Junkie

    Messages:
    9,211
    Joined:
    Nov 29, 2009
    I would set them through DHCP, but also create a firewall rule to block port 53 UDP and TCP to all other IPs but those ones. If someone tries to change it, it just won't work.
     
    Last edited: Feb 15, 2016
  10. squishy

    squishy [H]ard|Gawd

    Messages:
    1,207
    Joined:
    May 25, 2006
    UDP 53 is DNS (yes, TCP for zone transfers or large queries). 25 TCP is SMTP.

    You can redirect outbound DNS to, or only allow DNS to, your preferred servers.
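    The two approaches the last few posts describe (redirect stray DNS queries to the gateway's resolver, or only allow DNS to the gateway and drop everything else) written out as a pf ruleset fragment. This is an added example, not code from the thread or pfSense's own generated ruleset; the interface name em1, the gateway address 192.168.1.1 and the subnet 192.168.1.0/24 are assumed, and in the pfSense GUI these correspond to a LAN firewall rule pair and a NAT port forward rather than hand-edited pf.conf.

```pf
# Constructed pf.conf fragment in FreeBSD pf syntax (the packet filter pfSense runs).
# Not pfSense's generated ruleset; interface and addresses below are assumed.
lan     = "em1"              # assumed LAN interface
lan_ip  = "192.168.1.1"      # assumed pfSense LAN address, i.e. the resolver clients should use
lan_net = "192.168.1.0/24"   # assumed LAN subnet

# Option A (posts 8 and 10): transparently redirect any DNS query aimed at some
# other server back to the local resolver. In pf.conf, translation (rdr) rules
# must appear before the filter rules.
rdr pass on $lan proto { tcp udp } from $lan_net to ! $lan_ip port 53 -> $lan_ip port 53

# Option B (post 9): allow DNS only to the gateway and drop (and log) the rest.
# "quick" makes the first matching rule final, so the pass must precede the block.
pass  in quick     on $lan proto { tcp udp } from $lan_net to $lan_ip port 53
block in quick log on $lan proto { tcp udp } from $lan_net to any     port 53
```

    Pick one of the two options rather than both: pf applies the redirect before the filter rules, so with option A in place a stray query already has its destination rewritten to the gateway by the time option B's block rule would see it. The log keyword on the block rule is the useful part for an operator, since every hit identifies a client with a hard-coded resolver that is ignoring the DHCP-assigned one. Either option only governs plain DNS on port 53; DNS over TLS (853) or over HTTPS (443) is not affected by these rules and needs separate handling if that matters on your network.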
     
  11. Red Squirrel

    Red Squirrel [H]ardForum Junkie

    Messages:
    9,211
    Joined:
    Nov 29, 2009
    Errr, yeah, not sure why I said 25, was having a brain fart there. I meant to say 53.
     
  12. +Eric

    +Eric Limp Gawd

    Messages:
    128
    Joined:
    Jul 4, 2012
    I don't think anyone really answered your question, and it might be a bit unclear what you want to do. But I'll explain some things, as I think you're just not sure of how DNS resolving works in pfSense.

    You can set OpenDNS as the DNS servers in General Setup, that's fine. You'll want to make certain "Allow DNS server list to be overridden by DHCP/PPP on WAN" is unchecked under General Setup too, or whatever your ISP assigns as DNS will be overridden.

    After this, you have two options. If you have at least 2.2.2 (and probably this is true in 2.2.1) you can use the Unbound DNS server on pfSense. This is what I'd recommend. Unbound is awesome. You'll find it in DNS Resolver. If you want to use that, check out DNS Forwarder and make sure "Enable DNS forwarder" is unchecked. If you want to use DNS Forwarder, check that and make certain "Enable DNS Resolver" under Services > DNS Resolver is unchecked.

    So as far as the Unbound setup goes, we need to do a few things really quick. Services > DNS Resolver. Enable it. Set Network Interfaces to LAN and Localhost, and OPT1 if you have it and it's LAN side. Or any other interfaces that are *inside* (LAN side) of your network. No WAN interfaces should be checked here. Use Ctrl to select multiples. Outgoing should remain "all".

    I don't think OpenDNS supports DNSSEC, so probably leave that unchecked. DNS Query Forwarding needs to be checked. This means that instead of using the DNS root servers, it'll use the DNS servers you've defined in General Setup. That's it, save and apply, and make sure everything is right after the reload on that page.

    Then in DHCP Server, you're going to set your DNS Servers there to whatever IP your pfSense box is. Maybe 192.168.1.1 or whatever. You'll only need that one IP in there. Save and Apply. You'll need to do this for any LAN side interfaces.

    So to directly answer one of your questions in post 3, the DNS servers listed in General Setup are for pfSense's use. If you use Unbound (DNS Resolver) or DNS Forwarder, it'll then use those servers. Unless you have reason to do otherwise, I'd recommend setting up like I've outlined using DNS Resolver, it's really good.

    After you've set up DHCP Server to assign the pfSense IP as DNS Server for your network, reload the NIC on a client machine or just reboot. Once you've done that you'll see that for DNS Server that client is assigned your pfSense IP.
