OPNsense Forum

Archive => 21.7 Legacy Series => Topic started by: timthedevguy on March 14, 2022, 01:46:22 am

Title: Yet another DNS topic
Post by: timthedevguy on March 14, 2022, 01:46:22 am
Greetings,

I have spent hours researching how to do what I want and I found out how but I don't know why.

Network is pretty simple, Windows AD Domain with DHCP and DNS on redundant DCs.  All Servers use the DCs for DNS, all clients use the DCs for DHCP which of course passes the DCs as DNS servers.  I run a Pihole server on Docker and use it as my Forwarder.

I recently switched to OpnSense from Sophos XG.  In the XG I blocked all DNS traffic from any LAN address BUT the Pihole box.  This ensured that Chrome was not able to bypass Pihole.

Every piece of information I've found says I need to enable Unbound DNS and add some weird This Firewall rules, but I don't understand WHY.  Why can't I just put in the Allow DNS from PIHOLE rule first then the Deny DNS from * rule next.  This does not work in OpnSense.

Any insight would be helpful, I apologize if this information was present someplace.
Title: Re: Yet another DNS topic
Post by: bartjsmit on March 14, 2022, 07:23:18 am
Short answer is yes. I run internal DNS on AD and I don't use unbound.

Try floating rules to allow 53 TCP+UDP from Pi-hole followed by deny all 53 TCP+UDP on all relevant interfaces.

That only leaves DOH to worry about  ;)

Bart...
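To make the rule ordering concrete, here is an added Python model of first-match evaluation for the two floating rules described above; it is not OPNsense or pf code, and the Pi-hole and client addresses are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str        # "pass" or "block"
    protos: tuple      # protocols the rule matches, e.g. ("tcp", "udp")
    src: str           # source network in CIDR notation
    dport: int         # destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dport: int


# Constructed addresses (assumption, not from the thread): Pi-hole at 192.168.1.10.
PIHOLE = "192.168.1.10/32"
ANY = "0.0.0.0/0"

# The two floating rules in the order given: allow 53 from Pi-hole, then deny 53 from everyone.
FLOATING_RULES = [
    Rule("pass", ("tcp", "udp"), PIHOLE, 53),
    Rule("block", ("tcp", "udp"), ANY, 53),
]


def matches(rule: Rule, pkt: Packet) -> bool:
    return (pkt.proto in rule.protos
            and ip_address(pkt.src) in ip_network(rule.src)
            and pkt.dport == rule.dport)


def evaluate(rules, pkt: Packet) -> Optional[str]:
    """First matching rule wins. None means no floating rule matched,
    so the packet falls through to the interface rules."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return None


if __name__ == "__main__":
    for pkt in (Packet("udp", "192.168.1.10", 53),    # Pi-hole forwarding upstream
                Packet("tcp", "192.168.1.50", 53),    # client trying its own resolver
                Packet("tcp", "192.168.1.50", 443)):  # not DNS: floating rules stay silent
        print(pkt, "->", evaluate(FLOATING_RULES, pkt))
```

Swapping the two rules makes the deny match the Pi-hole first, which is the ordering mistake to check for when a "working" rule set suddenly blocks the forwarder.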
Title: Re: Yet another DNS topic
Post by: timthedevguy on March 14, 2022, 10:58:33 am
You are awesome Bart.  I moved the rules that I would expect to work on [LAN] to Floating and everything runs as it should.  Thanks so much!!!
Title: Re: Yet another DNS topic
Post by: emmitt on March 17, 2022, 08:11:31 am
Same problem here - could you share a screenshot or something like that? Thanks