I'm reading two articles regarding how to configure for internal DNS only: the first on the Zenarmor website (https://www.sunnyvalley.io/docs/network-security-tutorials/how-to-configure-opnsense-firewall-rules#1-allowing-only-specific-dns-servers) and the second one from the Home Network Guy here (https://homenetworkguy.com/how-to/create-basic-dmz-network-opnsense/).
There are a couple of differences:
1) for the allow internal DNS rule, in the first case the source address is any and in the second example it is XXXnet
2) for the blocking external DNS rule, in the first case the source address is any and in the second example it is XXXnet
Anyone who could explain to me the logic behind it?
Tia.
My first thought:
Second example (Home Network Guy) sets this up for the DMZ (xxxnet) interface and is just using the DMZ net as source. However, setting this up should ensure that all clients use internal DNS, and all clients will come from their specific interface / net (a client on the DMZ interface will always come from DMZ). I think it doesn't matter whether you use xxxnet or any.
But remember that these "force local DNS" rules will not work for DoT and DoH (and DoQ).
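To see why the two variants behave the same on the DMZ interface, and why DoT/DoH slip past them, here is a small first-match rule simulator written as an added example for this thread (it is not from either article or from OPNsense itself); the DMZ subnet, the resolver address and the client IPs are constructed values.

```python
import ipaddress

# Constructed values (assumptions, not from the thread): the DMZ subnet that
# OPNsense would expose as "DMZ net", and the internal resolver's address.
DMZ_NET = ipaddress.ip_network("10.10.0.0/24")
INTERNAL_DNS = "10.0.0.53"
DNS_PORTS = {53}  # plain DNS only; DoT uses 853 and DoH rides on 443

def force_local_dns_rules(source):
    """The two-rule set both articles describe, with the source set either to
    the string "any" or to an ip_network (the "XXXnet" variant)."""
    return [
        {"action": "pass",  "src": source, "dst": INTERNAL_DNS, "dports": DNS_PORTS},
        {"action": "block", "src": source, "dst": "any",        "dports": DNS_PORTS},
    ]

def _src_ok(rule_src, src_ip):
    return rule_src == "any" or ipaddress.ip_address(src_ip) in rule_src

def evaluate(rules, src_ip, dst_ip, dport):
    """First match wins, as OPNsense interface rules do with 'quick' set (the
    default). Returns the matching action, or "fallthrough" when neither rule
    matched, in which case the interface's remaining rules decide."""
    for r in rules:
        if _src_ok(r["src"], src_ip) and r["dst"] in ("any", dst_ip) and dport in r["dports"]:
            return r["action"]
    return "fallthrough"

def verdicts(src_ip, dst_ip, dport):
    """Verdict of the 'any' variant and of the 'DMZ net' variant for one flow
    that arrived on the DMZ interface (only DMZ-sourced packets reach them)."""
    return (evaluate(force_local_dns_rules("any"), src_ip, dst_ip, dport),
            evaluate(force_local_dns_rules(DMZ_NET), src_ip, dst_ip, dport))

if __name__ == "__main__":
    for flow in [("10.10.0.5", INTERNAL_DNS, 53),   # allowed: internal resolver
                 ("10.10.0.5", "8.8.8.8", 53),      # blocked: external plain DNS
                 ("10.10.0.5", "1.1.1.1", 853),     # DoT: neither rule matches
                 ("10.10.0.5", "1.1.1.1", 443)]:    # DoH: neither rule matches
        print(flow, verdicts(*flow))
```

The only flow on which the two variants differ is one whose source is outside the DMZ subnet, which never arrives on the DMZ interface in the first place.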