OPNsense Forum

English Forums => General Discussion => Topic started by: OPNsense4ever on April 15, 2023, 09:11:33 PM

Title: DNS Filtering for kids
Post by: OPNsense4ever on April 15, 2023, 09:11:33 PM
Hi all,

Wanted to see if anyone had any great opinions on this. I am replacing my legacy FW with a new machine to support 10Gb (w00t fiber!)

In the previous machine I use NAT rules to send all DNS traffic back to the FW itself. I have a /24 that I created a FW alias of a number of IPs that I called "trusted." All other IPs in the DHCP range are "untrusted." The "untrusted" IPs go to a port that runs BIND with safe-search and a few other blackholes enabled. The "trusted" IPs go right to 53 where unbound is running and tunneling DoT to supported, external servers.

All of this was a little complicated, but ended up working great. Any new machine the kids pop up automatically is safe and I add static-mapped IPs for any devices that need unfettered Internet access. I mainly did this because of the limitations of BIND and Unbound at the time. I know there are a lot of new changes, but I never updated the old configuration.

What I want is to have some devices pushed through safe searches and other filters for a bit longer and others with unfettered access. Any thoughts on new ways to do this? What are you using?

Thanks so much.
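
The source-based split described in the post above, sketched as raw pf translation rules. This is an added example, not the poster's configuration: the interface name, addresses, table members, and BIND port 5353 are assumptions, since the post does not give them.

```pf
# --- Assumed values (not from the thread) ---
lan_if        = "igb1"              # LAN interface
lan_net       = "192.168.1.0/24"    # the /24 that holds both groups
filtered_port = "5353"              # port where the filtering BIND listens

# Equivalent of the "trusted" alias: statically mapped hosts only
table <trusted> persist { 192.168.1.10, 192.168.1.11 }

# Translation rules are evaluated top to bottom and the first match wins,
# so the trusted exception must come before the catch-all.

# Trusted hosts: any outbound DNS lands on Unbound (port 53) on the firewall
rdr on $lan_if inet proto { tcp, udp } from <trusted> to any port 53 \
    -> 127.0.0.1 port 53

# Everything else on the LAN, including devices that just appeared via DHCP:
# DNS lands on the filtering resolver, whatever server the client asked for
rdr on $lan_if inet proto { tcp, udp } from $lan_net to any port 53 \
    -> 127.0.0.1 port $filtered_port

# Filter rule so the redirected packets are accepted by the firewall
pass in quick on $lan_if inet proto { tcp, udp } from $lan_net \
    to 127.0.0.1 port { 53, $filtered_port }
```

On OPNsense these would be two port-forward entries under Firewall > NAT > Port Forward, with the alias-based rule ordered first. Unknown devices fall through to the filtered resolver by default.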
Title: Re: DNS Filtering for kids
Post by: bartjsmit on April 16, 2023, 08:54:17 AM
When my kids were younger, I used OpenDNS. It's still free even after being gobbled up by Cisco: https://www.opendns.com/home-internet-security/
Title: Re: DNS Filtering for kids
Post by: newsense on April 17, 2023, 04:33:59 AM
DHCP reservations, one or more (per kid?) docker containers with either AdGuardHome or Pi-Hole, dedicated VLAN for their devices to make sure they can't get out with a random MAC - a few things to ponder depending on their age, interests, trustworthiness when it comes to homework on an internet facing device, circle of friends...
Title: Re: DNS Filtering for kids
Post by: xscoutx on April 19, 2023, 08:33:47 PM
I'm running AdGuard into Unbound, all in OPNsense.

https://forum.opnsense.org/index.php?topic=22162.msg146626#msg146626

In AdGuard:
Set up safesearch and DNS blocklists (public lists). I apply that to everyone on my LAN, then allow certain MACs access above and beyond.

In Unbound:
I have a few combinations of cleanbrowsing.org lists in the DNS over TLS options.