Block connection to IPs which are not in DNS cache

Started by CJ, July 08, 2020, 09:23:09 PM

Is this possible in OPNSense?  With the advent of DoH I want to prevent all connections to IPs that have not been resolved by the local DNS cache.

I looked through the settings and I didn't see anything that would do this.

Thanks.


You need to go to the DNS Server settings, select Properties and on the Interfaces tab, explicitly select only those addresses to which you want to accept dns requests.


Quote from: AndrewBriggs on November 30, 2020, 11:25:20 AM

You need to go to the DNS Server settings, select Properties and on the Interfaces tab, explicitly select only those addresses to which you want to accept dns requests.

That's not the problem I'm trying to solve.  I want everyone on the network to use my DNS server.

What I'm trying to prevent is DoH lookups or hard coded IPs.  Anything doing that on my network is up to something.

Quote from: CJRoss on July 08, 2020, 09:23:09 PM
Is this possible in OPNSense?  With the advent of DoH I want to prevent all connections to IPs that have not been resolved by the local DNS cache.

I looked through the settings and I didn't see anything that would do this.

Thanks.
To approve domains, ex. example.com, only approve the IPs of the DNS servers that have that domain. You can do this by going to "DNS Server Settings", selecting "Properties" on the "Interfaces Tab", and then explicitly allowing only those DNS servers which are hosting that domain to respond to content requests.

This sounds like a problem for Zenarmor (sensei) to solve, not for opnsense. You should ask them if they can or have plans to do this.

Quote from: allebone on December 02, 2021, 02:06:52 PM
This sounds like a problem for Zenarmor (sensei) to solve, not for opnsense. You should ask them if they can or have plans to do this.

Maybe.  It's on my list to check out but I haven't gotten to it yet.

My initial idea was for OPNSense to keep a list of resolved IPs from Unbound and only allow outbound access to those IPs via a firewall rule.
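The idea in the post above (keep the addresses Unbound has resolved and allow outbound traffic only to them) can be prototyped outside the firewall GUI. The following Python script is an added illustration, not code from OPNsense, Unbound or anyone in this thread. It assumes the operator feeds it the text of `unbound-control dump_cache`; the sample dump embedded below is constructed in the shape of that command's RRset section, and the pf table name `resolved_allow` in the comments is a hypothetical name chosen for the example.

```python
"""Added example: derive an outbound allowlist from Unbound's RRset cache.

Illustrative code, not an OPNsense feature. Input is assumed to be the
output of `unbound-control dump_cache`; `resolved_allow` is a hypothetical
pf table name.
"""
import ipaddress
import re
from typing import Set

# Constructed sample shaped like the RRSET section of `unbound-control dump_cache`.
SAMPLE_DUMP = """\
START_RRSET_CACHE
;rrset 3532 1 0 8 3
example.com.\t3532\tIN\tA\t93.184.216.34
;rrset 3532 1 0 8 3
example.com.\t3532\tIN\tAAAA\t2606:2800:220:1:248:1893:25c8:1946
;rrset 299 1 0 8 3
www.example.net.\t299\tIN\tCNAME\texample.net.
;rrset 60 1 0 8 3
printer.lan.\t60\tIN\tA\t192.168.1.50
;rrset 0 1 0 8 3
stale.example.org.\t0\tIN\tA\t203.0.113.9
;rrset 21599 1 0 0 3
com.\t21599\tIN\tNS\ta.gtld-servers.net.
END_RRSET_CACHE
EOF
"""

# name <tab> ttl <tab> IN <tab> type <tab> rdata; only address records matter here
RR_LINE = re.compile(r"^(?P<name>\S+)\t(?P<ttl>\d+)\tIN\t(?P<rtype>A|AAAA)\t(?P<rdata>\S+)$")


def resolved_addresses(dump: str, include_private: bool = False) -> Set[str]:
    """Return the addresses Unbound currently holds in its RRset cache.

    Records with TTL 0 are treated as expired and skipped. Non-global
    addresses (RFC 1918, loopback, link-local) are skipped unless requested,
    because LAN traffic is governed by ordinary rules, not this allowlist.
    """
    addrs: Set[str] = set()
    in_rrsets = False
    for line in dump.splitlines():
        if line == "START_RRSET_CACHE":
            in_rrsets = True
            continue
        if line == "END_RRSET_CACHE":
            break
        if not in_rrsets or line.startswith(";"):
            continue
        m = RR_LINE.match(line)
        if not m or int(m.group("ttl")) == 0:
            continue
        try:
            ip = ipaddress.ip_address(m.group("rdata"))
        except ValueError:
            continue  # malformed rdata never reaches a firewall table
        if not include_private and not ip.is_global:
            continue
        addrs.add(str(ip))
    return addrs


def pf_table_file(addrs: Set[str]) -> str:
    """One address per line, the format `pfctl -t TABLE -T replace -f FILE` reads."""
    def key(a: str):
        ip = ipaddress.ip_address(a)
        return (ip.version, int(ip))  # IPv4 before IPv6, then numeric order
    return "\n".join(sorted(addrs, key=key)) + "\n"


def is_allowed(dst: str, addrs: Set[str]) -> bool:
    """Decision the hypothetical 'only resolved destinations' rule would make."""
    try:
        return str(ipaddress.ip_address(dst)) in addrs
    except ValueError:
        return False


if __name__ == "__main__":
    allow = resolved_addresses(SAMPLE_DUMP)
    print(pf_table_file(allow), end="")
    # then, on the firewall (hypothetical table name):
    #   pfctl -t resolved_allow -T replace -f /tmp/resolved_allow.txt
    for dst in ("93.184.216.34", "1.1.1.1"):
        print(dst, "allowed" if is_allowed(dst, allow) else "blocked")
```

Two caveats a practitioner would want before relying on this: the table only reflects the cache at the moment it was dumped, so it has to be refreshed often (and a client that connects just after a TTL expires will be blocked until the next refresh), and the CNAME and NS records are deliberately ignored because only A/AAAA rdata are addresses; the final target of a CNAME chain still appears as its own A/AAAA RRset once resolved.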