OpnSense per VLAN NextDNS setup

Started by GregTheHun, February 05, 2025, 04:10:10 PM

Hi all,

I was curious, for those of you using NextDNS or something similar out there. I have a couple different profiles setup in NextDNS and was wondering how I can apply each of those profiles to different VLANs on my networks?

Any help would be much appreciated.

Mainly, what I'd like to do is have each VLAN have its own set of DNS servers it goes to, should the local Unbound server not be able to resolve it. I have some local servers that have proper URLs that I'd like to be able to access, and I have their overrides in Unbound, but if that doesn't go to anything local, then go to NextDNS and get the URL, depending on the VLAN the traffic originates from.

Hope this all makes sense, and thanks again.

I mean, I suppose this could be a discussion thread on any service that has profiles and separate DNS addresses once they're set up. NextDNS just happens to be the one I'm using.

Quote from: GregTheHun on February 25, 2025, 05:23:59 PM
I mean, I suppose this could be a discussion thread on any service that has profiles and separate DNS addresses once they're set up. NextDNS just happens to be the one I'm using.
I do use both NextDNS and ControlD, ControlD at home and NextDNS on the root server. And while evaluating both services I did install and use ControlD's DNS forward proxy (https://github.com/Control-D-Inc/ctrld) at home. Very flexible and worth checking out.

You can define multiple listeners, networks, rules for the listeners and upstream services (and more that I probably forgot about). Never tried it with multiple NextDNS profiles, but I don't see a reason why it wouldn't work. There's no GUI element for it in OPNsense; the config happens in a TOML file.

In my config below some devices have their own ControlD or NextDNS profile (MAC based) and queries for local DNS get forwarded to the *sense (network.0 & upstream.0):


[service]
    log_level = "info"
    log_path = ""
    cache_enable = true
    cache_size = 10240
    cache_ttl_override = 60
    cache_serve_stale = true

[listener]
  [listener.0]
    ip = '0.0.0.0'
    port = 53
    allow_wan_clients = true
    restricted = true

    [listener.0.policy]
      name = 'Policy @ Home'

      networks = [
          {'network.0' = ['upstream.0']}
      ]
      rules = [
        { '*.my.home.arpa' = ['upstream.5']}
      ]
      macs = [
       {"xx:xx:xx:xx:xx:xx" = ["upstream.2"]}, # Macbook Air M2 Wifi
       {"yy:yy:yy:yy:yy:yy" = ["upstream.1"]}  # Apple TV 4K Livingroom
      ]

[network]
  [network.0]
    name = 'Local LANs'
    cidrs = ['192.168.169.0/24', '10.11.0.0/16', '2aaa:bbbb:.../48']

[upstream]
  [upstream.0]
    name = 'ControlD - Firewall @ Home'
    type = 'doh'
    bootstrap_ip = '2606:...'
    endpoint = 'https://dns.controld.com/<a profile>'
    timeout = 5000

  [upstream.1]
    name = 'ControlD - Apple TV Living Room'
    type = 'doh'
    bootstrap_ip = '2606:...'
    endpoint = 'https://dns.controld.com/<another profile>'
    timeout = 5000

  [upstream.2]
    name = 'NextDNS - blockads Profile'
    type = 'doh'
    bootstrap_ip = '2a07:...'  # key was misspelled "boostrap_ip", which ctrld would silently ignore
    endpoint = 'https://dns.nextdns.io/<profile>'
    timeout = 5000

  [upstream.3]
    name = 'Quad9'
    type = 'doh'
    bootstrap_ip = '2620:fe::fe'
    endpoint = 'https://dns.quad9.net/dns-query'
    timeout = 5000

  [upstream.4]
    name = 'DNS0.eu'
    type = 'doh'
    bootstrap_ip = '2a0f:fc80::'
    endpoint = 'https://dns0.eu'
    timeout = 5000

  [upstream.5]
    name = 'Local Unbound'
    type = 'legacy'
    endpoint = '127.0.0.1:10053'
    timeout = 5000
Deciso DEC740
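Building on the config above, here is an added example (written for this thread, not the previous poster's file and not from the ctrld project) that answers the original per-VLAN question directly: one listener whose policy maps each VLAN subnet to its own NextDNS profile via `networks`, while the local zone is always sent to Unbound via `rules`. The two VLAN subnets, the profile IDs in the endpoint URLs and the listener names are assumptions; the Unbound port 10053 is taken from the config above.

```toml
# Added example, not the poster's config. Maps VLAN subnets to separate
# NextDNS profiles with ctrld; subnets and <profile-...> IDs are placeholders.

[service]
    log_level = "info"
    cache_enable = true
    cache_size = 10240

[listener]
  [listener.0]
    ip = '0.0.0.0'
    port = 53
    restricted = true      # as in the config above

    [listener.0.policy]
      name = 'Per-VLAN NextDNS profiles'

      # The local zone goes to Unbound regardless of which VLAN asked.
      rules = [
        { '*.my.home.arpa' = ['upstream.0'] }
      ]

      # One entry per VLAN subnet: source network -> NextDNS profile upstream.
      networks = [
        { 'network.0' = ['upstream.1'] },   # VLAN 10, assumed "trusted" profile
        { 'network.1' = ['upstream.2'] }    # VLAN 20, assumed stricter "IoT" profile
      ]

[network]
  [network.0]
    name = 'VLAN 10 (trusted)'
    cidrs = ['10.10.0.0/24']   # assumed subnet

  [network.1]
    name = 'VLAN 20 (IoT)'
    cidrs = ['10.20.0.0/24']   # assumed subnet

[upstream]
  [upstream.0]
    name = 'Local Unbound'
    type = 'legacy'
    endpoint = '127.0.0.1:10053'   # Unbound moved off port 53 so ctrld can own it
    timeout = 5000

  [upstream.1]
    name = 'NextDNS - VLAN 10 profile'
    type = 'doh'
    endpoint = 'https://dns.nextdns.io/<profile-for-vlan10>'
    timeout = 5000

  [upstream.2]
    name = 'NextDNS - VLAN 20 profile'
    type = 'doh'
    endpoint = 'https://dns.nextdns.io/<profile-for-vlan20>'
    timeout = 5000
```

The per-VLAN split only works because ctrld sees the querying client's source address, so the DHCP scope on each VLAN has to hand out the ctrld listener as the resolver rather than Unbound directly, and the OPNsense firewall rules on each VLAN must allow port 53 to that listener. A query whose source is not in any `networks` entry has no profile mapping, so every VLAN you intend to serve needs a `network.N` block. Which entry wins when both a `rules` pattern and a `networks` subnet match is an assumption here (the local zone is shown going to Unbound for all VLANs); confirm the evaluation order against the ctrld README before relying on it.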

@GregTheHun

Had the same concern. The easiest way I was able to deal with this is by installing "AdGuard Home". It does everything you would like to happen, plus more.