Topic: Stop foreign DNS - Have OpenDNS and PIA work together? (Read 4605 times)
tl5k5 (Jr. Member, Posts: 50, Karma: 0)
« on: May 12, 2017, 01:51:15 am »
I came from TomatoUSB on a router where there was a way to stop any "foreign" DNS entries from a client from getting past the router. I'd like to figure out a way to do this same thing on OPNsense.
Then...I'd like to know if there's a way to configure OpenDNS to work in conjunction with PIA's VPN service. I currently have OpenDNS working just fine, but I'd like to add a PIA VPN config so that my OpenDNS rules still work.
I need as much help as I can get on this one!
Thanks!
bartjsmit (Hero Member, Posts: 2017, Karma: 194)
« Reply #1 on: May 12, 2017, 08:22:05 am »
Yes, you can block internal DNS clients from sending external queries. Simply configure OPNsense to be a resolver and add a firewall rule that denies TCP/UDP 53 from your internal networks to the internet. Alternatively, you can add an allow rule above that which whitelists OpenDNS by IP address.
PIA supports a number of tunnel protocols which are also supported on OPNsense. For your sanity's sake, you may want to stick with OpenVPN.
All this and more is discussed in the documentation: https://docs.opnsense.org/
Bart...
tl5k5 (Jr. Member, Posts: 50, Karma: 0)
« Reply #2 on: May 12, 2017, 06:47:57 pm »
Thanks...I'll give it a try!
Ciprian (Sr. Member, Posts: 284, Karma: 50)
« Reply #3 on: May 26, 2017, 12:13:30 pm »
For enforcing OpenDNS do this:
https://doc.pfsense.org/index.php/Redirecting_all_DNS_Requests_to_pfSense
It is from the pfSense documentation, but it matches perfectly with OPNsense (tested personally by myself). It is a better solution, because if somebody behind your OPNsense tries to use other manually established DNS IP addresses (disables DHCP (at least) for DNS), then his/her DNS request to any other public DNS will be silently and instantly redirected to OPNsense (forwarder/resolver) and from there to OpenDNS.
So there will be no way for a user to circumvent your network's DNS resolution enforced to OpenDNS, while the users will not get "page not found" error messages in browsers while they try to use alternative public DNS servers.
Logged
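A check to run from a LAN client that tells apart the two behaviours described in this thread (port 53 blocked versus silently redirected) from no enforcement at all. This is an added example, not part of any post; the probe addresses (192.0.2.53 from the RFC 5737 documentation range, 8.8.8.8 as a public resolver other than OpenDNS) and all function names are assumptions chosen for illustration.

```python
import socket
import struct

SINKHOLE = "192.0.2.53"  # TEST-NET-1 (RFC 5737): no real DNS server lives here
PUBLIC = "8.8.8.8"       # assumption: any public resolver other than OpenDNS

def build_query(name, qid=0x1234):
    """Encode a standard recursive A query for `name`."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in name.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def is_reply(packet, qid=0x1234):
    """True if `packet` is a DNS response (QR bit set) carrying our query id."""
    if len(packet) < 12:
        return False
    rid, flags = struct.unpack(">HH", packet[:4])
    return rid == qid and bool(flags & 0x8000)

def answered(server, name="example.com", timeout=3.0):
    """Send one UDP query to `server`; report whether a valid reply came back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name), (server, 53))
            data, _ = s.recvfrom(512)
        except OSError:  # timeout, ICMP unreachable, no route
            return False
    return is_reply(data)

def classify(sinkhole_answered, public_answered):
    """Map the two probe results onto the behaviours described in the thread."""
    if sinkhole_answered:
        return "redirected"    # something on-path answered for an address with no server
    if public_answered:
        return "not enforced"  # the query reached a foreign resolver directly
    return "blocked"           # port 53 to the internet is dropped

if __name__ == "__main__":
    print(classify(answered(SINKHOLE), answered(PUBLIC)))
```

The probe uses UDP only, so the TCP half of a TCP/UDP 53 rule needs a separate check.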