OPNsense per-VLAN NextDNS setup

Started by GregTheHun, February 05, 2025, 04:10:10 PM

Hi all,

I was curious, for those of you using NextDNS or something similar out there. I have a couple of different profiles set up in NextDNS and was wondering how I can apply each of those profiles to different VLANs on my network?

Any help would be much appreciated.

Mainly, what I'd like to do is have each VLAN have its own set of DNS servers it goes to, should the local Unbound server not be able to resolve it. I have some local servers that have proper URLs that I'd like to be able to access, and I have their overrides in Unbound, but if that doesn't go to anything local, then go to NextDNS and get the URL, depending on which VLAN the traffic originates from.

Hope this all makes sense, and thanks again

I mean, I suppose this could be a discussion thread on any service that has profiles and separate DNS addresses once they're set up. NextDNS just happens to be the one I'm using.

Quote from: GregTheHun on February 25, 2025, 05:23:59 PM
I mean, I suppose this could be a discussion thread on any service that has profiles and separate DNS addresses once they're set up. NextDNS just happens to be the one I'm using.
I do use both NextDNS and ControlD, ControlD at home and NextDNS on the root server. And while evaluating both services I did install and use ControlD's DNS forward proxy (https://github.com/Control-D-Inc/ctrld) at home. Very flexible and worth checking out.

You can define multiple listeners, networks, rules for the listeners and upstream services (and more that I probably forgot about). Never tried with multiple NextDNS profiles but I don't see a reason why it wouldn't work. There's no GUI element to it in OPNsense; the config happens in a TOML file.

In my config below some devices have their own ControlD or NextDNS profile (MAC based) and queries for local DNS get forwarded to the *sense (network.0 & upstream.0):


[service]
    log_level = "info"
    log_path = ""
    cache_enable = true
    cache_size = 10240
    cache_ttl_override = 60
    cache_serve_stale = true

[listener]
  [listener.0]
    ip = '0.0.0.0'
    port = 53
    allow_wan_clients = true
    restricted = true

    [listener.0.policy]
      name = 'Policy @ Home'

      networks = [
          {'network.0' = ['upstream.0']}
      ]
      rules = [
        { '*.my.home.arpa' = ['upstream.5']}
      ]
      macs = [
       {"xx:xx:xx:xx:xx:xx" = ["upstream.2"]}, # Macbook Air M2 Wifi
       {"yy:yy:yy:yy:yy:yy" = ["upstream.1"]}  # Apple TV 4K Livingroom
      ]

[network]
  [network.0]
    name = 'Local LANs'
    cidrs = ['192.168.169.0/24', '10.11.0.0/16', '2aaa:bbbb:.../48']

[upstream]
  [upstream.0]
    name = 'ControlD - Firewall @ Home'
    type = 'doh'
    bootstrap_ip = '2606:...'
    endpoint = 'https://dns.controld.com/<a profile>'
    timeout = 5000

  [upstream.1]
    name = 'ControlD - Apple TV Living Room'
    type = 'doh'
    bootstrap_ip = '2606:...'
    endpoint = 'https://dns.controld.com/<another profile>'
    timeout = 5000

  [upstream.2]
    name = 'NextDNS - blockads Profile'
    type = 'doh'
    bootstrap_ip = '2a07:...'
    endpoint = 'https://dns.nextdns.io/<profile>'
    timeout = 5000

  [upstream.3]
    name = 'Quad9'
    type = 'doh'
    bootstrap_ip = '2620:fe::fe'
    endpoint = 'https://dns.quad9.net/dns-query'
    timeout = 5000

  [upstream.4]
    name = 'DNS0.eu'
    type = 'doh'
    bootstrap_ip = '2a0f:fc80::'
    endpoint = 'https://dns0.eu'
    timeout = 5000

  [upstream.5]
    name = 'Local Unbound'
    type = 'legacy'
    endpoint = '127.0.0.1:10053'
    timeout = 5000
Deciso DEC740

@GregTheHun

Had the same concern. The easiest way I was able to deal with this is by installing "AdGuard Home". It does everything you would like to happen plus more.

Thanks everyone for the responses, but do you guys know any way to do the same thing in OPNsense alone?

Quote from: patient0 on February 25, 2025, 07:35:11 PM

I would also be curious about this method, would you have to disable Unbound in order for this to work?

Quote from: GregTheHun on April 04, 2025, 08:16:26 PM
I would also be curious about this method, would you have to disable Unbound in order for this to work?
Not disabled but moved to a different port (10053) and listening on 127.0.0.1 only, since I didn't want it to answer DNS queries directly. 'upstream.5' is this local Unbound that gets contacted for queries to *.my.home.arpa.

ControlD's DNS forward proxy just does what's in the name, forward based on rules.
You could define the networks/VLANs in the config file and let each VLAN forward to a different DNS profile. I guess any DNS forward proxy would work, ctrld being the one I tested.
Deciso DEC740