OPNsense Forum » Archive » 21.7 Legacy Series » Yet another DNS topic
Topic: Yet another DNS topic (Read 3092 times)
timthedevguy (Newbie, Posts: 2, Karma: 0)
Yet another DNS topic « on: March 14, 2022, 01:46:22 am »
Greetings,
I have spent hours researching how to do what I want and I found out how but I don't know why.
Network is pretty simple, Windows AD Domain with DHCP and DNS on redundant DCs. All Servers use the DCs for DNS, all clients use the DCs for DHCP which of course passes the DCs as DNS servers. I run a Pihole server on Docker and use it as my Forwarder.
I recently switched to OPNsense from Sophos XG. In the XG I blocked all DNS traffic from any LAN address BUT the Pihole box. This ensured that Chrome was not able to bypass Pihole.
Every piece of information I've found says I need to enable Unbound DNS and add some weird This Firewall rules, but I don't understand WHY. Why can't I just put in the Allow DNS from PIHOLE rule first, then the Deny DNS from * rule next? This does not work in OPNsense.
Any insight would be helpful, I apologize if this information was present someplace.
bartjsmit (Hero Member, Posts: 2018, Karma: 194)
Re: Yet another DNS topic « Reply #1 on: March 14, 2022, 07:23:18 am »
Short answer is yes. I run internal DNS on AD and I don't use unbound.
Try floating rules to allow 53 TCP+UDP from Pi-hole followed by deny all 53 TCP+UDP on all relevant interfaces.
That only leaves DoH to worry about.
Bart...
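To make the ordering point concrete, here is an added model of the first-match evaluation Bart's two floating rules rely on (example code written for this thread, not OPNsense or pf code). It assumes a constructed LAN of 192.168.1.0/24 with the Pi-hole at 192.168.1.53, and shows that an upstream query from the Pi-hole passes, a client querying port 53 directly is blocked on both TCP and UDP, and a DoH-style flow on 443 slips through exactly as the reply warns.

```python
"""Added example (not OPNsense code): models first-match rule order to show which
DNS flows the allow-then-deny floating rules catch. All addresses are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

PIHOLE = ip_network("192.168.1.53/32")   # constructed: the only resolver allowed out
LAN = ip_network("192.168.1.0/24")       # constructed LAN range
DNS = frozenset({"tcp", "udp"})          # rules must cover both transports

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    src: Optional[IPv4Network]       # None matches any source
    protos: frozenset
    dport: Optional[int]             # None matches any destination port

    def matches(self, f: Flow) -> bool:
        return ((self.src is None or ip_address(f.src) in self.src)
                and f.proto in self.protos
                and (self.dport is None or f.dport == self.dport))

# The floating rules in the order the reply gives: allow from Pi-hole, then deny all 53.
FLOATING = [Rule("pass", PIHOLE, DNS, 53), Rule("block", None, DNS, 53)]
# Per-interface LAN rules are consulted after floating rules; a typical "allow LAN out".
LAN_RULES = [Rule("pass", LAN, DNS, None)]

def decide(flow: Flow, floating: List[Rule] = FLOATING) -> str:
    """First matching rule decides (pf 'quick'); nothing matched means block."""
    for rule in floating + LAN_RULES:
        if rule.matches(flow):
            return rule.action
    return "block"

if __name__ == "__main__":
    for f in (Flow("192.168.1.53", "203.0.113.1", "udp", 53),   # Pi-hole forwarding upstream
              Flow("192.168.1.20", "203.0.113.1", "udp", 53),   # client bypassing Pi-hole
              Flow("192.168.1.20", "203.0.113.1", "tcp", 443)): # DoH: indistinguishable from HTTPS
        print(f, "->", decide(f))
```

Swapping the two floating rules (deny first) blocks the Pi-hole's own upstream queries, which is why the allow rule has to come first.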
timthedevguy (Newbie, Posts: 2, Karma: 0)
Re: Yet another DNS topic « Reply #2 on: March 14, 2022, 10:58:33 am »
You are awesome Bart. I moved the rules that I would expect to work on [LAN] to Floating and everything runs as it should. Thanks so much!!!
emmitt (Newbie, Posts: 40, Karma: 0)
Re: Yet another DNS topic « Reply #3 on: March 17, 2022, 08:11:31 am »
Same problem here - could you share a screenshot or something like that? Thanks