Setting Client-Specific DNS Resolvers and Hardening Question

Started by ngr2001, December 29, 2024, 05:48:50 PM

In an effort to easily block inappropriate sites I would like to leverage Cloudflare's DNS 1.1.1.3. My OPNsense firewall is currently configured at a global level for DNS over TLS (DoT) via 1.1.1.1 and its IPv6 counterpart; that setup is working just fine, and I don't wish to block all devices. So, via DHCP I can set a reservation for my children's MAC address, and in DHCP I can override the DNS value and set it to 1.1.1.3 (Family DNS). This effectively accomplishes the goal, but it's a weak solution that can be easily bypassed.

1. Is there any way to achieve the same goal above without having to leverage the DHCP reservation trick? One drawback I have found is that it forces the client to only use IPv4; ISC DHCP does not seem to allow IPv6 values in the config. In addition it also breaks DNS over TLS, as it reverts back to simple DNS mode. I guess what I would like is some way in Unbound DNS to apply a rule that says these MAC addresses should leverage this (DNS over TLS) config, and all other clients use the global values. I am not seeing any way to do that today, but perhaps I am wrong?

2. If the above request is not possible, what are some firewall rules you all would recommend to better harden this approach? It's on the tip of my tongue but I can't place it: I am looking for a rule that could prevent the (child / protected) PC from leveraging any other DNS server. For example, if the protected PC had its local network settings modified and the DNS forced to 8.8.8.8, I would not want to allow that traffic to pass. Again, I'm just not sure of the proper order of rules and the types I would need to achieve that while also allowing all other clients to work normally.

Thanks.

I'm also running into an issue where, if the client has IPv6, all DNS filtering fails. I don't see any way to exclude certain clients from getting an IPv6 address?

I also had an idea where, instead of using DHCP to set a DNS value, I would leave it at my defaults and create a port forward NAT rule to catch any DNS requests from protected clients and redirect them to 1.1.1.3 for DNS traffic. However, my experiment with that failed and the clients can still get to undesired sites. Not sure what I am doing wrong here.
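The rule order the two questions above are asking about, written out as a raw pf.conf fragment so the evaluation order is visible. This is an added example, not a ruleset from the original poster or generated by OPNsense; the interface name em1, the table contents, the firewall address and the IPv6 documentation-prefix addresses are all assumptions. In the OPNsense GUI the same shape is a port forward under Firewall: NAT: Port Forward plus LAN rules placed above the general "allow LAN to any" rule, since GUI rules are first-match ("quick") by default.

```pf
# Constructed example: force protected hosts onto Cloudflare Family DNS
# and shut the usual bypass channels. Addresses below are assumptions.

# Protected hosts. pf cannot match on MAC address, so the IPs must be
# pinned by DHCP reservation (v4) or a static assignment (v6).
table <kids>  { 192.168.1.50, 192.168.1.51 }
table <kids6> { 2001:db8:1::50, 2001:db8:1::51 }

# Cloudflare for Families (malware + adult content), v4 and v6.
table <family_dns>  { 1.1.1.3, 1.0.0.3 }
table <family_dns6> { 2606:4700:4700::1113, 2606:4700:4700::1003 }

# ---- Translation: evaluated before any filter rule -------------------
# Catch plain DNS (UDP *and* TCP 53) from protected hosts no matter which
# resolver the client was told to use, and send it to 1.1.1.3. Filter
# rules below see the packet *after* translation, i.e. destined to 1.1.1.3.
rdr on em1 inet  proto { udp, tcp } from <kids>  to any port 53 -> 1.1.1.3 port 53
rdr on em1 inet6 proto { udp, tcp } from <kids6> to any port 53 -> 2606:4700:4700::1113 port 53

# ---- Filter: first matching "quick" rule wins -----------------------
# 1. Let the redirected queries out to the family resolvers only.
pass in quick on em1 inet  proto { udp, tcp } from <kids>  to <family_dns>  port 53 keep state
pass in quick on em1 inet6 proto { udp, tcp } from <kids6> to <family_dns6> port 53 keep state

# 2. Close the other resolver channels for protected hosts:
#    - plain DNS to anything that was not redirected (covers the firewall's
#      own Unbound, which forwards to the unfiltered 1.1.1.1),
#    - DoT (TCP 853) and DoQ (UDP 853).
#    DoH rides on TCP 443 and cannot be singled out by port; it needs a
#    list of known DoH resolver IPs to block, or a client-side policy.
block in quick on em1 inet  proto { udp, tcp } from <kids>  to any port { 53, 853 }
block in quick on em1 inet6 proto { udp, tcp } from <kids6> to any port { 53, 853 }

# 3. IPv6 caveat: a dual-stack client prefers its v6 resolvers, so without
#    the inet6 rules above the v4 redirect is silently bypassed. SLAAC
#    privacy addresses rotate, which makes <kids6> brittle; if the v6
#    address cannot be pinned, the dependable fallback is to deny v6 DNS
#    (53/853) from the whole LAN to anything except the firewall itself,
#    so the client falls back to v4 where the rules above apply.
block in quick on em1 inet6 proto { udp, tcp } from em1:network to ! (em1) port { 53, 853 }

# 4. Everything else from these hosts continues to the normal LAN rules.
```

Two points worth checking against the failed port-forward experiment described above: the redirect must cover TCP as well as UDP 53 (resolvers retry over TCP when answers are truncated), and it does nothing for queries the client sends over port 853 or IPv6, which is why the block rules are paired with it rather than relying on the redirect alone.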