Super User Asked by Sam Bernstein on December 1, 2021
I am running pfSense with BIND installed. On that machine, for a subnet of devices, I want the requests to go to OpenDNS and add my own records that would take precedence over OpenDNS. For the rest of the devices, I want to use Cloudflare’s DNS (while keeping DHCP DNS entries / own records). I do not have to use BIND, but it seems like Unbound does not support it.
Important: I will not set the DNS servers individually per device! It must be automatic based on the subnet the devices are in.
So far: I have two ACLs (one for the LAN subnet, and another for the VPN subnet) and a view corresponding to each one of them. I have two zones (local.lan and vpn.lan) which have the domain names of each device on the subnets. I have an additional zone that handles forwarding for the VPN subnet view.
TL;DR: I want to have some devices use OpenDNS and some devices use Cloudflare based on IP address / subnet. I want to have the functionality of adding own entries (e.g. get google.com to point to localhost).
Alright, thanks to Frank Thomas in the comments, I was able to figure it out. In the end, I used RPZ with ACL + Views to get it done. I followed these links to figure it out: https://www.isc.org/docs/BIND_RPZ.pdf, https://www.isc.org/rpz/, and https://www.linuxbabe.com/redhat/response-policy-zone-rpz-bind-centos.
Here is what my configuration ended up like:
I created two ACLs: One for my VPN subnet and one for my LAN subnet.
acl "LAN" { 192.168.1.0/24; };
acl "VPN" { 10.0.8.0/24; };
The last number in the subnet has to be 0 (depending on your netmask, more depth of zeros will be needed), otherwise BIND throws a fit.
Then, I created two views: one for VPN and one for LAN.
// Views are tried in the order they appear; the first match-clients hit wins.
view "VPN" {
    recursion yes;
    match-clients { VPN; };          // only clients in 10.0.8.0/24 see this view
    allow-recursion { VPN; };
    response-policy {                // RPZ: local policy is applied before the answer is returned
        zone "rpz.vpn.lan";
    };
    forwarders {                     // OpenDNS resolvers
        208.67.220.123;
        208.67.222.123;
    };
    // Default forwarding mode is "forward first": if the forwarders do not
    // answer, named falls back to recursing from the root hints below.
    zone "vpn.lan" {
        type master;
        file "/etc/namedb/master/VPN/vpn.lan.DB";
        allow-query { any; };
        allow-transfer { none; };
        allow-update { localhost; localnets; };   // dynamic (DHCP) updates from any directly attached network
    };
    zone "rpz.vpn.lan" {
        type master;
        file "/etc/namedb/master/VPN/rpz.vpn.lan.DB";
        allow-query { localhost; localnets; };
        allow-transfer { localhost; localnets; }; // any local-net host may pull the policy zone
        allow-update { localhost; localnets; };   // any local-net host may change the policy zone
    };
    zone "." {
        type hint;
        file "/etc/namedb/named.root";
    };
};
view "LAN" {
    recursion yes;
    match-clients { LAN; };          // clients in 192.168.1.0/24
    allow-recursion { any; };        // effectively limited to LAN by match-clients
    // No forwarders and no response-policy here: this view recurses from the root hints.
    zone "local.lan" {
        type master;
        file "/etc/namedb/master/LAN/local.lan.DB";
        allow-query { any; };
        allow-transfer { none; };
        allow-update { localhost; localnets; };
    };
    zone "." {
        type hint;
        file "/etc/namedb/named.root";
    };
};
And to finalize the RPZ, I created the zone rpz.vpn.lan:
$TTL 7200
;
$ORIGIN rpz.vpn.lan.
; Database file rpz.vpn.lan.DB for rpz.vpn.lan zone.
; Do not edit this file!!!
; Zone version 2595524218
;
rpz.vpn.lan. IN SOA pfsense.vpn.lan. zonemaster.rpz.vpn.lan. (
2595524218 ; serial
1d ; refresh
2h ; retry
4w ; expire
1h ; default_ttl
)
;
; Zone Records
;
@ IN NS pfsense.vpn.lan.
@ IN A 10.0.8.1
; Owner names are relative to the zone origin, so the record below is the
; RPZ trigger for pfsense.vpn.lan and returns 10.0.8.1 as local data.
pfsense.vpn.lan IN A 10.0.8.1
; CNAME to the root (".") is the RPZ NXDOMAIN action: redis.io does not resolve in this view.
redis.io IN CNAME .
I used redis.io as a test to check if it worked.
Also added DHCP zones:
For the VPN subnet:
$TTL 7200
;
$ORIGIN vpn.lan.
; Database file vpn.lan.DB for vpn.lan zone.
; Do not edit this file!!!
; Zone version 2595447119
;
vpn.lan. IN SOA pfsense.vpn.lan. zonemaster.vpn.lan. (
2595447119 ; serial
1d ; refresh
2h ; retry
4w ; expire
1h ; default_ttl
)
;
; Zone Records
;
@ IN NS pfsense.vpn.lan.
@ IN A 10.0.8.1
pfsense IN A 10.0.8.1
And for the LAN:
$TTL 7200
;
$ORIGIN local.lan.
; Database file local.lan.DB for local.lan zone.
; Do not edit this file!!!
; Zone version 2595445239
;
local.lan. IN SOA pfsense.local.lan. zonemaster.local.lan. (
2595445239 ; serial
1d ; refresh
2h ; retry
4w ; expire
1h ; default_ttl
)
;
; Zone Records
;
@ IN NS pfsense.local.lan.
@ IN A 192.168.1.1
pfsense IN A 192.168.1.1
(Note that some ACLs and files are not shown for brevity)
Answered by Sam Bernstein on December 1, 2021
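As an added illustration (not part of the post, and not BIND's own code), the following Python models the decision that the configuration above makes for a query: which view the client's source address selects, whether an RPZ rule in rpz.vpn.lan fires, and otherwise where the query goes (OpenDNS forwarders or root-hint recursion). The ACLs, view order and RPZ records are copied from the post; the RPZ text is a constructed copy of the record section only, and the trigger matching is simplified to QNAME and wildcard triggers. It also shows the host-bits check that is behind the "last number has to be 0" remark.

```python
"""Model of the view + RPZ logic in the configuration above.

Constructed example: not BIND code and not the asker's configuration.
It reproduces the decision named makes for a query so the effect of a
rule can be checked without running named.
"""
import ipaddress

# ACLs as declared in the post. strict=True mirrors BIND: host bits must be zero.
ACLS = {
    "LAN": ipaddress.ip_network("192.168.1.0/24", strict=True),
    "VPN": ipaddress.ip_network("10.0.8.0/24", strict=True),
}

# Views in named.conf order: the first view whose match-clients matches wins.
VIEWS = [
    {"name": "VPN", "match_clients": ["VPN"], "rpz": "rpz.vpn.lan",
     "forwarders": ["208.67.220.123", "208.67.222.123"]},
    {"name": "LAN", "match_clients": ["LAN"], "rpz": None, "forwarders": []},
]

# Constructed copy of the record section of rpz.vpn.lan.DB (SOA omitted).
RPZ_ZONE_TEXT = """\
$ORIGIN rpz.vpn.lan.
@ IN NS pfsense.vpn.lan.
@ IN A 10.0.8.1
pfsense.vpn.lan IN A 10.0.8.1
redis.io IN CNAME .
"""


def check_acl_prefix(prefix):
    """True if the prefix has all host bits zero, which BIND insists on for ACLs."""
    try:
        ipaddress.ip_network(prefix, strict=True)
        return True
    except ValueError:
        return False


def select_view(client_ip):
    """Name of the first view whose match-clients ACL contains client_ip, else None."""
    addr = ipaddress.ip_address(client_ip)
    for view in VIEWS:
        if any(addr in ACLS[acl] for acl in view["match_clients"]):
            return view["name"]
    return None  # no view matched: named refuses the query


def parse_rpz(zone_text):
    """Map each QNAME trigger in an RPZ zone to its (rrtype, rdata) rule."""
    origin = ""
    rules = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".")
            continue
        name, _cls, rrtype, rdata = line.split(None, 3)
        if name == "@":
            continue  # apex records (SOA/NS/A) describe the zone, not a policy
        if not name.endswith("."):
            name = name + "." + origin  # relative owner name
        name = name.rstrip(".")
        # The trigger is the owner name with the zone origin removed.
        if name.endswith("." + origin):
            rules[name[:-len(origin) - 1].lower()] = (rrtype, rdata)
    return rules


def rpz_action(rules, qname):
    """Translate the RPZ record for qname into the action named would take."""
    qname = qname.rstrip(".").lower()
    rule = rules.get(qname)
    labels = qname.split(".")
    for i in range(1, len(labels)):
        if rule:
            break
        rule = rules.get("*." + ".".join(labels[i:]))  # wildcard trigger
    if rule is None:
        return ("NO-MATCH", None)
    rrtype, rdata = rule
    if rrtype == "CNAME":
        special = {".": "NXDOMAIN", "*.": "NODATA",
                   "rpz-passthru.": "PASSTHRU", "rpz-drop.": "DROP"}
        if rdata in special:
            return (special[rdata], None)
    return ("LOCAL-DATA", (rrtype, rdata))  # answer with the rule's own record


def simulate(client_ip, qname):
    """(view, outcome, detail) for a query from client_ip under the config above."""
    view_name = select_view(client_ip)
    if view_name is None:
        return ("none", "REFUSED", None)
    view = next(v for v in VIEWS if v["name"] == view_name)
    if view["rpz"]:
        action, detail = rpz_action(parse_rpz(RPZ_ZONE_TEXT), qname)
        if action != "NO-MATCH":
            return (view_name, action, detail)
    if view["forwarders"]:
        return (view_name, "FORWARD", view["forwarders"])
    return (view_name, "RECURSE", "root hints")


if __name__ == "__main__":
    for client, name in [("10.0.8.50", "redis.io"), ("10.0.8.50", "example.org"),
                         ("192.168.1.20", "redis.io"), ("172.16.0.5", "redis.io")]:
        print(client, name, "->", simulate(client, name))
    print("192.168.1.1/24 accepted as ACL?", check_acl_prefix("192.168.1.1/24"))
```

Running it shows the split the post is after: a VPN client gets NXDOMAIN for redis.io and is forwarded to OpenDNS for everything else, a LAN client never sees the policy zone and recurses from the root hints, and an address outside both ACLs is refused. The check_acl_prefix call reproduces BIND's objection to "192.168.1.1/24".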