
Topic: Different DNS host overrides based on IP addr or interface of client?


Offline tzalmaves

  • Newbie
  • Posts: 4
  • Karma: +0/-0
Hello all,

I'm wondering if there's a way to do conditional host overrides with DNS Resolver. For example:

Client #1 at 192.168.20.100 pings foo.com, gets 204.65.44.1
Client #2 at 192.168.20.101 pings foo.com, gets 204.65.44.2

If it can't be done by IP address, can it be conditional based on which interface is querying? If this can't be done with DNS Resolver, is there another way to accomplish this?

-TM

Offline kpa

  • Hero Member
  • Posts: 1188
  • Karma: +132/-6
Re: Different DNS host overrides based on IP addr or interface of client?
« Reply #1 on: March 06, 2017, 03:43:08 pm »
Not possible with Unbound or dnsmasq. You would need the BIND package and use the views feature to match a specific client IP or a set of IPs.

Offline johnpoz

  • Hero Member
  • Posts: 14484
  • Karma: +1343/-200
  • Not a pfSense employee, they cannot fire me...
Re: Different DNS host overrides based on IP addr or interface of client?
« Reply #2 on: March 06, 2017, 04:01:12 pm »
Since the update to unbound 1.6 there are views now...

Doesn't look like there's any support for them in the GUI as of yet that I can see, but you can for sure do it in the options box.

So, in the options box I created a view called testview:

Code:
server:
    # match one client with /32; any CIDR works to cover a range of clients
    access-control-view: 192.168.9.100/32 testview
view:
    name: "testview"
    # static: a name in local.lan with no local-data in this view gets NXDOMAIN
    local-zone: "local.lan" static
    local-data: "test.local.lan. 90 IN A 10.10.10.10"

So you can see that when I bounce the query off my internal DNS that forwards to pfSense (so the query actually comes from 192.168.3.10 rather than from my box on 192.168.9.100), I get what I put in as a host override for test.local.lan. When I query unbound directly from the IP in the access-control-view list I created, called "testview", I get the entries I put in there. My normal local domain is local.lan, and this is the host override I created for test.local.lan.

You can create the control view to be either a single IP with /32 or any CIDR that includes the IPs you want. You then just need to create the entries under that view name. See the above for an example.


Code:
> dig test.local.lan

; <<>> DiG 9.11.0-P3 <<>> test.local.lan
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28904
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;test.local.lan.                        IN      A

;; ANSWER SECTION:
test.local.lan.         3600    IN      A       192.168.100.100

;; Query time: 7 msec
;; SERVER: 192.168.3.10#53(192.168.3.10)
;; WHEN: Mon Mar 06 15:55:55 Central Standard Time 2017
;; MSG SIZE  rcvd: 59

> dig @192.168.9.253 test.local.lan

; <<>> DiG 9.11.0-P3 <<>> @192.168.9.253 test.local.lan
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16525
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;test.local.lan.                        IN      A

;; ANSWER SECTION:
test.local.lan.         90      IN      A       10.10.10.10

;; Query time: 1 msec
;; SERVER: 192.168.9.253#53(192.168.9.253)
;; WHEN: Mon Mar 06 15:56:14 Central Standard Time 2017
;; MSG SIZE  rcvd: 59
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.3.4_p1 (work)
1x SG-4860 2.4.2-RELEASE-p1 (home)
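For the original poster's scenario (two clients on the same subnet that should get different answers for foo.com), here is a fuller version of the same access-control-view approach. This is an added example, not config from the post above or from pfSense itself: the client IPs and answers are the ones in the question; the view names, the TTL, and the use of `view-first` and `transparent` are my choices.

```conf
# Added example (not from the thread). Paste into the DNS Resolver "Custom
# options" box on pfSense, which appends it to the generated unbound.conf.
# The leading "server:" is required because the box sits outside the
# generated server clause.
server:
    # Client -> view. Unbound picks the most specific matching netblock, so a
    # /32 wins over a wider /24 that also covers the host. To key on an
    # interface instead, use that interface's subnet here (e.g. 192.168.20.0/24).
    access-control-view: 192.168.20.100/32 client1
    access-control-view: 192.168.20.101/32 client2
    # access-control-view does not grant access by itself; the client must
    # still be allowed by access-control (pfSense generates that for local nets).

view:
    name: "client1"
    # Answer from this view's data first, then fall back to the server-wide
    # local-zone/local-data (the GUI host overrides) for names not defined here.
    view-first: yes
    # transparent: foo.com is answered from local-data, www.foo.com and other
    # names under it resolve normally. "static" would instead return NXDOMAIN
    # for every other name under foo.com. Note that a foo.com AAAA query gets an
    # empty answer; use typetransparent if only the A record should be replaced.
    local-zone: "foo.com." transparent
    local-data: "foo.com. 300 IN A 204.65.44.1"

view:
    name: "client2"
    view-first: yes
    local-zone: "foo.com." transparent
    local-data: "foo.com. 300 IN A 204.65.44.2"
```

To check it, run `dig @<pfSense LAN IP> foo.com A` from each of the two clients and from a third host on the subnet: the first two should return 204.65.44.1 and 204.65.44.2 respectively with TTL 300, while the third host should see whatever the normal host override or upstream resolution gives. As the post above shows, matching is on the source address unbound sees, so a client that queries through an intermediate forwarder is matched by the forwarder's address, not its own.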

Offline lexxai

  • Newbie
  • Posts: 7
  • Karma: +0/-1
    • We have what we have. Everything that happens - for the better. [lexxai]
Re: Different DNS host overrides based on IP addr or interface of client?
« Reply #3 on: November 21, 2017, 05:39:57 pm »
Thanks, it works.
You only need to remember the "server:" line at the start of the custom options.
I posted a screenshot of the GUI: https://lexxai.blogspot.com/2017/11/pfsense-dns-views.html