To clarify - The general recommendation is to keep guest traffic isolated from internal resources, i.e use the internal DHCP servers on the network infrastructure, such as the WLAN controllers as typically that is where the capture portal is anyway, and have them use an ISP or Public DNS (i.e. My last sentence in that post was specific to pftdm007's environment, although it should have started with "Your" and not "You" :-) What I thought I wrote was ONLY referring to Guest network recommendation. I'm not against Google as a company (how could Your for clarifying in case others also thought I recommended Enterprise customers forward to Google from their internal DNS. I do like their search engine a lot - it works for me They had their reasons, but these do not exist any more).īut if someone can tell me ones and for all what the benefits are, I'll adopt "8.8.8.8" myself, promised.ītw : don't get me wrong : I'm using gmail (just perfect for automated notification systems). (I really guess because our society fabricated a lot of people that are trained to "have to enter a DNS" because our ISP's trained us to do so in the past. Maybe in the States other rules or reasons exist, I can't tell.įor me, "8.8.8.8" is at maximum a soHO thing. Corporate clients networks forwarding to Google ?Īt least in Europe, that's not a recommendation thing, one could get fired for that. You LAN clients uses unbound (with forwarding to Google)Įuh. Right said in Bypassing DNSBL for specific IPs: That way, guest bypass corporate DNS and just get public. The same kind of recommendation used in Enterprise networks for Wireless Guest. I just want to avoid having to configure each client manually (most of the clients on DMZ are mobile devices that I will see only said in Bypassing DNSBL for specific IPs: Since rules are processed top-down, I'd expect the DNS requests on DMZ clients to match the last rule? I must be missing something! If I suppress (deactivate) the second rule (block to this FW), same problem occurs.ĮDIT: In order to keep the setup as straight FW as possible, and since I do not need local host resolution, I have no issue completely bypassing Unbound and using pfsense's DNS servers directly. > Block any traffic from DMZ subnet to "This firewall" > Block any traffic from DMZ subnet to LAN subnet AFAIK, when empty it will use the general DNS servers under System > General Setup which are 1.1.1.1 & 1.0.0.1 for me. The DNS servers fields under DHCP server settings for DMZ are all empty.There are no NAT or port forward applied to DMZ (as far as I know).I have unselected DMZ interface from Unbound's Network Interfaces.If you use one of there other two DNS services (1.1.1.2 or 1.1.1.3) you can also have them filter DNS requests for you based on their own reputation have followed your recommended steps, but for some reasons, clients on my DMZ are not resolving (example Chrome says "DNS_PROBE_FINISHED_BAD_CONFIG") That and for my own reasons (Keeps Comcast from tracking and hijacking my DNS) I use Cloudfare's DNS via DNS_over_HTTPS, which means unbound forwards all my DNS requests encrypted to Cloudfare. IPv4 if I decide to move stuff around :-) My certificates use hostnames as IP addresses can change, mainly my IPv6 as the prefix is allocated by Comcast dynamically. It doesn't matter if unbound is listening on the DMZ interface or not, if nothing gets sent to the interface ip address on UDP 53, it won't reply.Īlso, by still using my local unbound to resolve, I still get local host resolution, as not all my "internal" hostnames have records in my domains public Nameservers (DNS), hence my "views" configuration has include: /var/unbound/host_nfįor both dnsbl and bypass views. you allow all traffic from your DMZ outbound (or at least are not blocking DNS on UDP 53), then you can keep it really simple.įor DHCP hosts, just add a public DNS server(s) in the DHCP server settings for the DMZ.įor static IP Hosts, (or DHCP if you want to do it on each host) just configure a DNS server manually on each host. You want to bypass all pfBlocker's functionality on your DMZ subnet and you are not whitelisting.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |