On 11/7/2017 8:46 AM, Stuart Henderson wrote:
On 2017-11-07, Scott Bennett <sbennett1...@gmail.com> wrote:

I want to be able to enforce that all queries get funneled to OpenDNS. I
don't want someone to be able to outsmart the filter, at least at this
one level. Redirection lets me configure the laptops to have their own
hard-coded configurations when out and about, and then when I come home
they transparently query the gateway with no changes. Blocking would
probably result in me trying to load a page when I get home, failing,
then remembering to change the DNS config.

If you redirect, you may then end up funneling requests which are meant
for an *authoritative* DNS server, towards a recursive resolver instead.

Can you just hardcode the laptops to OpenDNS's resolver addresses, and
just permit those through PF? Then, if wanted, you could redirect just
those addresses to your local unbound resolver, and block other port 53.

That could be a solution. In what situations would there be a request
for an authoritative DNS server? There's not much on my network (at the
moment) that does anything more than general internet browsing.
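Stuart's suggestion written out as a pf.conf fragment with the matching unbound settings. This is an added example, not configuration from either poster; the interface name, LAN network, unbound listen address and the OpenDNS resolver addresses are assumptions for illustration.

```pf
# Assumed names for this example (not from the thread).
lan      = "em1"                                 # inside interface
lan_net  = "192.168.1.0/24"                      # LAN network behind the gateway
opendns  = "{ 208.67.222.222 208.67.220.220 }"   # assumed OpenDNS resolver addresses
local_dns = "127.0.0.1"                          # unbound listening on the gateway

# pf evaluates last matching rule, so the catch-all block comes first.
# Any port 53 traffic from the LAN that is NOT aimed at OpenDNS is refused
# ("return" gives the client an immediate error instead of a timeout) and
# logged, so a query meant for an authoritative server (dig @ns1.example.net)
# shows up in pflog instead of being silently answered by a recursive resolver.
block return in log on $lan inet proto { tcp udp } from $lan_net to any port domain

# Laptops hard-code OpenDNS. At home those queries, and only those, are
# transparently handed to the local unbound via rdr-to; nothing else is touched.
pass in quick on $lan inet proto { tcp udp } from $lan_net to $opendns port domain rdr-to $local_dns

# Matching unbound.conf fragment (separate file, shown here as comments).
# rdr-to rewrites only the destination, so the client source address is still
# the LAN address and access-control must allow the LAN network.
#   server:
#       interface: 127.0.0.1
#       access-control: 192.168.1.0/24 allow
#   forward-zone:
#       name: "."
#       forward-addr: 208.67.222.222
#       forward-addr: 208.67.220.220
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; blocked non-OpenDNS queries can be inspected with `tcpdump -n -e -ttt -i pflog0 port 53`.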
