> > Because OpenDNS does their filtering based on the source IP address, you
> > would have to have each LAN have its own outgoing IP(s) using Outbound NAT
> > rules.
>
> I've never actually done outbound NAT. So let's say I've got multiple IP addresses bound as virtual IPs onto the physical WAN interface. I can create an outbound NAT rule so that, depending on the source subnet scope, I can have the individual traffic appear to come out of a particular virtual IP? Is that correct? But if I'm using AD integrated DNS, would I just remove all root hints and forwarders? So then anything AD DNS could not resolve would go to OpenDNS? But would the request still come from the client or from the internal AD DNS?
I'm thinking I would have to set up DHCP to hand out three or four DNS servers then: my two internal DNS servers, and then the two OpenDNS servers at the bottom. Is anyone doing this, and what is the timeout like? I.e., how long does it take for the internal DNS servers to respond that they can't find the internet resource, and for OpenDNS to respond in the tertiary and quaternary DNS slots? Doesn't this create a ton of DNS traffic traversing the firewall? Or am I missing something simple here?
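To measure the fallback question above (how long each resolver in the DHCP-supplied list takes to answer, and with which RCODE), here is an added probe script; it is not from the original thread. The 10.0.0.x addresses are constructed placeholders for the internal AD DNS servers; the last two are the public OpenDNS resolvers.

```python
import socket
import struct
import time

# Constructed resolver list in the order DHCP would hand it out: two internal
# AD DNS servers (placeholder addresses) first, the public OpenDNS resolvers last.
RESOLVERS = ["10.0.0.10", "10.0.0.11", "208.67.222.222", "208.67.220.220"]
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qid=0x1234):
    """Build a minimal DNS A/IN query with the RD bit set (what a stub resolver sends)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = [label.encode() for label in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_response(data):
    """Return (id, rcode, answer_count) from the 12-byte DNS response header."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return qid, flags & 0x000F, an

def probe(name, resolvers=RESOLVERS, timeout=2.0):
    """Query every resolver in order and time each; returns [(server, outcome, seconds)]."""
    # A real stub resolver stops at the first definitive answer; probing all of
    # them shows what each DHCP slot would say and how long a timeout costs.
    results = []
    for server in resolvers:
        query = build_query(name, qid=0x1234)
        start = time.monotonic()
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (server, 53))
            data, _ = sock.recvfrom(512)
            qid, rcode, answers = parse_response(data)
            if qid != 0x1234:
                outcome = "mismatched id (ignored)"
            else:
                outcome = "%s, %d answer(s)" % (RCODE_NAMES.get(rcode, "RCODE%d" % rcode), answers)
        except OSError:  # socket.timeout is a subclass of OSError
            outcome = "timeout/unreachable"
        finally:
            sock.close()
        results.append((server, outcome, round(time.monotonic() - start, 3)))
    return results

if __name__ == "__main__":
    for server, outcome, seconds in probe("www.example.com"):
        print("%-16s %-28s %.3fs" % (server, outcome, seconds))
```

Note that a stub resolver treats NXDOMAIN from the first server as a final answer and does not move on to the later slots; it only falls through when a server fails to respond, so the extra latency is paid per unreachable server, not per unresolved name.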
