On Sun, Apr 18, 2010 at 2:06 PM, Tim Dressel <[email protected]> wrote:

>> Because OpenDNS does their filtering based on the source IP address, you
>> would have to have each LAN have its own outgoing IP(s) using Outbound NAT
>> rules.
>>
>>
> I've never actually done outbound NAT. So let's say I've got multiple IP
> addresses bound as virtual IPs onto the physical WAN interface. I can
> create an outbound NAT rule that depending on the source subnet scope I can
> have the individual traffic appear to come out a particular virtual IP? Is
> that correct?
>
Yes.


> But if I'm using AD integrated DNS, would I just remove all root-hints and
> forwarders? So then anything AD DNS could not resolve would go to OpenDNS?
>
You would set AD-DNS to use forwarders 208.67.222.222 and 208.67.220.220 and
you would set your computers to use your server as their DNS server.
Anything that your server cannot resolve would be passed to OpenDNS. *Scratch
that.  See below.*

> But would the request still come from the client or from the internal AD
> DNS?
>
Do you mean "Would OpenDNS see it as coming from the client or from the
server?"  That's a good point and now that I think about it, I'm not sure.
What you are saying below about using four DNS servers would probably work
instead of using forwarders in AD-DNS. In that case, yes you would remove
the forwarders and root hints.


> I'm thinking I would have to set up DHCP to hand out three or four DNS
> servers then. My two internal DNS servers, and then the two OpenDNS servers
> at the bottom. Is anyone doing this, and what is timeout like? I.e., how long
> does it take for the internal DNS servers to respond that they can't find
> the internet resource, and for OpenDNS to respond in the tertiary
> and quaternary DNS slots.
>
I have never tested the timing for this method but since each computer
should be caching DNS results, it probably won't be such a big deal.  Best
thing to do is to try it.

> Doesn't this create a ton of DNS traffic traversing the firewall?
>
Why does it create any more DNS traffic than doing it any other way?

> Or am I missing something simple here?
>
There's nothing simple here. ;)

When I set up my pfSense with OpenDNS, 3 LANs, and 2 WANs, there was a lot
of trial and error and I had the luxury of a testing network completely
separate from my office network so I couldn't actually break anything.  I
tried a lot of things and I don't remember all of the things I tried.
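As an added illustration, not part of this thread, here is a small Python model of the two designs discussed above: per-LAN outbound NAT with clients querying OpenDNS directly, versus clients going through an AD-DNS server that forwards to OpenDNS. All subnets, virtual IPs and the server address are constructed sample values; the first-match-wins rule walk mirrors how pfSense evaluates Outbound NAT rules top to bottom.

```python
"""Model of per-LAN egress for OpenDNS filtering (added example).

OpenDNS applies the policy of whichever public IP a query arrives from,
so what matters is the egress IP each LAN ends up on after outbound NAT.
All addresses below are constructed sample values.
"""
from ipaddress import ip_address, ip_network

# Constructed rules: (source network, translation/virtual IP); first match wins.
OUTBOUND_NAT = [
    ("10.1.0.0/24", "203.0.113.11"),   # LAN 1 -> virtual IP 1
    ("10.2.0.0/24", "203.0.113.12"),   # LAN 2 -> virtual IP 2
    ("10.0.0.0/8",  "203.0.113.10"),   # catch-all for every other LAN
]

AD_DNS_SERVER = "10.1.0.5"  # constructed: internal AD-integrated DNS on LAN 1


def egress_ip(src, rules=OUTBOUND_NAT):
    """Return the public IP a packet from `src` carries after outbound NAT."""
    addr = ip_address(src)
    for network, translated in rules:
        if addr in ip_network(network):
            return translated
    return None  # no matching rule: the packet would leave untranslated


def ip_seen_by_opendns(client, via_forwarder):
    """Source IP OpenDNS sees for a client's lookup.

    via_forwarder=True models the AD-DNS-with-forwarders design: the server,
    not the client, sends the recursive query to OpenDNS, so every LAN's
    traffic collapses onto the server's egress IP and its single policy.
    """
    sender = AD_DNS_SERVER if via_forwarder else client
    return egress_ip(sender)


def distinct_policies(clients, via_forwarder):
    """Number of different OpenDNS policies (egress IPs) the clients land on."""
    return len({ip_seen_by_opendns(c, via_forwarder) for c in clients})


if __name__ == "__main__":
    lan_clients = ["10.1.0.20", "10.2.0.20", "10.3.0.20"]
    for mode in (False, True):
        seen = {c: ip_seen_by_opendns(c, mode) for c in lan_clients}
        print("forwarders" if mode else "direct", seen,
              "policies:", distinct_policies(lan_clients, mode))
```

With forwarders the three LANs all appear to OpenDNS as the server's egress address, which is why the per-LAN filtering question in the thread hinges on who actually sends the recursive query.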
