On 2017-11-07, Scott Bennett <[email protected]> wrote:
> On 11/7/2017 8:46 AM, Stuart Henderson wrote:
>> On 2017-11-07, Scott Bennett <[email protected]> wrote:
>>>
>>> I want to be able to enforce that all queries get funneled to OpenDNS. I
>>> don't want someone to be able to outsmart the filter, at least at this
>>> one level. Redirection lets me configure the laptops to have their own
>>> hard-coded configurations when out and about, and then when I come home
>>> they transparently query the gateway with no changes. Blocking would
>>> probably result in me trying to load a page when I get home, failing,
>>> then remembering to change the DNS config.
>>
>> If you redirect, you may then end up funneling requests which are meant
>> for an *authoritative* DNS server, towards a recursive resolver instead.
>>
>> Can you just hardcode the laptops to OpenDNS's resolver addresses, and
>> just permit those through PF? Then, if wanted, you could redirect just
>> those addresses to your local unbound resolver, and block other port 53.
>
> That could be a solution. In what situations would there be a request
> for an authoritative DNS server? There's not much on my network (at the
> moment) that does anything more than general internet browsing.
Anything doing lookups directly, including tools like dig/nslookup, or machines running their own DNS resolver. With this change I'd be worried about forgetting that it's in place and then later getting very confused when trying to debug a DNS issue with some domain using the usual tools. At least if the queries are outright blocked, it's more obvious.
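The approach suggested in the quoted reply (permit port 53 only towards OpenDNS's resolver addresses, optionally redirect those to a local unbound, block everything else on port 53) as a pf.conf fragment for an OpenBSD gateway. This is an added example, not a configuration posted by anyone in the thread. It assumes the internal interface is em1, that the OpenDNS resolver addresses are 208.67.222.222 and 208.67.220.220 (verify against OpenDNS's current documentation), and that a local unbound is listening on 127.0.0.1 port 53 and forwarding to OpenDNS itself.

```pf
# Added example, not from the thread. Assumed names and addresses:
#   int_if  : LAN-facing interface of the gateway (assumed em1)
#   <opendns>: OpenDNS's public resolver addresses (assumed, verify them)
#   unbound : assumed to listen on 127.0.0.1:53 and forward to OpenDNS
int_if = "em1"
table <opendns> const { 208.67.222.222 208.67.220.220 }

# Queries that clients send to OpenDNS's addresses are allowed. The rdr-to
# funnels them into the local unbound (comment it out to let them go
# upstream directly). Because only these destinations are rewritten, a
# query aimed at some other server is never silently answered by a
# recursive resolver, which is the confusion the reply warns about.
pass in quick on $int_if proto { udp tcp } \
    from $int_if:network to <opendns> port 53 \
    rdr-to 127.0.0.1 port 53

# Any other DNS traffic from the LAN is blocked outright, so a laptop still
# pointed at a different resolver, or a dig against an authoritative
# server, fails visibly instead of being transparently redirected.
block in quick on $int_if proto { udp tcp } \
    from $int_if:network to any port 53
```

Check the fragment with `pfctl -nf /etc/pf.conf` before loading it, and keep the rules ahead of any broader `pass` rule for the internal interface, since `quick` only short-circuits rules that come later.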

