On 2017-11-07, Scott Bennett <sbennett1...@gmail.com> wrote:
> On 11/6/2017 9:29 PM, trondd wrote:
>> On Mon, November 6, 2017 8:50 pm, Scott Bennett wrote:
>>> pass quick proto { tcp, udp } to port $udp_ports
>>
>> Because you're telling pf to pass all traffic on port domain to anywhere.
>> Quick rules stop evaluation and you never hit the rdr-to rules below.
>>
>
> Oh, duh. I thought it had to be something minor that I wasn't seeing.
>
>>
>>> # Redirect DNS Queries
>>> pass in on $wifi proto { udp, tcp } from any to any port domain \
>>> rdr-to $wifi_ip port domain label "dns-redirect"
>>> pass in on $wired proto { udp, tcp } from any to any port domain \
>>> rdr-to $wired_ip port domain label "dns-redirect"
>>>
>>
>> What is on your LAN that isn't using your DHCP settings for DNS? Why
>> redirect instead of just blocking DNS from the LAN to all but unbound?
>>
>
> I want to be able to enforce that all queries get funneled to OpenDNS. I
> don't want someone to be able to outsmart the filter, at least at this
> one level. Redirection lets me configure the laptops to have their own
> hard-coded configurations when out and about, and then when I come home
> they transparently query the gateway with no changes. Blocking would
> probably result in me trying to load a page when I get home, failing,
> then remembering to change the DNS config.
>
If you redirect, you may then end up funneling requests which are meant for an *authoritative* DNS server, towards a recursive resolver instead. Can you just hardcode the laptops to OpenDNS's resolver addresses, and just permit those through PF? Then, if wanted, you could redirect just those addresses to your local unbound resolver, and block other port 53.
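As an added illustration (not part of the thread, and not anyone's actual pf.conf), here is one way to write the rule set the reply suggests: keep the `quick` rule from swallowing port 53 before the `rdr-to` rules are evaluated, redirect only the laptops' hard-coded upstream resolver addresses to the local unbound, and block every other port 53 destination from the LAN. Interface names, the gateway addresses and the `$udp_ports` list are assumed placeholders; the two upstream addresses are OpenDNS's published resolver addresses and should be checked against the provider's current documentation before use.

```pf
# Added example, not the poster's configuration. Names and addresses are assumed.
wifi     = "iwm0"           # assumed LAN interface names
wired    = "em0"
wifi_ip  = "192.0.2.1"      # constructed gateway addresses (RFC 5737 ranges)
wired_ip = "198.51.100.1"
lan      = "{ $wifi $wired }"

# Resolver addresses the laptops carry in their own configuration when away.
# These are OpenDNS's published resolvers; verify against the provider's docs.
upstream_dns = "{ 208.67.222.222 208.67.220.220 }"

# Other UDP services this gateway accepts; domain deliberately NOT listed here,
# so that a later "pass quick" cannot match port 53 before the rdr-to rules.
udp_ports = "{ ntp }"

# The ordering problem from the thread, kept only as a comment: a quick pass
# that matches port 53 ends rule evaluation and the redirects below never run.
# pass quick proto { tcp, udp } to port { domain, $udp_ports }

# Step 1: translation. "match ... rdr-to" rewrites the destination of queries
# aimed at the upstream resolvers to this gateway; rules evaluated afterwards
# see the translated destination, so the pass/block rules below act on it.
match in on $wifi  proto { udp, tcp } to $upstream_dns port domain \
      rdr-to $wifi_ip  port domain label "dns-redirect"
match in on $wired proto { udp, tcp } to $upstream_dns port domain \
      rdr-to $wired_ip port domain label "dns-redirect"

# Step 2: allow port 53 only to the gateway itself (where unbound listens).
pass in quick on $lan proto { udp, tcp } to { $wifi_ip $wired_ip } port domain

# Step 3: every other port 53 destination from the LAN is dropped and logged,
# which is where a host that bypasses DHCP-assigned DNS shows up.
block in log quick on $lan proto { udp, tcp } to any port domain

# Remaining quick passes come after the DNS rules, so they cannot shadow them.
pass in quick on $lan proto udp to port $udp_ports

# Unbound's own upstream queries leave on the external interface, not "in on"
# the LAN interfaces, so they are untouched by the rules above.
```

Parse-check with `pfctl -nf /etc/pf.conf` before loading, then confirm the loaded order with `pfctl -s rules` and watch the redirects being created with `pfctl -s state | grep domain`; a host that tries an address other than the upstream pair appears in `tcpdump -n -e -ttt -i pflog0 port 53` because of the `log` keyword on the block rule.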