Configuration in /etc/pf.conf (the inside_if macro and the <allowed> table were not shown in the original snippet; inside_if is taken from the tcpdump capture below and the table contents are an example value):
inside_if = "rtw0"
table <allowed> { 192.168.127.0/24 }   # example: internal clients whose DNS traffic gets redirected
dns_servers = "{ 208.67.222.222 208.67.220.220 }"
pass in quick on $inside_if proto udp from <allowed> to any port 53 rdr-to $dns_servers round-robin
You might also want to add sticky-address so that a given client keeps being sent to the same DNS server [1] (not needed in my case)
The result when capturing on the internal interface (rtw0):
# tcpdump -ni rtw0 'port 53 and host ( 8.8.8.8 )'
17:44:46.295443 192.168.127.36.37796 > 8.8.8.8.53: 22244+ A? toneji.to. (31)
17:44:46.384365 8.8.8.8.53 > 192.168.127.36.37796: 22244 1/0/0 A 67.215.65.132 (47)
The result when capturing on the external interface (xl0):
# tcpdump -ni xl0 'port 53 and host ( 208.67.220.220 or 208.67.222.222 )'
17:44:46.295561 10.0.2.2.59847 > 208.67.220.220.53: 22244+ A? toneji.to. (31)
17:44:46.384302 208.67.220.220.53 > 10.0.2.2.59847: 22244 1/0/0 A 67.215.65.132 (47) (DF)
This means that *any* UDP DNS request from the allowed clients, no matter which resolver they addressed it to (8.8.8.8 here), is transparently forwarded to our trusted DNS servers (Thanks OpenDNS)
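The two captures above show the same transaction ID (22244) and name on both interfaces, which is how you confirm the redirection actually happened. The following script automates that check: it parses tcpdump -n output from the inside and outside interfaces, correlates queries by transaction ID and query name, and reports queries that were redirected to a trusted server, queries that leaked to some other resolver, and inside queries with no outside counterpart. It is an added example, not code from the original post; the sample lines are copied from the post's own captures, and the trusted server set is the dns_servers macro. Note that the pf rule only covers UDP port 53, so the script only looks at queries on that port.

```python
import re
from collections import defaultdict

# Constructed sample captures, copied from the post's tcpdump output
# (inside interface rtw0 and outside interface xl0).
INSIDE_CAPTURE = """\
17:44:46.295443 192.168.127.36.37796 > 8.8.8.8.53: 22244+ A? toneji.to. (31)
17:44:46.384365 8.8.8.8.53 > 192.168.127.36.37796: 22244 1/0/0 A 67.215.65.132 (47)
"""
OUTSIDE_CAPTURE = """\
17:44:46.295561 10.0.2.2.59847 > 208.67.220.220.53: 22244+ A? toneji.to. (31)
17:44:46.384302 208.67.220.220.53 > 10.0.2.2.59847: 22244 1/0/0 A 67.215.65.132 (47) (DF)
"""

# The resolvers the pf rule redirects to (the dns_servers macro in the post).
TRUSTED_DNS = {"208.67.222.222", "208.67.220.220"}

# A tcpdump -n query line looks like:
#   <ts> <src>.<sport> > <dst>.53: <txid>+ <qtype>? <qname> (<len>)
# The "+" after the transaction id marks a query (recursion desired),
# so answer lines do not match this pattern.
QUERY_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.53: "
    r"(?P<txid>\d+)\+ (?P<qtype>[A-Z]+)\? (?P<qname>\S+) "
)


def parse_queries(capture):
    """Return the DNS queries (answers excluded) found in a tcpdump capture."""
    queries = []
    for line in capture.splitlines():
        m = QUERY_RE.match(line)
        if m:
            q = m.groupdict()
            q["txid"] = int(q["txid"])
            queries.append(q)
    return queries


def check_redirection(inside_capture, outside_capture, trusted=TRUSTED_DNS):
    """Correlate inside and outside queries by (txid, qname).

    Returns a dict with:
      redirected: (original dst, actual dst, qname) for queries sent to a trusted server
      leaked:     outside queries that reached a resolver outside the trusted set
      unmatched:  inside queries that never showed up on the outside interface
    """
    outside_by_key = defaultdict(list)
    for q in parse_queries(outside_capture):
        outside_by_key[(q["txid"], q["qname"])].append(q)

    redirected, unmatched = [], []
    for q in parse_queries(inside_capture):
        matches = outside_by_key.get((q["txid"], q["qname"]), [])
        if not matches:
            unmatched.append(q)
            continue
        for o in matches:
            if o["dst"] in trusted:
                redirected.append((q["dst"], o["dst"], q["qname"]))
    # Anything leaving towards a non-trusted resolver is a leak, matched or not.
    leaked = [q for qs in outside_by_key.values() for q in qs if q["dst"] not in trusted]
    return {"redirected": redirected, "leaked": leaked, "unmatched": unmatched}


if __name__ == "__main__":
    result = check_redirection(INSIDE_CAPTURE, OUTSIDE_CAPTURE)
    for orig_dst, new_dst, name in result["redirected"]:
        print(f"{name}: client asked {orig_dst}, forwarded to {new_dst}")
    print("leaked:", len(result["leaked"]), "unmatched:", len(result["unmatched"]))
```

In practice you would feed it two files saved with tcpdump -n -l on each interface over the same time window; a non-empty "leaked" list means some client reached a resolver the rdr-to rule did not catch.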
References:
[1] http://www.openbsd.org/faq/pf/pools.html
--
= ^ . ^ =