Free alternative for OpenDNS, with minimal info on what's going on?
-
Hi there,
I am looking to add one more layer of security by securing DNS at our office for free, if possible.
I had a look at OpenDNS (free version available only for Home), Quad9 (free for business, but no information on what's going on: no reports/dashboard), Comodo Dome Shield (free one is limited to 300k DNS queries)...
I'm looking for something free; even if there's no control to add blacklists/policies, default policies are fine, but I need a little info/dashboard on what's going on in our network.
Thanks!
-
@openit Pi-hole with the upstream DNS of your choice.
Keep in mind that you'll have to either block all DNS at the firewall (except the Pi-hole) or force all queries to redirect to the Pi-hole if you want absolute visibility and control. If you're OK with the possibility of queries bypassing your DNS, then this part doesn't need to be dealt with.
-
@notverypunny said in Free alternative for OpenDNS, with minimal info on what's going on?:
@openit Pi-hole with the upstream DNS of your choice.
Keep in mind that you'll have to either block all DNS at the firewall (except the Pi-hole) or force all queries to redirect to the Pi-hole if you want absolute visibility and control. If you're OK with the possibility of queries bypassing your DNS, then this part doesn't need to be dealt with.
The issue with Pi-Hole or any other DNS solution for most shops is that they are AD based. This means that DNS has to point to the AD server. The AD server can then point to Pi-Hole, and this works well. But it breaks his visibility requirement, as everything appears to come from the AD server.
-
@JaredBusch said in Free alternative for OpenDNS, with minimal info on what's going on?:
@notverypunny said in Free alternative for OpenDNS, with minimal info on what's going on?:
@openit Pi-hole with the upstream DNS of your choice.
Keep in mind that you'll have to either block all DNS at the firewall (except the Pi-hole) or force all queries to redirect to the Pi-hole if you want absolute visibility and control. If you're OK with the possibility of queries bypassing your DNS, then this part doesn't need to be dealt with.
The issue with Pi-Hole or any other DNS solution for most shops is that they are AD based. This means that DNS has to point to the AD server. The AD server can then point to Pi-Hole, and this works well. But it breaks his visibility requirement, as everything appears to come from the AD server.
Why couldn't you point Pi-Hole to your AD DNS, and then let AD's DNS point to Cloudflare or whoever?
-
@JaredBusch
I hear you, but it's just as much visibility as the OpenDNS option that the OP was looking at if we are looking at an AD-based setup.
-
@JaredBusch said in Free alternative for OpenDNS, with minimal info on what's going on?:
@notverypunny said in Free alternative for OpenDNS, with minimal info on what's going on?:
@openit Pi-hole with the upstream DNS of your choice.
Keep in mind that you'll have to either block all DNS at the firewall (except the Pi-hole) or force all queries to redirect to the Pi-hole if you want absolute visibility and control. If you're OK with the possibility of queries bypassing your DNS, then this part doesn't need to be dealt with.
The issue with Pi-Hole or any other DNS solution for most shops is that they are AD based. This means that DNS has to point to the AD server. The AD server can then point to Pi-Hole, and this works well. But it breaks his visibility requirement, as everything appears to come from the AD server.
In AD networks it's set up in reverse order. Clients get Pi-Hole as DNS server, and Pi-Hole points to AD DNS servers.
-
@openit said in Free alternative for OpenDNS, with minimal info on what's going on?:
Hi there,
I am looking to add one more layer of security by securing DNS at our office for free, if possible.
I had a look at OpenDNS (free version available only for Home), Quad9 (free for business, but no information on what's going on: no reports/dashboard), Comodo Dome Shield (free one is limited to 300k DNS queries)...
I'm looking for something free; even if there's no control to add blacklists/policies, default policies are fine, but I need a little info/dashboard on what's going on in our network.
Thanks!
NXFilter is a good solution. It is not free but pretty inexpensive. It also supports AD and LDAP, so you can be granular at the PC level or even the user level.
-
@dafyre said in Free alternative for OpenDNS, with minimal info on what's going on?:
@JaredBusch said in Free alternative for OpenDNS, with minimal info on what's going on?:
@notverypunny said in Free alternative for OpenDNS, with minimal info on what's going on?:
@openit Pi-hole with the upstream DNS of your choice.
Keep in mind that you'll have to either block all DNS at the firewall (except the Pi-hole) or force all queries to redirect to the Pi-hole if you want absolute visibility and control. If you're OK with the possibility of queries bypassing your DNS, then this part doesn't need to be dealt with.
The issue with Pi-Hole or any other DNS solution for most shops is that they are AD based. This means that DNS has to point to the AD server. The AD server can then point to Pi-Hole, and this works well. But it breaks his visibility requirement, as everything appears to come from the AD server.
Why couldn't you point Pi-Hole to your AD DNS, and then let AD's DNS point to Cloudflare or whoever?
Pretty sure that will work fine.
-
@scottalanmiller said in Free alternative for OpenDNS, with minimal info on what's going on?:
@dafyre said in Free alternative for OpenDNS, with minimal info on what's going on?:
@JaredBusch said in Free alternative for OpenDNS, with minimal info on what's going on?:
@notverypunny said in Free alternative for OpenDNS, with minimal info on what's going on?:
@openit Pi-hole with the upstream DNS of your choice.
Keep in mind that you'll have to either block all DNS at the firewall (except the Pi-hole) or force all queries to redirect to the Pi-hole if you want absolute visibility and control. If you're OK with the possibility of queries bypassing your DNS, then this part doesn't need to be dealt with.
The issue with Pi-Hole or any other DNS solution for most shops is that they are AD based. This means that DNS has to point to the AD server. The AD server can then point to Pi-Hole, and this works well. But it breaks his visibility requirement, as everything appears to come from the AD server.
Why couldn't you point Pi-Hole to your AD DNS, and then let AD's DNS point to Cloudflare or whoever?
Pretty sure that will work fine.
Yes, this can work. The problem is you are putting something in the middle of a normal AD process. Can it work? Yes. Can it work and have no problems? Yes. But can it also have problems if things are not configured correctly and carefully? Yes.
-
@JaredBusch said in Free alternative for OpenDNS, with minimal info on what's going on?:
@notverypunny said in Free alternative for OpenDNS, with minimal info on what's going on?:
@openit Pi-hole with the upstream DNS of your choice.
Keep in mind that you'll have to either block all DNS at the firewall (except the Pi-hole) or force all queries to redirect to the Pi-hole if you want absolute visibility and control. If you're OK with the possibility of queries bypassing your DNS, then this part doesn't need to be dealt with.
The issue with Pi-Hole or any other DNS solution for most shops is that they are AD based. This means that DNS has to point to the AD server. The AD server can then point to Pi-Hole, and this works well. But it breaks his visibility requirement, as everything appears to come from the AD server.
Wouldn't this section on Pi-Hole solve that problem?
-
@black3dynamite said in Free alternative for OpenDNS, with minimal info on what's going on?:
@JaredBusch said in Free alternative for OpenDNS, with minimal info on what's going on?:
@notverypunny said in Free alternative for OpenDNS, with minimal info on what's going on?:
@openit Pi-hole with the upstream DNS of your choice.
Keep in mind that you'll have to either block all DNS at the firewall (except the Pi-hole) or force all queries to redirect to the Pi-hole if you want absolute visibility and control. If you're OK with the possibility of queries bypassing your DNS, then this part doesn't need to be dealt with.
The issue with Pi-Hole or any other DNS solution for most shops is that they are AD based. This means that DNS has to point to the AD server. The AD server can then point to Pi-Hole, and this works well. But it breaks his visibility requirement, as everything appears to come from the AD server.
Wouldn't this section on Pi-Hole solve that problem?
It would.
Again, I am not saying it cannot work. I am saying you are putting something in the middle of the standard AD process. Putting anything in the middle of a default process carries risk factors.
-
@JaredBusch said in Free alternative for OpenDNS, with minimal info on what's going on?:
@notverypunny said in Free alternative for OpenDNS, with minimal info on what's going on?:
@openit Pi-hole with the upstream DNS of your choice.
Keep in mind that you'll have to either block all DNS at the firewall (except the Pi-hole) or force all queries to redirect to the Pi-hole if you want absolute visibility and control. If you're OK with the possibility of queries bypassing your DNS, then this part doesn't need to be dealt with.
The issue with Pi-Hole or any other DNS solution for most shops is that they are AD based. This means that DNS has to point to the AD server. The AD server can then point to Pi-Hole, and this works well. But it breaks his visibility requirement, as everything appears to come from the AD server.
What if the Pi-hole points to AD for its upstream DNS?
Crap, I should have read ONE more post before posting.
-
No plans for Pi-Hole.
Considering going with Quad9, since:
- It is free for business (unlike the OpenDNS free version)
- No limit (unlike the Comodo free version)
- Has at least default blocking (unlike some other DNS services without blocking)
The only downside is no visibility of what's going on, and we cannot add our own rules/policies; fine for free. It adds one layer for free, and if budget allows in the future, we can go with OpenDNS for good control.
The only thing I wonder is: everywhere I just see configuring Windows/Linux to use Quad9 as DNS, but how about using it office network-wide? Do I just need to tell my DNS server (Windows Server) to forward DNS queries to the Quad9 DNS IP (9.9.9.9) instead of forwarding DNS queries to the current ISP?
@scottalanmiller @JaredBusch @Dashrender @black3dynamite @syko24 @marcinozga @dafyre
-
@openit said in Free alternative for OpenDNS, with minimal info on what's going on?:
No plans for Pi-Hole.
Considering going with Quad9, since:
- It is free for business (unlike the OpenDNS free version)
- No limit (unlike the Comodo free version)
- Has at least default blocking (unlike some other DNS services without blocking)
The only downside is no visibility of what's going on, and we cannot add our own rules/policies; fine for free. It adds one layer for free, and if budget allows in the future, we can go with OpenDNS for good control.
The only thing I wonder is: everywhere I just see configuring Windows/Linux to use Quad9 as DNS, but how about using it office network-wide? Do I just need to tell my DNS server (Windows Server) to forward DNS queries to the Quad9 DNS IP (9.9.9.9) instead of forwarding DNS queries to the current ISP?
@scottalanmiller @JaredBusch @Dashrender @black3dynamite @syko24 @marcinozga @dafyre
How many DNS servers do you have? As in, how many DNS exit points?
-
@openit said in Free alternative for OpenDNS, with minimal info on what's going on?:
No plans for Pi-Hole.
Why not?
Considering going with Quad9, since:
- It is free for business (unlike the OpenDNS free version)
- No limit (unlike the Comodo free version)
- Has at least default blocking (unlike some other DNS services without blocking)
The only downside is no visibility of what's going on, and we cannot add our own rules/policies; fine for free. It adds one layer for free, and if budget allows in the future, we can go with OpenDNS for good control.
The only thing I wonder is: everywhere I just see configuring Windows/Linux to use Quad9 as DNS, but how about using it office network-wide? Do I just need to tell my DNS server (Windows Server) to forward DNS queries to the Quad9 DNS IP (9.9.9.9) instead of forwarding DNS queries to the current ISP?
@scottalanmiller @JaredBusch @Dashrender @black3dynamite @syko24 @marcinozga @dafyre
Correct, the client machines point to AD DNS so you get internal resources same as normal, and your AD DNS servers get their upstream from, in this case, Quad9.
You should also configure your firewalls to prevent DNS queries from anything other than your AD DNS servers, to prevent users going around you.
Be aware though: Firefox (I think) is moving or has moved to DNS over HTTPS and will be going around you on its own. I don't know if they have GPOs/settings to enforce the use of specified DNS servers instead yet or not.
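Added here as a worked example (not from any post in the thread): the Windows Server side of the setup described in this reply and in notverypunny's firewall point earlier, namely AD DNS forwarding to Quad9, local query logging to get the per-client visibility Quad9 itself does not offer, and the Firefox enterprise policy that disables DNS over HTTPS. It assumes the DNS role is installed on the AD servers; the log path and Firefox install path are placeholders, and 149.112.112.112 is Quad9's second published resolver address.

```powershell
# Added example, not from the thread. Run elevated on each AD DNS server.
# Assumptions: DNS role installed; log path and Firefox install path are
# placeholders; the perimeter firewall rule is described, not scripted.

# 1. Upstream: replace the ISP forwarders with Quad9.
#    9.9.9.9 is from the thread; 149.112.112.112 is Quad9's second address.
$quad9 = @('9.9.9.9', '149.112.112.112')
Get-DnsServerForwarder | Select-Object -ExpandProperty IPAddress |
    ForEach-Object { Remove-DnsServerForwarder -IPAddress $_ -Force }
Add-DnsServerForwarder -IPAddress $quad9
# Do not fall back to root hints: a silent fallback would drop the blocking
# layer without anyone noticing. Monitor forwarder reachability instead.
Set-DnsServerForwarder -UseRootHint $false

# 2. Visibility: Quad9 has no dashboard, so log queries locally on the AD
#    DNS server. Clients ask this server directly, so the log keeps the real
#    client IP (the "everything comes from AD" problem only hits a resolver
#    sitting behind AD, not AD itself).
New-Item -ItemType Directory -Force -Path 'C:\DnsLogs' | Out-Null
Set-DnsServerDiagnostics -Queries $true -Answers $true `
    -ReceivePackets $true -SendPackets $true `
    -UdpPackets $true -TcpPackets $true `
    -LogFilePath 'C:\DnsLogs\dns.log'

# 3. Enforcement: on the perimeter firewall (not scriptable from here),
#    allow UDP/TCP 53 and TCP 853 outbound only from the AD DNS servers and
#    deny-and-log them from every other internal host. The logged denies
#    are your list of devices trying to bypass the resolvers.

# 4. DoH bypass: Firefox honours an enterprise policy file. Disable and lock
#    DNS over HTTPS so it keeps using the AD resolvers.
$ffDir = 'C:\Program Files\Mozilla Firefox\distribution'
New-Item -ItemType Directory -Force -Path $ffDir | Out-Null
@{ policies = @{ DNSOverHTTPS = @{ Enabled = $false; Locked = $true } } } |
    ConvertTo-Json -Depth 4 |
    Set-Content -Path (Join-Path $ffDir 'policies.json') -Encoding UTF8

# 5. Check: the server should now resolve through Quad9 only.
Get-DnsServerForwarder | Select-Object IPAddress, UseRootHint
Resolve-DnsName -Name 'example.com' -Server 127.0.0.1 -Type A
```

The policies.json step has to land on each client, typically via GPO file deployment or the same software-distribution path used to install Firefox.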
-
@Obsolesce said in Free alternative for OpenDNS, with minimal info on what's going on?:
@openit said in Free alternative for OpenDNS, with minimal info on what's going on?:
No plans for Pi-Hole.
Considering going with Quad9, since:
- It is free for business (unlike the OpenDNS free version)
- No limit (unlike the Comodo free version)
- Has at least default blocking (unlike some other DNS services without blocking)
The only downside is no visibility of what's going on, and we cannot add our own rules/policies; fine for free. It adds one layer for free, and if budget allows in the future, we can go with OpenDNS for good control.
The only thing I wonder is: everywhere I just see configuring Windows/Linux to use Quad9 as DNS, but how about using it office network-wide? Do I just need to tell my DNS server (Windows Server) to forward DNS queries to the Quad9 DNS IP (9.9.9.9) instead of forwarding DNS queries to the current ISP?
@scottalanmiller @JaredBusch @Dashrender @black3dynamite @syko24 @marcinozga @dafyre
How many DNS servers do you have? As in, how many DNS exit points?
I'm curious to know how this is helpful to know?