    Free alternative for OpenDNS, with minimal info on what's going on?

    IT Discussion
    16 Posts 10 Posters 628 Views
    • notverypunny @openit

      @openit Pihole with the upstream DNS of your choice.

      https://pi-hole.net/

      Keep in mind that you'll have to either block all DNS at the firewall (except the Pi-hole) or force all queries to redirect to the Pi-hole if you want absolute visibility and control. If you're OK with the possibility of queries bypassing your DNS then this part doesn't need to be dealt with.

      • JaredBusch @notverypunny

        @notverypunny said in Free alternative for OpenDNS, with minimal info on what's going on?:

        @openit Pihole with the upstream DNS of your choice.

        https://pi-hole.net/

        Keep in mind that you'll have to either block all DNS at the firewall (except the Pi-hole) or force all queries to redirect to the Pi-hole if you want absolute visibility and control. If you're OK with the possibility of queries bypassing your DNS then this part doesn't need to be dealt with.

        The issue with Pi-Hole or any other DNS solution for most shops is that they are AD based. This means that DNS has to point to the AD server. The AD server can then point to Pi-Hole, and this works well. But it breaks his visibility requirement as everything appears to come from the AD server.

        • dafyre @JaredBusch

          @JaredBusch said in Free alternative for OpenDNS, with minimal info on what's going on?:

          @notverypunny said in Free alternative for OpenDNS, with minimal info on what's going on?:

          @openit Pihole with the upstream DNS of your choice.

          https://pi-hole.net/

          Keep in mind that you'll have to either block all DNS at the firewall (except the Pi-hole) or force all queries to redirect to the Pi-hole if you want absolute visibility and control. If you're OK with the possibility of queries bypassing your DNS then this part doesn't need to be dealt with.

          The issue with Pi-Hole or any other DNS solution for most shops is that they are AD based. This means that DNS has to point to the AD server. The AD server can then point to Pi-Hole, and this works well. But it breaks his visibility requirement as everything appears to come from the AD server.

          Why couldn't you point Pi-Hole to your AD DNS, and then let AD's DNS point to Cloudflare or whoever?

          • notverypunny @JaredBusch

            @JaredBusch
            I hear you, but it's just as much visibility as the OpenDNS option that the OP was looking at if we are looking at an AD-based setup.

            • marcinozga @JaredBusch

              @JaredBusch said in Free alternative for OpenDNS, with minimal info on what's going on?:

              @notverypunny said in Free alternative for OpenDNS, with minimal info on what's going on?:

              @openit Pihole with the upstream DNS of your choice.

              https://pi-hole.net/

              Keep in mind that you'll have to either block all DNS at the firewall (except the Pi-hole) or force all queries to redirect to the Pi-hole if you want absolute visibility and control. If you're OK with the possibility of queries bypassing your DNS then this part doesn't need to be dealt with.

              The issue with Pi-Hole or any other DNS solution for most shops is that they are AD based. This means that DNS has to point to the AD server. The AD server can then point to Pi-Hole, and this works well. But it breaks his visibility requirement as everything appears to come from the AD server.

              In AD networks it's set up in reverse order. Clients get Pi-Hole as DNS server, and Pi-Hole points to AD DNS servers.

              • syko24

                @openit said in Free alternative for OpenDNS, with minimal info on what's going on?:

                Hi there,

                I am looking to add one more layer for security by securing DNS at our office for free, if possible.

                I had a look at OpenDNS (free available only for Home), Quad9 (free for business, but no information on what's going on - reports/dashboard), Comodo Dome Shield (free one is limited to 300k DNS queries).....

                I'm looking for free, even if there's no control to add black list/policies, default policies are fine, but need a little info/dashboard on what's going on through our Network.

                Thanks!
                NXFilter is a good solution. It is not free but pretty inexpensive. It also supports AD and LDAP so you can be granular at the PC level or even the user level.

                Nxfilter.org

                • scottalanmiller @dafyre

                  @dafyre said in Free alternative for OpenDNS, with minimal info on what's going on?:

                  @JaredBusch said in Free alternative for OpenDNS, with minimal info on what's going on?:

                  @notverypunny said in Free alternative for OpenDNS, with minimal info on what's going on?:

                  @openit Pihole with the upstream DNS of your choice.

                  https://pi-hole.net/

                  Keep in mind that you'll have to either block all DNS at the firewall (except the Pi-hole) or force all queries to redirect to the Pi-hole if you want absolute visibility and control. If you're OK with the possibility of queries bypassing your DNS then this part doesn't need to be dealt with.

                  The issue with Pi-Hole or any other DNS solution for most shops is that they are AD based. This means that DNS has to point to the AD server. The AD server can then point to Pi-Hole, and this works well. But it breaks his visibility requirement as everything appears to come from the AD server.

                  Why couldn't you point Pi-Hole to your AD DNS, and then let AD's DNS point to Cloudflare or whoever?

                  Pretty sure that that will work fine.

                  • JaredBusch @scottalanmiller

                    @scottalanmiller said in Free alternative for OpenDNS, with minimal info on what's going on?:

                    @dafyre said in Free alternative for OpenDNS, with minimal info on what's going on?:

                    @JaredBusch said in Free alternative for OpenDNS, with minimal info on what's going on?:

                    @notverypunny said in Free alternative for OpenDNS, with minimal info on what's going on?:

                    @openit Pihole with the upstream DNS of your choice.

                    https://pi-hole.net/

                    Keep in mind that you'll have to either block all DNS at the firewall (except the Pi-hole) or force all queries to redirect to the Pi-hole if you want absolute visibility and control. If you're OK with the possibility of queries bypassing your DNS then this part doesn't need to be dealt with.

                    The issue with Pi-Hole or any other DNS solution for most shops is that they are AD based. This means that DNS has to point to the AD server. The AD server can then point to Pi-Hole, and this works well. But it breaks his visibility requirement as everything appears to come from the AD server.

                    Why couldn't you point Pi-Hole to your AD DNS, and then let AD's DNS point to Cloudflare or whoever?

                    Pretty sure that that will work fine.

                    Yes, this can work. The problem is you are putting something in the middle of a normal AD process. Can it work? Yes. Can it work and have no problems? Yes. But can it also have problems if things are not configured correctly and carefully? Yes.

                    • black3dynamite @JaredBusch

                      @JaredBusch said in Free alternative for OpenDNS, with minimal info on what's going on?:

                      @notverypunny said in Free alternative for OpenDNS, with minimal info on what's going on?:

                      @openit Pihole with the upstream DNS of your choice.

                      https://pi-hole.net/

                      Keep in mind that you'll have to either block all DNS at the firewall (except the Pi-hole) or force all queries to redirect to the Pi-hole if you want absolute visibility and control. If you're OK with the possibility of queries bypassing your DNS then this part doesn't need to be dealt with.

                      The issue with Pi-Hole or any other DNS solution for most shops is that they are AD based. This means that DNS has to point to the AD server. The AD server can then point to Pi-Hole, and this works well. But it breaks his visibility requirement as everything appears to come from the AD server.

                      Wouldn't this section on Pi-Hole solve that problem?
                      [screenshot attachment]

                      • JaredBusch @black3dynamite

                        @black3dynamite said in Free alternative for OpenDNS, with minimal info on what's going on?:

                        @JaredBusch said in Free alternative for OpenDNS, with minimal info on what's going on?:

                        @notverypunny said in Free alternative for OpenDNS, with minimal info on what's going on?:

                        @openit Pihole with the upstream DNS of your choice.

                        https://pi-hole.net/

                        Keep in mind that you'll have to either block all DNS at the firewall (except the Pi-hole) or force all queries to redirect to the Pi-hole if you want absolute visibility and control. If you're OK with the possibility of queries bypassing your DNS then this part doesn't need to be dealt with.

                        The issue with Pi-Hole or any other DNS solution for most shops is that they are AD based. This means that DNS has to point to the AD server. The AD server can then point to Pi-Hole, and this works well. But it breaks his visibility requirement as everything appears to come from the AD server.

                        Wouldn't this section on Pi-Hole solve that problem?
                        [screenshot attachment]

                        It would.

                        Again, I am not saying it cannot work. I am saying you are putting something in the middle of the standard AD process. Putting anything in the middle of a default process carries risk factors.

                        • Dashrender @JaredBusch (last edited by Dashrender)

                          @JaredBusch said in Free alternative for OpenDNS, with minimal info on what's going on?:

                          @notverypunny said in Free alternative for OpenDNS, with minimal info on what's going on?:

                          @openit Pihole with the upstream DNS of your choice.

                          https://pi-hole.net/

                          Keep in mind that you'll have to either block all DNS at the firewall (except the Pi-hole) or force all queries to redirect to the Pi-hole if you want absolute visibility and control. If you're OK with the possibility of queries bypassing your DNS then this part doesn't need to be dealt with.

                          The issue with Pi-Hole or any other DNS solution for most shops is that they are AD based. This means that DNS has to point to the AD server. The AD server can then point to Pi-Hole, and this works well. But it breaks his visibility requirement as everything appears to come from the AD server.

                          What if the Pi-hole points to AD for its upstream DNS?

                          Crap - I should have read ONE more post before posting 😛

                          • openit

                            No plans for Pi-Hole.

                            Considering going with Quad9, since:

                            1. It is free for business (unlike OpenDNS free version)
                            2. No limit (unlike Comodo free version)
                            3. Has at least default blocking (unlike some other DNS services without blocking)

                            Only downside is, no visibility of what's going on and cannot add our rules/policies, fine for free. Adding one layer for free, if budget allows in future, can go with OpenDNS with good control.

                            Only thing I wonder is, everywhere I just see configuring Windows/Linux to use Quad9 as DNS, but how about using it office network wide? Do I just need to tell my DNS Server (Windows server) to forward DNS queries to the Quad9 DNS IP (9.9.9.9) instead of forwarding the DNS queries to the current ISP?
                            @scottalanmiller @JaredBusch @Dashrender @black3dynamite @syko24 @marcinozga @dafyre

                            • Obsolesce @openit

                              @openit said in Free alternative for OpenDNS, with minimal info on what's going on?:

                              No plans for Pi-Hole.

                              Considering going with Quad9, since:

                              1. It is free for business (unlike OpenDNS free version)
                              2. No limit (unlike Comodo free version)
                              3. Has at least default blocking (unlike some other DNS services without blocking)

                              Only downside is, no visibility of what's going on and cannot add our rules/policies, fine for free. Adding one layer for free, if budget allows in future, can go with OpenDNS with good control.

                              Only thing I wonder is, everywhere I just see configuring Windows/Linux to use Quad9 as DNS, but how about using it office network wide? Do I just need to tell my DNS Server (Windows server) to forward DNS queries to the Quad9 DNS IP (9.9.9.9) instead of forwarding the DNS queries to the current ISP?
                              @scottalanmiller @JaredBusch @Dashrender @black3dynamite @syko24 @marcinozga @dafyre

                              How many DNS servers do you have? As in, how many DNS exit points?

                              • Dashrender @openit

                                @openit said in Free alternative for OpenDNS, with minimal info on what's going on?:

                                No plans for Pi-Hole.

                                Why not?

                                Considering going with Quad9, since:

                                1. It is free for business (unlike OpenDNS free version)
                                2. No limit (unlike Comodo free version)
                                3. Has at least default blocking (unlike some other DNS services without blocking)

                                Only downside is, no visibility of what's going on and cannot add our rules/policies, fine for free. Adding one layer for free, if budget allows in future, can go with OpenDNS with good control.

                                Only thing I wonder is, everywhere I just see configuring Windows/Linux to use Quad9 as DNS, but how about using it office network wide? Do I just need to tell my DNS Server (Windows server) to forward DNS queries to the Quad9 DNS IP (9.9.9.9) instead of forwarding the DNS queries to the current ISP?
                                @scottalanmiller @JaredBusch @Dashrender @black3dynamite @syko24 @marcinozga @dafyre

                                Correct, the client machines point to AD DNS so you get internal resources same as normal, and your AD DNS servers get their upstream from, in this case, Quad9.

                                You should also configure your firewalls to prevent DNS queries from anything other than your AD DNS servers to prevent users going around you.

                                Be aware though - Firefox (I think) is moving or has moved to DNS over HTTPS and will be going around you on its own. I don't know if they have GPOs/settings to enforce the use of specified DNS servers instead yet or not.

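The firewall rule that both notverypunny and Dashrender describe (only the Pi-hole or the AD DNS servers may send DNS out; everyone else is forced through them) is easy to audit from flow logs. The Python below is an added example, not code from the thread, from Pi-hole or from any vendor: it takes constructed flow records and flags internal hosts that talk DNS (port 53, or 853 for DNS-over-TLS) directly to the Internet. It assumes placeholder values: the internal network is 10.0.0.0/8 and the authorised resolvers are 10.0.0.10 and 10.0.0.11.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Assumed placeholder values: the AD DNS servers (or a Pi-hole) that are the
# only hosts allowed to resolve externally, and the internal address space.
ALLOWED_RESOLVERS = {ipaddress.ip_address("10.0.0.10"),
                     ipaddress.ip_address("10.0.0.11")}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
# Plain DNS and DNS-over-TLS. DNS-over-HTTPS rides on 443 and is
# indistinguishable from web traffic here, which is exactly the Firefox
# caveat raised in the thread.
DNS_PORTS = {53, 853}


@dataclass
class Flow:
    src: IPAddr
    dst: IPAddr
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one 'key=value' flow record, e.g. 'src=10.0.5.23 dst=8.8.8.8 proto=udp dport=53'."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(src=ipaddress.ip_address(fields["src"]),
                dst=ipaddress.ip_address(fields["dst"]),
                proto=fields["proto"].lower(),
                dport=int(fields["dport"]))


def is_bypass(flow: Flow) -> bool:
    """True when an internal host other than an authorised resolver sends DNS outside."""
    return (flow.src in INTERNAL_NET
            and flow.dst not in INTERNAL_NET
            and flow.dport in DNS_PORTS
            and flow.src not in ALLOWED_RESOLVERS)


def find_bypasses(lines: List[str]) -> List[Flow]:
    """Return every flow in the log that violates the resolver-only policy."""
    return [f for f in map(parse_flow, lines) if is_bypass(f)]


# Constructed sample flow log (not real traffic).
SAMPLE_LOG = [
    "src=10.0.0.10 dst=9.9.9.9 proto=udp dport=53",      # AD DNS -> Quad9: allowed
    "src=10.0.5.23 dst=10.0.0.10 proto=udp dport=53",    # client -> AD DNS: fine
    "src=10.0.5.23 dst=8.8.8.8 proto=udp dport=53",      # client going around AD DNS
    "src=10.0.7.4 dst=1.1.1.1 proto=tcp dport=853",      # client using DNS-over-TLS
    "src=10.0.7.4 dst=203.0.113.5 proto=tcp dport=443",  # looks like HTTPS: not flagged
]

if __name__ == "__main__":
    for f in find_bypasses(SAMPLE_LOG):
        print(f"bypass: {f.src} -> {f.dst} {f.proto}/{f.dport}")
```

On the sample log the two flagged flows are the client on 10.0.5.23 querying 8.8.8.8 and the client on 10.0.7.4 using DNS-over-TLS; the 443 flow passes unnoticed, which is why the firewall rule alone does not cover DNS-over-HTTPS.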
                                • Dashrender @Obsolesce

                                  @Obsolesce said in Free alternative for OpenDNS, with minimal info on what's going on?:

                                  @openit said in Free alternative for OpenDNS, with minimal info on what's going on?:

                                  No plans for Pi-Hole.

                                  Considering going with Quad9, since:

                                  1. It is free for business (unlike OpenDNS free version)
                                  2. No limit (unlike Comodo free version)
                                  3. Has at least default blocking (unlike some other DNS services without blocking)

                                  Only downside is, no visibility of what's going on and cannot add our rules/policies, fine for free. Adding one layer for free, if budget allows in future, can go with OpenDNS with good control.

                                  Only thing I wonder is, everywhere I just see configuring Windows/Linux to use Quad9 as DNS, but how about using it office network wide? Do I just need to tell my DNS Server (Windows server) to forward DNS queries to the Quad9 DNS IP (9.9.9.9) instead of forwarding the DNS queries to the current ISP?
                                  @scottalanmiller @JaredBusch @Dashrender @black3dynamite @syko24 @marcinozga @dafyre

                                  How many DNS servers do you have? As in, how many DNS exit points?

                                  I'm curious to know how this is helpful to know?
