I am running pfSense with BIND installed. On that machine, for a subnet of devices, I want the requests to go to OpenDNS and add my own records that would take precedence over OpenDNS. For the rest of the devices, I want to use Cloudflare's DNS (while keeping DHCP DNS entries / own records). I do not have to use BIND, but it seems like Unbound does not support it.

Important: I will not set the DNS servers individually per device! It must be automatic based on the subnet the devices are in.

So far: I have two ACLs (one for the LAN subnet, and another for the VPN subnet) and a view corresponding to each one of them. I have two zones (local.lan and vpn.lan) which have the domain names of each device on the subnets. I have an additional zone that handles forwarding for the VPN subnet view.

TL;DR: I want to have some devices use OpenDNS and some devices use Cloudflare based on IP address / subnet. I want to have the functionality of adding own entries (eg get google.com to point to localhost).

  if the subs are on different PFSense interfaces, I believe you can set up a different DHCP server instance on each, with a different pool and different settings for DNS. docs.netgate.com/pfsense/en/latest/dhcp/dhcp-server.html then point the devices to your bind zones, and implement forwarding to the OpenDNS or Cloudflare DNS depending. you will likely need to have multiple bind instances though, since non-zone based forwarding is global in nature.
  I can, but that does not allow me to add my own DNS entries on top of both OpenDNS and Cloudflare.
    – E.T.
    Commented Jul 22, 2020 at 22:34
  you said you had bind zones, so it sounds like you already have bind forwarding established. the issue here is that you will need a second instance of bind for each, since forwarding is global unless its a forward on a specific zone.
  I am forwarding by zone. My question is how to add additional hosts that take precedence over the forwarding.
    – E.T.
    Commented Jul 22, 2020 at 22:58
  forwarding works by attempting to resolve the query against the servers zones, and if it is not resolved, it sends the request upstream to another server. Forwarding by zone means that only queries for domains in that zone will activate the forwarding behavior, so unless you are hosting a zone for *.google.com, queries for mail.google.com would never activate your forwarding rule. a global rule in named.conf.options however could redirect all unresolved traffic to a upstream server. that means that you can resolve a domain locally and take precedence that way.

Alright, thanks to Frank Thomas in the comments, I was able to figure it out. In the end, I used RPZ with ACL + Views to get it done. I followed these links to figure it out: https://www.isc.org/docs/BIND_RPZ.pdf, https://www.isc.org/rpz/, and https://www.linuxbabe.com/redhat/response-policy-zone-rpz-bind-centos.

Here is what my configuration ended up like:

I created two ACLs: One for my VPN subnet and one for my LAN subnet.

acl "LAN" {; };
acl "VPN" {; };

The last number in the subnet has to be 0 (depending on your netmask, more depth of zeros will be needed) otherwise BIND throws a fit.

Then, I created two views: one for VPN and one for LAN.

view "VPN" { 
    recursion yes;
    match-clients { VPN; };
    allow-recursion { VPN; };
    response-policy {
        zone "rpz.vpn.lan";
    forwarders {;;

    zone "vpn.lan" {
        type master;
        file "/etc/namedb/master/VPN/vpn.lan.DB";
        allow-query { any; };
        allow-transfer { none; };
        allow-update { localhost; localnets; };

    zone "rpz.vpn.lan" {
        type master;
        file "/etc/namedb/master/VPN/rpz.vpn.lan.DB";
        allow-query { localhost; localnets; };
        allow-transfer { localhost; localnets; };
        allow-update { localhost; localnets; };

    zone "." {
        type hint;
        file "/etc/namedb/named.root";

view "LAN" { 
    recursion yes;
    match-clients { LAN; };
    allow-recursion { any; };

    zone "local.lan" {
        type master;
        file "/etc/namedb/master/LAN/local.lan.DB";
        allow-query { any; };
        allow-transfer { none; };
        allow-update { localhost; localnets; };

    zone "." {
        type hint;
        file "/etc/namedb/named.root";


And to finalize the RPZ, I created the zone rpz.vpn.lan:

$ORIGIN rpz.vpn.lan.

;   Database file rpz.vpn.lan.DB for rpz.vpn.lan zone.
;   Do not edit this file!!!
;   Zone version 2595524218
rpz.vpn.lan.     IN  SOA pfsense.vpn.lan.    zonemaster.rpz.vpn.lan. (
        2595524218 ; serial
        1d ; refresh
        2h ; retry
        4w ; expire
        1h ; default_ttl

; Zone Records
@    IN NS  pfsense.vpn.lan.
@    IN A
pfsense.vpn.lan      IN A
redis.io     IN CNAME   .

I used redis.io as a test to check if it worked.

Also added DHCP zones:

For the VPN subnet:

$TTL 7200
$ORIGIN vpn.lan.

;   Database file vpn.lan.DB for vpn.lan zone.
;   Do not edit this file!!!
;   Zone version 2595447119
vpn.lan.     IN  SOA pfsense.vpn.lan.    zonemaster.vpn.lan. (
        2595447119 ; serial
        1d ; refresh
        2h ; retry
        4w ; expire
        1h ; default_ttl

; Zone Records
@    IN NS  pfsense.vpn.lan.
@    IN A
pfsense      IN A

And for the LAN:

$TTL 7200
$ORIGIN local.lan.

;   Database file local.lan.DB for local.lan zone.
;   Do not edit this file!!!
;   Zone version 2595445239
local.lan.   IN  SOA pfsense.local.lan.      zonemaster.local.lan. (
        2595445239 ; serial
        1d ; refresh
        2h ; retry
        4w ; expire
        1h ; default_ttl

; Zone Records
@    IN NS  pfsense.local.lan.
@    IN A
pfsense      IN A

(Note that some ACLs and files are not shown for brevity)

