DNS Forwarder / Resolver Query

Started by Heathy65, November 06, 2017, 10:27:15 PM

I have a gap in my understanding in relation to DNS on OPNsense...

I'm using Dnsmasq with DNS Forwarder enabled. As I understand it (because I have set the OPNsense DHCP DNS server to be my OPNsense IP address), this will mean that my clients using DHCP will use OPNsense to resolve, and it in turn will use the addresses in System/Settings/General?

All the above is fine to me, but what I'd like to understand is this: if I have a static (non-DHCP) client and I set it to use some other public DNS server, will that be honoured, or does OPNsense "catch" the UDP/53 request and rewrite it to use the forwarder? Assuming this is not the case, how could I configure this?

Also, a separate question: when using DHCP, if I set a different DNS server for a specific lease, will that override the default configuration?

Thanks in advance.

November 07, 2017, 11:16:52 AM #1 Last Edit: November 07, 2017, 11:25:30 AM by BertM
Heathy65,

OPNsense does not catch UDP port 53 unless it is specifically targeted at the OPNsense address.
This means that computers in your LAN will use whatever DNS server they are configured to use.

Now about DHCP.
Let's assume Dnsmasq DNS forwarder or Unbound DNS resolver is enabled and no DNS server addresses are configured in the DHCP service or Static ARP for specific clients.
In this case, the DHCP clients get the IP address of the OPNsense interface configured as DNS server, and any DNS queries will be handled by Dnsmasq or Unbound.

The difference between Dnsmasq and Unbound is that Dnsmasq will forward all DNS queries to the upstream DNS servers (the ones that are configured at System ==> Settings ==> General) and not cache the result, while Unbound will also query the upstream DNS servers just like Dnsmasq, but will also store the result in a local cache for faster serving of subsequent similar queries.

If any DNS servers are configured in the DHCP configuration, this will override the default and the DHCP clients will get the DNS servers configured as they are in the DHCP server config.

If any DNS servers are configured in any static ARP entries, this will override the default as well as the settings in the DHCP server, and the DHCP clients that are specified by the ARP entries will get the DNS servers as they are configured in the static ARP entries.

Kind regards,
Bert


Thanks, BertM, for the comprehensive reply.

The reason I asked this is that I'm in the UK and am having issues with my SkyQ TV box since using OPNsense. I've looked at a .cap trace, and this box is performing DNS queries towards 90.207.238.97 to resolve drm.sky.com & connectivity.sky.com; the problem is that 90.207.238.97 is not responding. Having Googled it, it seems this is a DNS server for Sky broadband (and I don't have that).

So I need to intercept the DNS query from my SkyQ box and point it at my OPNsense DNS server which is resolving those queries ok.

Even when I manually set the DNS server in the SkyQ box to be my OPNsense LAN IP, I still see a DNS request towards 90.207.238.97.

Any idea what firewall rule I'd need to achieve this?

Ah, sussed it (with ref. to https://doc.pfsense.org/index.php/Redirecting_all_DNS_Requests_to_pfSense):

NAT / Port Forward
Interface: LAN
Prot: TCP/UDP
Source: SkyQ (an alias)
Dest. Invert: Yes
Dest: LAN address
Dest Port: 53
Redirect Target IP: 127.0.0.1
Redirect Target Port: 53

And SkyQ is instantly working :-)
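To make the behaviour of that port-forward entry concrete, here is an added illustration (not OPNsense or pf code, and not from the poster): a small model of how a pf rdr rule built from those GUI fields matches a packet and rewrites its destination. It shows what "Dest. Invert: Yes" does, why the rule leaves queries already aimed at OPNsense alone, and which traffic it does not catch (hosts outside the alias, DNS over TLS on 853). The LAN address 192.168.1.1, the alias member 192.168.1.50 and the other client addresses are constructed examples; the redirect target assumes the local Dnsmasq/Unbound is listening on 127.0.0.1.

```python
"""Model of the NAT / Port Forward (pf rdr) rule from the post.

Added illustration, not OPNsense or pf code. It mimics how the rule
built from the GUI fields (Interface, Protocol, Source alias, inverted
Destination, Destination port, Redirect target) matches a packet and
rewrites its destination. All addresses are constructed examples.
"""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, ip_address

LAN_ADDRESS = ip_address("192.168.1.1")                       # assumed OPNsense LAN IP
ALIASES = {"SkyQ": frozenset({ip_address("192.168.1.50")})}   # constructed alias members


@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet arrives on ("lan", "wan", ...)
    proto: str          # "tcp" or "udp"
    src: IPv4Address
    dst: IPv4Address
    dport: int


def mk(iface: str, proto: str, src: str, dst: str, dport: int) -> Packet:
    """Build a Packet from string addresses (convenience for the demo)."""
    return Packet(iface, proto, ip_address(src), ip_address(dst), dport)


@dataclass(frozen=True)
class RdrRule:
    iface: str
    protos: frozenset
    src_alias: str
    dst: IPv4Address
    dst_invert: bool
    dport: int
    target: IPv4Address
    target_port: int

    def matches(self, pkt: Packet) -> bool:
        if pkt.iface != self.iface or pkt.proto not in self.protos:
            return False
        if pkt.src not in ALIASES[self.src_alias]:
            return False
        dst_hit = pkt.dst == self.dst
        if self.dst_invert:
            dst_hit = not dst_hit   # "Dest. Invert: Yes": everything EXCEPT the LAN address
        return dst_hit and pkt.dport == self.dport

    def apply(self, pkt: Packet) -> Packet:
        """Return the packet as the firewall passes it on (rewritten or untouched)."""
        if not self.matches(pkt):
            return pkt
        return replace(pkt, dst=self.target, dport=self.target_port)


# The rule from the post, as the GUI fields map onto it.
DNS_REDIRECT = RdrRule(
    iface="lan",
    protos=frozenset({"tcp", "udp"}),
    src_alias="SkyQ",
    dst=LAN_ADDRESS,
    dst_invert=True,
    dport=53,
    target=ip_address("127.0.0.1"),   # local Dnsmasq/Unbound, assumed to listen on localhost
    target_port=53,
)

# Same rule with "Dest. Invert" forgotten: it then only matches queries that were
# already aimed at OPNsense, so the box's hard-coded resolver is never caught.
DNS_REDIRECT_NO_INVERT = replace(DNS_REDIRECT, dst_invert=False)


def where_does_it_go(pkt: Packet, rule: RdrRule = DNS_REDIRECT) -> str:
    """Destination after NAT as 'ip:port', e.g. '127.0.0.1:53'."""
    out = rule.apply(pkt)
    return f"{out.dst}:{out.dport}"


def demo() -> dict:
    cases = {
        # Caught: the box's query to the unresponsive Sky resolver lands on the local forwarder.
        "skyq_udp_to_sky_dns": mk("lan", "udp", "192.168.1.50", "90.207.238.97", 53),
        "skyq_tcp_to_public": mk("lan", "tcp", "192.168.1.50", "8.8.8.8", 53),
        # Left alone: a query already aimed at OPNsense is excluded by the invert.
        "skyq_to_opnsense": mk("lan", "udp", "192.168.1.50", "192.168.1.1", 53),
        # Not caught: a host outside the SkyQ alias keeps its chosen resolver.
        "other_host_to_public": mk("lan", "udp", "192.168.1.20", "8.8.8.8", 53),
        # Not caught: DNS over TLS (853) is not port 53; neither is DoH on 443.
        "skyq_dot": mk("lan", "tcp", "192.168.1.50", "1.1.1.1", 853),
    }
    return {name: where_does_it_go(pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, dest in demo().items():
        print(f"{name:24} -> {dest}")
```

The last two cases are the practical caveat: the rule only transparently catches plain port-53 DNS from the aliased hosts, so a client that speaks DNS over TLS or HTTPS, or a host not in the alias, still bypasses the local forwarder. Widening Source to the whole LAN net makes it the "catch all LAN DNS" rule the pfSense article describes.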

Quote from: Heathy65 on November 08, 2017, 12:14:58 AM
Ah sussed it (with ref. to https://doc.pfsense.org/index.php/Redirecting_all_DNS_Requests_to_pfSense)

NAT / Port Forward
Interface: LAN
Prot: TCP/UDP
Source: SkyQ (an alias)
Dest. Invert: Yes
Dest: LAN address
Dest Port: 53
Redirect Target IP: 127.0.0.1
Redirect Target Port: 53

And SkyQ is instantly working :-)

This is the best way to configure DNS so that all DNS queries from the LAN to third-party public DNS servers are redirected (caught, as you said) to the OPNsense gateway. It is especially useful if you are using, e.g., OpenDNS for filtering web content and you don't want LAN users to be able to circumvent your DNS filtering by setting manual public DNS resolvers in their clients' settings.

Cheers! :)

Unbound will not use the system DNS servers unless forward mode is used. It's a full resolver talking to the DNS root servers. That is the key difference between Dnsmasq and Unbound.


Cheers,
Franco