HOWTO - Redirect all DNS Requests to Opnsense

[Cypher100]

This tutorial will show you how to force all DNS querys to go through Opnsense router regardless of DNS servers specified on the local system. This will redirect anything going through 53 to the router itself.

Go to Services -> Unbound DNS -> General


Verify that ether ALL is selected or localhost with your LAN is selected.

or


Go to Firewall -> NAT -> Port Forward


Click the add new rule button


Set the following settings below.

Interface: LAN
Protocol: TCP/UDP
Destination / Invert: Checked
Destination: LAN address
Destination Port: DNS
Redirect target IP: 127.0.0.1
Redirect target port: DNS
NAT reflection: Disable

Note: If you have multiple networks, you would have to make a rule for each network. Make sure unbound is listening on the other network interfaces too.

Example for Wireless network:
Interface: Wireless
Protocol: TCP/UDP
Destination / Invert: Checked
Destination: Wireless address
Destination Port: DNS
Redirect target IP: 127.0.0.1
Redirect target port: DNS
NAT reflection: Disable



Here is my setup as a example after adding all the rules.


Now that the port forward rules have been created. We now have to adjust the rules under the firewall to make sure the DNS redirect is hit first.

Go to Firewall -> Rules -> LAN


Move the DNS redirect rule above "Default allow LAN to any rule" rule


Then apply changes, and the final result should look like this.


Notes: If you have multiple interfaces, you would have to move the rule for each interface.

[guest18611]

Hello cypher100,

Thank you very much, exactly what I was looking for! 

Just one question, how can I see that it is working correctly?
Because when I use 8.8.8.8 as manual DNS server everything works (as expected) but I want to see that it is really working in the Logs or somewhere else.

Thank you!

[Cypher100]

Hello cypher100,

Thank you very much, exactly what I was looking for! 

Just one question, how can I see that it is working correctly?
Because when I use 8.8.8.8 as manual DNS server everything works (as expected) but I want to see that it is really working in the Logs or somewhere else.

Thank you!

I added yahoo.com pointing to 127.0.0.1 as a host override. Then on my windows computer I use the command "nslookup yahoo.com 8.8.8.8" to see if it resolves to 127.0.0.1. Using nslookup should bypass any DNS cache on your local computer, but if it doesn't I ran ipconfig /flushdns before running the nslookup command.

[jmp20]

Thank you, this process worked well for me. I guess advanced options had a lot to do with it and no other posted mentioned such important part of the setup : /
Best!!

[chris42]

How would this work on ipv6? I tried to mimic the NAT rules for ipv6, however then the DNS queries fail completely

[Wired Life]

I try to redirect to a dns server inside the lan with this rule

But it doesnt work
please help

[P-Kalk]

Thank you, tested whit nslookup and works great.

[GDixon]

  from chris42

How would this work on ipv6? I tried to mimic the NAT rules for ipv6, however then the DNS queries fail completely

Excellent question what would be the destination for IPv6 or what is the equivalent to 127.0.0.1 for IPv6?

would it be ::1 for the loopback like 127.0.0.1 is for IPv4 loopback?

[Ciprian]

Also, pay attention to non-standard DNS ports used by public DNS servers, ports like 5353, 9953 and alike... And for DNS-over-TLS the standard port is 853.

A really tech savvy user will bypass your forced DNS redirection anyway!

[p1n0ck10]

  from chris42

How would this work on ipv6? I tried to mimic the NAT rules for ipv6, however then the DNS queries fail completely

Excellent question what would be the destination for IPv6 or what is the equivalent to 127.0.0.1 for IPv6?

would it be ::1 for the loopback like 127.0.0.1 is for IPv4 loopback?

Normally ::1 is the IPv6-localhost-Address. I must configure the IPv6-Address of the Interface (created an Alias) instead of ::1 in the NAT Rule and then it works. The clients resolves DNS-Records even if using his own IPv6-DNS-Servers.

I tested this with my Android Phone. This has the App DNSChanger installed
https://play.google.com/store/apps/details?id=com.frostnerd.dnschanger
with this App you can use other DNS-Server. With the IPv6 DNS NAT Rule you can farther resolve your own DNS-Records in the Override Tab from Unbound DNS. Normally when using a external DNS-Server you can't resolve internal DNS-Records.

[dave]

Normally ::1 is the IPv6-localhost-Address. I must configure the IPv6-Address of the Interface (created an Alias) instead of ::1 in the NAT Rule and then it works. The clients resolves DNS-Records even if using his own IPv6-DNS-Servers.

Hey p1n0ck10, could you go in to a little more detail regarding this?

NAT redirects now use floating rules when the rule's running across multiply interfaces.

You saying I'm going to have to create individual rules & aliases for each interfaces ipv6 address?

Currently I've got a floating ipv6 NAT rule redirecting to ::1, and it's clearly not working.

[ChrisChros]

This tutorial will show you how to force all DNS querys to go through Opnsense router regardless of DNS servers specified on the local system. This will redirect anything going through 53 to the router itself.

Hi Cypher,
will this procedure also work for an DNS-Server, e.g. Pi-Hole, within my environment when I fill in the IP of Pi-Hole instead of 127.0.0.1 to the NAT rules?

Regards Chris

[mayo]

This tutorial will show you how to force all DNS querys to go through Opnsense router regardless of DNS servers specified on the local system. This will redirect anything going through 53 to the router itself.

Hi Cypher,
will this procedure also work for an DNS-Server, e.g. Pi-Hole, within my environment when I fill in the IP of Pi-Hole instead of 127.0.0.1 to the NAT rules?

Regards Chris

Have the same question.

[vpn]

Hi, so not sure I am doing this right but trying to re-direct all DNS queries to OPNsense as even thought I have my SmartTV set to this (GW of .1), it still ends up going to google (8.8.8.. All other devices on the network are fine and use their default GW for DNS.

Here is how I have the NAT port forwarding setup.

[ChrisChros]

This tutorial will show you how to force all DNS querys to go through Opnsense router regardless of DNS servers specified on the local system. This will redirect anything going through 53 to the router itself.

Hi Cypher,
will this procedure also work for an DNS-Server, e.g. Pi-Hole, within my environment when I fill in the IP of Pi-Hole instead of 127.0.0.1 to the NAT rules?

Regards Chris

Have the same question.

I have now set my Pi-Hole IP instead of 127.0.0.1 to the NAT rules and it looks like its working