OPNsense Forum

English Forums => General Discussion => Topic started by: Vexz on September 14, 2022, 09:23:21 AM

Title: Force use OPNsense DNS server for every device
Post by: Vexz on September 14, 2022, 09:23:21 AM
I installed AdGuard Home on my OPNsense and now I want to force every device in my LAN to use it for DNS queries. One of my devices uses Google's DNS server (8.8.8.8), probably because it's hard coded somewhere. The DNS server in DHCP settings is set correctly.
I've been trying around to create a port forward NAT rule that forces every packet with destination port 53 to go to my AdGuard Home but it just won't work no matter what I try. When I (for example) set Cloudflare's DNS servers in my IP configuration on my Windows machine it always skips AdGuard Home.

So how do I have to configure this NAT rule to make it work for IPv4 and IPv6?
Title: Re: Force use OPNsense DNS server for every device
Post by: tiermutter on September 14, 2022, 10:00:39 AM
That is because not every DNS request uses port 53... There is also DoT and DoH. Maybe this will explain it: https://forum.opnsense.org/index.php?topic=30066.msg145197#msg145197
Title: Re: Force use OPNsense DNS server for every device
Post by: Vexz on September 14, 2022, 10:03:02 AM
Quote from: tiermutter on September 14, 2022, 10:00:39 AM
That is because not every DNS request uses port 53... There is also DoT and DoH. Maybe this will explain it: https://forum.opnsense.org/index.php?topic=30066.msg145295#msg145295
Yes, I know that. But I specifically saw an entry in the live view destined to 8.8.8.8 with port 53. So I want every packet with destination port 53 to be destined to AGH on my OPNsense.
Title: Re: Force use OPNsense DNS server for every device
Post by: tiermutter on September 14, 2022, 10:19:08 AM
So what does your config look like? NAT and FW rule...
Title: Re: Force use OPNsense DNS server for every device
Post by: Vexz on September 14, 2022, 10:41:38 AM
My OPNsense has 8 NICs.
igb0: WAN
igb1 - igb7: LAN (bridge called "Switch")


NAT (Port Forward)
Interface: Switch (info see above)
Proto: TCP/UDP
Source Address: *
Source Ports: *
Destination Address: !RFC1918
Destination Port: 53
NAT IP: OPNsense (Alias with the OPNsense's IPv4 + IPv6 of "Switch" bridge)
NAT Ports: 53


Firewall Rule for Switch (automatically generated)
Protocol: IPv4+IPv6 TCP/UDP
Source IP: *
Source Port: *
Destination: OPNsense (Alias explained above)
Destination Port: 53
Title: Re: Force use OPNsense DNS server for every device
Post by: tiermutter on September 14, 2022, 10:59:52 AM
RFC1918 is an alias? What does it contain? Try out setting "!This Firewall"
Title: Re: Force use OPNsense DNS server for every device
Post by: Vexz on September 14, 2022, 11:07:16 AM
Quote from: tiermutter on September 14, 2022, 10:59:52 AM
RFC1918 is an alias? What does it contain? Try out setting "!This Firewall"
Yes. I thought it's self-explanatory.

Alias "RFC1918":
192.168.0.0/16
10.0.0.0/8
172.16.0.0/12
100.64.0.0/10
127.0.0.0/8


I already tried "!This Firewall" but got the same result. :(
Title: Re: Force use OPNsense DNS server for every device
Post by: tiermutter on September 14, 2022, 11:16:27 AM
Quote from: Vexz on September 14, 2022, 11:07:16 AM
Yes. I thought it's self-explanatory.
Yes it is, but it's not clear what's really inside :)

Set the OPNsense IP as redirect target IP instead of an alias. Now I see that the alias contains a v6 address; this will not work. You have to configure two redirect rules, one for v4 and one for v6.
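What the last reply amounts to, written out as the pf rules behind the OPNsense port forward. This is an added example, not rules from the thread or from OPNsense itself; the bridge name bridge0, the firewall addresses 192.168.1.1 and fd00:1::1, and AdGuard Home listening on port 53 on those addresses are assumptions.

```pf
# Constructed example. Assumed: LAN bridge "bridge0", firewall LAN addresses
# 192.168.1.1 / fd00:1::1, AdGuard Home answering on port 53 on both.
lan_if = "bridge0"
fw_v4  = "192.168.1.1"
fw_v6  = "fd00:1::1"
table <rfc1918> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 100.64.0.0/10, 127.0.0.0/8 }

# What the single rule with a mixed v4+v6 alias as target asks pf to do.
# pf cannot rewrite an IPv6 packet to an IPv4 target or vice versa, so this
# does not redirect as intended. Left commented out on purpose.
# rdr on $lan_if proto { tcp, udp } from any to ! <rfc1918> port 53 -> { $fw_v4, $fw_v6 } port 53

# Working form: one redirect rule per address family.
# IPv4: any port-53 packet not already headed to a private address (which
# includes the firewall itself) is sent to AdGuard Home on the firewall.
rdr on $lan_if inet  proto { tcp, udp } from any to ! <rfc1918> port 53 -> $fw_v4 port 53
# IPv6: exclude the firewall's own address so queries that already target
# AdGuard Home are not redirected a second time.
rdr on $lan_if inet6 proto { tcp, udp } from any to ! $fw_v6 port 53 -> $fw_v6 port 53

# Matching pass rules (OPNsense generates these when the port forward is
# created with the associated firewall rule enabled).
pass in quick on $lan_if inet  proto { tcp, udp } from any to $fw_v4 port 53
pass in quick on $lan_if inet6 proto { tcp, udp } from any to $fw_v6 port 53

# Not covered here: DoT (853) and DoH (443) do not use port 53, so a client
# using those will still bypass AdGuard Home, as noted earlier in the thread.
```

To check the result from a LAN host, query a public resolver directly (for example `dig @8.8.8.8 example.com`) and confirm the query appears in the AdGuard Home query log; the client will still see 8.8.8.8 as the responder because rdr rewrites only the destination.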