OPNsense Forum

Archive => 23.7 Legacy Series => Topic started by: seion on August 31, 2023, 03:29:08 PM

Title: Intercept External DNS Request - SOLVED
Post by: seion on August 31, 2023, 03:29:08 PM
So here is my current setup:
- OPNSense, latest version
- Unbound Turned OFF
- AdGuardHome Plugin on OPNSense running on 53

I have 2 rules to BLOCK any 53/853 traffic that is not "This Firewall" which worked just fine. (See screenshot with 2 rules attached).

My issue is that random stuff in my house won't work because they are hard-coding Google DNS into them. So my idea was to intercept those requests and point them to my internal DNS (AdGuardHome). So I looked it up in Google and a couple of pages showed how to set up a port forward rule to redirect 53 to 127.0.0.1. I set this up but I cannot get it to work.

When I do a `nslookup google.com 8.8.8.8` it times out.

Attached are some screenshots of my rules, I left the blocks in place but put them after the redirect rule. If anyone has some ideas on how to get this to work, please let me know.

Title: Re: Intercept External DNS Request
Post by: cookiemonster on August 31, 2023, 05:31:47 PM
Try redirecting it to the IP address of the interface. So say this is the LAN and the IP of it is 192.168.10.1, then that's what you redirect to. Otherwise post the output of "sockstat -l" (that is an uncapitalized "L"), which needs sudo.
What we're after is which IP has a DNS listener.
Title: Re: Intercept External DNS Request
Post by: seion on August 31, 2023, 09:10:05 PM
This fixed the issue. I changed the port forward to forward to the LAN router address (11.12.13.1) and also ran the sockstat:

root@SeionRouter:~ # sockstat -l | grep :53
root     AdGuardHom 77597 15 udp4   11.12.13.1:53         *:*
root     AdGuardHom 77597 21 tcp4   11.12.13.1:53         *:*

I was also having an issue with domains resolving directly from the router shell (pkg update was not working) and I think it's the same reason.

Is there a way to make it work so that 127.0.0.1 works? The /etc/resolv.conf is pointing to itself and that won't work for the same reasons as in this original post. Make AdGuardHome listen on all interfaces (except WAN??)
Title: Re: Intercept External DNS Request
Post by: Patrick M. Hausen on August 31, 2023, 09:20:53 PM
I have AGH listen on 127.0.0.1 and NAT port forward rules on each interface where clients use AGH.
Title: Re: Intercept External DNS Request
Post by: seion on August 31, 2023, 09:24:25 PM
I'll start digging into AGH on how to change what IP it's listening on, unless you can tell me pretty quickly lol
Title: Re: Intercept External DNS Request
Post by: seion on August 31, 2023, 09:41:57 PM
Figured it out. The files are in /usr/local/AdGuardHome and I updated the YAML file to bind to 0.0.0.0, and that fixed my package problem and my other problem. Thanks all
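As an added check (not code from this thread, OPNsense or AdGuardHome): a small POSIX shell helper that parses `sockstat -l` output and tells whether the address a port forward redirects to actually has a port-53 listener, which is what was going wrong with the 127.0.0.1 target above. The sample output is constructed from the lines posted earlier in the thread; a bind to 0.0.0.0 shows up in sockstat as `*:53` and is treated as matching any target.

```shell
#!/bin/sh
# Constructed sample of `sockstat -l | grep :53`, modelled on the thread:
# AdGuardHome bound only to the LAN address 11.12.13.1.
SAMPLE_SOCKSTAT='root     AdGuardHom 77597 15 udp4   11.12.13.1:53         *:*
root     AdGuardHom 77597 21 tcp4   11.12.13.1:53         *:*'

# dns_listeners [SOCKSTAT_OUTPUT]
# Prints each distinct local address that has a TCP/UDP listener on port 53.
# Reads live `sockstat -l` output (needs root) when no text is given.
dns_listeners() {
    out="${1:-$(sockstat -l 2>/dev/null)}"
    printf '%s\n' "$out" | awk '
        $5 ~ /^(tcp|udp)/ && $6 ~ /:53$/ {
            addr = $6; sub(/:53$/, "", addr); print addr
        }' | sort -u
}

# dns_listener_ok TARGET_IP [SOCKSTAT_OUTPUT]
# Returns 0 when a port-53 listener would accept traffic redirected to
# TARGET_IP: bound to that exact address, or to the wildcard "*" (0.0.0.0).
dns_listener_ok() {
    target="$1"
    out="${2:-$(sockstat -l 2>/dev/null)}"
    printf '%s\n' "$out" | awk -v t="$target" '
        $5 ~ /^(tcp|udp)/ && $6 ~ /:53$/ {
            addr = $6; sub(/:53$/, "", addr)
            if (addr == t || addr == "*") { found = 1 }
        }
        END { exit found ? 0 : 1 }'
}

# Demo against the constructed sample: 127.0.0.1 has no listener, the LAN
# address does. On a real firewall drop the second argument to query live.
for ip in 127.0.0.1 11.12.13.1; do
    if dns_listener_ok "$ip" "$SAMPLE_SOCKSTAT"; then
        echo "$ip: DNS listener present, safe as a redirect target"
    else
        echo "$ip: no DNS listener, a port forward to it will time out"
    fi
done
```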