Hello, and TIA for your help. I'm quite new to OPNsense and I still have trouble understanding rules.
We have 2 DNS servers in our LAN as follows:
1.- 192.168.40.254, our OPNsense firewall, resolving the LAN domain and the Internet querying 1.1.1.1 and 1.0.0.1 (opnsense system DNS)
2.- 192.168.40.11, in our main DC server, resolving AD and LAN domains, and the Internet as well through queries to 192.168.40.254
We have a firewall rule blocking all queries from LAN to any internet DNS server. However, for those devices (mostly mobile phones and tablets) that do not like to follow our DHCP rules and connect to whatever DNS server their maker wants to, I'd like to create a Redirect rule that takes them to 192.168.40.254. However, all the howtos I've seen would not respect queries done to 192.168.40.11, redirecting by default all queries, no matter where they are sent, to 192.168.40.254.
In short, what I need is a rule in my LAN so that all queries that don't go to either 192.168.40.254 or 192.168.40.11 go to 192.168.40.254.
Could anyone please help me with this?
TIA
Ignacio
Quote from: ignasi on February 07, 2025, 01:25:56 PM
> In short, what I need is a rule in my LAN so that all queries that don't go to either 192.168.40.254 or 192.168.40.11 go to 192.168.40.254.

So create an alias, say "myDNSservers", and add both DNS servers to it.
Then edit the port forwarding rule, at destination check "invert" and enter the alias below.
Now this rule is only applied to any other destination.
However, I doubt that this will lead your mobile devices to use your local DNS server. I suspect they use DNS over HTTPS (DoH). You can only prohibit this by blocking access to DoH servers. There are feeds on the internet with server IPs, which you can use in block rules.
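As an added illustration (not OPNsense's own generated configuration, and not code from either poster), this is the pf logic that the alias plus inverted-destination port forward described above expresses. It assumes the LAN interface is named `lan` and that the DoH block list is loaded from a placeholder file path.

```pf
# Alias "myDNSservers": the two legitimate internal resolvers from the thread.
table <myDNSservers> { 192.168.40.254, 192.168.40.11 }

# Placeholder for the DoH server feed (a URL-table alias in the GUI);
# the file path here is an assumption, not a real feed.
table <DoHservers> persist file "/path/to/doh-servers.txt"

# Port forward on LAN: plain DNS (TCP/UDP 53) to any destination NOT in the
# alias ("invert" checked in the GUI) is redirected to the firewall resolver.
# Queries already addressed to 192.168.40.254 or 192.168.40.11 do not match
# and are left untouched.
rdr on lan inet proto { tcp, udp } from lan:network to ! <myDNSservers> port 53 -> 192.168.40.254 port 53

# Queries to the two legitimate resolvers pass unchanged.
pass in quick on lan inet proto { tcp, udp } from lan:network to <myDNSservers> port 53

# DoH does not use port 53, so the redirect above never sees it; the only
# lever is blocking the known DoH endpoints on HTTPS.
block in quick on lan inet proto tcp from lan:network to <DoHservers> port 443

# The existing "LAN to any internet DNS" block stays as a backstop for anything
# that is neither redirected nor explicitly passed.
block in quick on lan inet proto { tcp, udp } from lan:network to any port 53
```

A quick way to confirm the redirect is working from a LAN client is to resolve a LAN-only name while pointing at an external resolver (for example `dig @9.9.9.9 somehost.yourlandomain`): if it answers with the internal address, the query was redirected to 192.168.40.254.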
Quote from: viragomann on February 07, 2025, 02:03:50 PM
> Quote from: ignasi on February 07, 2025, 01:25:56 PM
> > In short, what I need is a rule in my LAN so that all queries that don't go to either 192.168.40.254 or 192.168.40.11 go to 192.168.40.254.
>
> So create an alias, say "myDNSservers", and add both DNS servers to it.
> Then edit the port forwarding rule, at destination check "invert" and enter the alias below.
> Now this rule is only applied to any other destination.
> However, I doubt that this will lead your mobile devices to use your local DNS server. I suspect they use DNS over HTTPS (DoH). You can only prohibit this by blocking access to DoH servers. There are feeds on the internet with server IPs, which you can use in block rules.
Thanks so much for your help. Yes. I've already got a list of DoH servers.
Regards,
Ignacio