Hi,
I set up DNS enforcement on my OPNsense home network to force all devices through my local Unbound resolver (with blocklists), regardless of their configured DNS server.
Setup:
- LAN firewall rules: pass DNS to OPNsense, block DNS to anywhere else, block DoT (port 853)
- Destination NAT rule redirecting all port 53 traffic to OPNsense (self)
Problem:
Computers, VMs and Docker containers already using OPNsense as their DNS server started experiencing intermittent timeouts. The NAT redirect was intercepting their queries (already correctly destined for OPNsense) and creating a redirect loop.
Fix:
Added a "no redirect" NAT rule, matching DNS traffic already destined for OPNsense, before the destination NAT rule redirecting all port 53 traffic to OPNsense.
Final NAT order:
- No redirection for DNS already targeting OPNsense
- Redirect everything else to OPNsense
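As an added illustration (not the original poster's configuration), here are pf rules equivalent to the final setup described above, written by hand so the ordering is visible; OPNsense generates its own ruleset from the GUI, where the "no redirect" rule is the "No RDR (NOT)" option and the "!" destination is "invert destination". The interface name, subnet and firewall address are assumptions for the example.

```pf
# Added example: pf rules matching the final OPNsense DNS-enforcement setup.
# Assumptions (not from the post): LAN interface igc1, firewall LAN address 192.168.1.1/24.
lan_if  = "igc1"
lan_net = "192.168.1.0/24"
fw_dns  = "192.168.1.1"

# --- NAT (evaluated before filtering; the first matching rdr rule wins) ---

# 1. Queries already addressed to the firewall must not be rewritten. Without
#    this rule they are redirected to the address they already carry, which is
#    the redirect loop that gave clients using OPNsense as resolver timeouts.
no rdr on $lan_if inet proto { tcp udp } from $lan_net to $fw_dns port 53

# 2. Every other port 53 flow is transparently sent to the local Unbound.
#    "! $fw_dns" is what the GUI's "invert destination" checkbox produces.
rdr on $lan_if inet proto { tcp udp } from $lan_net to ! $fw_dns port 53 -> $fw_dns port 53

# --- Filtering (sees the post-rdr destination) ---

# Allow DNS to the firewall's own resolver.
pass in quick on $lan_if inet proto { tcp udp } from $lan_net to $fw_dns port 53

# Block plain DNS and DoT (853) to anything else. For port 53 this is rarely
# reached after the rdr above, but it catches anything the rdr does not cover.
block in quick on $lan_if inet proto { tcp udp } from $lan_net to any port { 53 853 }
```

To check the result from a LAN client, a query aimed at an external resolver (for example `dig @9.9.9.9 example.com`) should still get an answer, served by Unbound, and a name on the blocklist should return Unbound's block response rather than the real record; a connection to port 853 on an external resolver should be refused. Note that this is port-based enforcement only: DNS over HTTPS on port 443 is not touched by these rules and needs a separate approach.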
What did/does your redirect rule look like, exactly?
My guess is you have been filtering ALL DNS TRAFFIC instead of just DNS traffic that isn't going to OPNsense?
Hey nero355,
You're right, I did not see the "invert destination" option. Now I did check it and specified my firewall.
Thanks to you, I had a better look at it!
Quote from: TarteTatin on April 20, 2026, 07:08:22 PM
You're right, I did not see the "invert destination" option. Now I did check it and specified my firewall.
Thanks to you, I had a better look at it!
COOL! :)