OPNsense Forum

English Forums => 26.1, 26.4 Series => Topic started by: TarteTatin on April 20, 2026, 11:03:21 AM

Title: Enforcing DNS through OPNsense - NAT redirect issue and fix
Post by: TarteTatin on April 20, 2026, 11:03:21 AM
Hi,

I set up DNS enforcement on my OPNsense home network to force all devices through my local Unbound resolver (with blocklists), regardless of their configured DNS server.

Setup:

Problem:
Computers, VMs and Docker containers already using OPNsense as their DNS server started experiencing intermittent timeouts. The NAT redirect was intercepting their queries (already correctly destined for OPNsense) and creating a redirect loop.

Fix:
Added a "no redirect" NAT rule, matching DNS traffic already destined for OPNsense, before the destination NAT rule redirecting all port 53 traffic to OPNsense.

Final NAT order:
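
Added example, not part of the original post: the two rule orders described above written in raw pf(4) syntax (OPNsense generates its own rules from the GUI, so treat this as an illustration of the ordering, not as something to paste into the firewall). The interface name and address macros are assumptions.

```pf
# Assumed macros (hypothetical values, adjust for your LAN)
lan_if   = "igc1"
lan_net  = "192.168.1.0/24"
lan_addr = "192.168.1.1"   # OPNsense LAN address, where Unbound listens

# --- Problematic order: a single catch-all redirect ---
# This also matches queries already addressed to $lan_addr:53, so clients that
# use OPNsense as their resolver get rewritten too (the loop the OP hit).
# rdr on $lan_if inet proto { tcp, udp } from $lan_net to any port 53 -> $lan_addr port 53

# --- Corrected order: exempt first, then redirect ---
# Translation rules in pf are first-match, so the exemption must come first.
# 1. Queries already destined for the local resolver are left untouched.
no rdr on $lan_if inet proto { tcp, udp } from $lan_net to $lan_addr port 53
# 2. Every other port-53 query from the LAN is rewritten to the local Unbound.
rdr on $lan_if inet proto { tcp, udp } from $lan_net to any port 53 -> $lan_addr port 53
```

To confirm the redirect from a LAN client, query an external resolver explicitly (for example `dig @1.1.1.1 example.com`) and check that the answer comes from Unbound (blocklisted names resolve to the sinkhole) and that `dig @192.168.1.1 example.com` no longer times out.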
Title: Re: Enforcing DNS through OPNsense - NAT redirect issue and fix
Post by: nero355 on April 20, 2026, 02:40:50 PM
What did/does your redirect rule look like exactly?

My guess is you have been filtering ALL DNS TRAFFIC instead of just DNS traffic that isn't going to OPNsense?