OPNsense Forum

English Forums => General Discussion => Topic started by: terry274 on May 25, 2022, 04:17:07 pm

Title: redirect dns
Post by: terry274 on May 25, 2022, 04:17:07 pm
I have a port forward redirect rule for DNS. I can see in the logs that the rule works. However, some DNS continues to go out from the WAN, to servers that are not what I have setup in Unbound.
I am referring to the 8.8.8.8 destination in the picture.
How do I set up OPNsense to only allow the DNS server I specify?

Edit: I noticed the packets I am seeing are ICMP packets, not DNS lookups. 

(https://i.ibb.co/GQXMJ1v/anything-out.png)

(https://i.ibb.co/hBCPHjb/rdr.png)
Title: Re: redirect dns
Post by: tiermutter on May 25, 2022, 05:51:22 pm
The log only shows some ICMP (e.g. ping) to 8.8.8.8; that's not DNS traffic and nothing you need to worry about.
I guess you are redirecting all 53/DNS, but remember that DoH, DoT or (maybe) DoQ will not be redirected and will consequently be answered by undesired servers outside your LAN.
Title: Re: redirect dns
Post by: Vilhonator on May 31, 2022, 07:44:11 pm
Unless you host your very own public DNS servers, you can't completely control which DNS servers receive requests.

Anyway, the way DNS redirection works is that it prevents computers within that network from using Google DNS.

Let's say that the domain name your OPNsense uses is opnsense.home.tease, its private IP is 192.168.1.1, and you created a DNS redirect rule. The way you know it works is by opening a command prompt and typing nslookup 192.168.1.1 8.8.8.8.

If the result is:

Server:  dns.google
Address:  8.8.8.8

Name:    opnsense.home.tease
Address:  192.168.1.1

Then it is working.

DNS redirection is mostly useful on corporate and school networks, when you want to hide the primary DNS server but still need a DNS server with records for intranet stuff, or when you use DNS blocking and want to prevent people from bypassing it by simply changing the DNS server.
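The check described in the post above (query the outside resolver for a name only the local Unbound knows), plus the DoT caveat from the earlier reply, as an added example that is not part of the original thread or of OPNsense itself. It builds and parses raw DNS packets so the result does not depend on nslookup's output format. The names and addresses (8.8.8.8 as the outside resolver, opnsense.home.tease -> 192.168.1.1 as a local-only Host Override) are assumptions taken from the thread's hypothetical setup; the replies used in the offline demo are constructed test data, not captured traffic.

```python
"""Added example: does a LAN port-53 redirect catch a client's DNS queries,
and is DoT (TCP/853) to an outside resolver still reachable?

Assumed values (hypothetical, from the thread's example, not real infrastructure):
  - 8.8.8.8 is the outside resolver a client might try;
  - opnsense.home.tease -> 192.168.1.1 exists only in the local Unbound.
"""
import socket
import struct

EXTERNAL_DNS = "8.8.8.8"                 # assumed outside resolver
LOCAL_ONLY_NAME = "opnsense.home.tease"  # assumed Unbound host override
LOCAL_ONLY_IP = "192.168.1.1"


def build_query(name, qtype=1, txid=0x1234):
    """Build a minimal DNS query: standard query, RD set, one question, class IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)


def _skip_name(data, off):
    """Advance past a (possibly compressed) domain name starting at off."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += length + 1


def parse_response(data):
    """Return (rcode, [A-record IPs]) from a raw DNS response."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    rcode = flags & 0x0F
    off = 12
    for _ in range(qdcount):
        off = _skip_name(data, off) + 4        # skip QTYPE + QCLASS
    ips = []
    for _ in range(ancount):
        off = _skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(rdata))
    return rcode, ips


def classify(rcode, ips, expected_ip=LOCAL_ONLY_IP):
    """Interpret a reply to a query that was addressed to the outside resolver."""
    if rcode == 0 and expected_ip in ips:
        return "redirected"       # only the local Unbound knows this name
    if rcode == 3:
        return "not redirected"   # NXDOMAIN: the public resolver really answered
    return "inconclusive"


def probe_redirect(server=EXTERNAL_DNS, name=LOCAL_ONLY_NAME, timeout=2.0):
    """Run the live check from a LAN client. Needs network; not used offline."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        data, _ = s.recvfrom(512)
    if data[:2] != query[:2]:      # transaction id mismatch: not our answer
        return "inconclusive"
    return classify(*parse_response(data))


def dot_reachable(server=EXTERNAL_DNS, timeout=2.0):
    """True if TCP/853 (DNS over TLS) to the outside resolver connects, i.e. a
    port-53 redirect alone would not stop a DoT client. Needs network."""
    try:
        with socket.create_connection((server, 853), timeout=timeout):
            return True
    except OSError:
        return False


def constructed_reply(query, ip=None):
    """Constructed test data: the reply a resolver would give for `query`, either
    one A record pointing at `ip`, or NXDOMAIN when ip is None."""
    question = query[12:]
    if ip is None:
        return query[:2] + struct.pack(">HHHHH", 0x8183, 1, 0, 0, 0) + question
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    return query[:2] + struct.pack(">HHHHH", 0x8180, 1, 1, 0, 0) + question + answer


if __name__ == "__main__":
    q = build_query(LOCAL_ONLY_NAME)
    for reply in (constructed_reply(q, LOCAL_ONLY_IP), constructed_reply(q)):
        print(classify(*parse_response(reply)))   # redirected, then not redirected
```

On a real LAN client, probe_redirect() returning "redirected" confirms the rdr rule is answering on behalf of 8.8.8.8, while dot_reachable() returning True shows why the earlier reply's caveat matters: a client configured for DoT bypasses the port-53 redirect unless TCP/853 is also blocked.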