OPNsense Forum

English Forums => General Discussion => Topic started by: guest33999 on July 18, 2022, 02:26:37 pm

Title: [SOLVED] Force redirect DNS to Pihole
Post by: guest33999 on July 18, 2022, 02:26:37 pm
For the past week I've been trying to redirect DNS requests to use my internal DNS. Unfortunately, I can't get it to work.
2 days ago I decided to create a new test setup on a separate VLAN and added a DNS server (I'm using PiHole with unbound). I went back to basics and went one step at a time, kept track of every action and tested every option.

For now, I've managed to BLOCK all DNS requests. But I just can't seem to get my internal DNS to be allowed access. I'm getting really desperate here. Either this simply doesn't work or I just can't figure it out.

I made a simple diagram to showcase the setup (it's similar to the live environment, but with fewer stops in between):
https://imgur.com/nkNXDrT

Here's an overview of the rules I've tested (you can ignore the NAT section for now. I haven't even managed to get that far):
https://imgur.com/p7Ob1CT

And here are my test results so far:
https://imgur.com/3NRbRzc

Can someone help me? I don't know what to do anymore.

Edit:
Small update. I just realised I hadn't put this in the diagram above, but my OPNsense firewall itself has an IP address of 192.168.10.1
Title: Re: Cant get firewall rules to work
Post by: CGrisamore on July 18, 2022, 04:03:54 pm
I am running a similar setup using Adguard Home on a VM as my internal DNS server/adblocker. I used the info in the discussion at the link below to set everything up.

https://forum.opnsense.org/index.php?topic=22162
Title: Re: Cant get firewall rules to work
Post by: cookiemonster on July 18, 2022, 11:52:36 pm
For the past week I've been trying to redirect DNS requests to use my internal DNS. Unfortunately, I can't get it to work.
Indeed that link that CGrisamore provided is a proven method.
If you want to make it work in a different way, it would be helpful to know what it is that doesn't work.
Also, if you're open to using AdguardHome instead of PiHole, then there is a plugin you can install on OPN and it's pretty much all made easy.
Title: Re: Cant get firewall rules to work
Post by: guest33999 on July 20, 2022, 11:23:54 am
I've read the discussion. Since everyone is talking about ADG it's a bit hard to translate things to PiHole, but the NAT rule in that discussion doesn't work for me.
To clarify (@cookiemonster), when I set that rule, I can't load any websites, nor can I ping a domain name. And this is with only the NAT rule, no firewall rules (except an allow-all-traffic rule).

I had to laugh a bit when you said it would be helpful to know what doesn't work, as to me it feels crystal clear: either I have internet (websites load etc.) but no redirect, or nothing loads (so no domain names are being resolved). Trying to explain things to others, sometimes we skip the obvious info.

The first idea was simply to redirect DNS to my internal DNS servers. Later I thought, why not block DNS altogether and only allow my DNS servers outside (and see what happens)? But neither configuration has been anywhere near successful.

According to the opening post that was linked, my NAT rule would look like this (192.168.99.11 is my test DNS server, VLANTEST is (obviously) my test network).

Code: [Select]
Interface: VLANTEST
Protocol: TCP/UDP
Destination / Invert: Ticked
Destination: VLANTEST address
Destination port range: From: DNS - To: DNS
Redirect target IP: 192.168.99.11
Redirect target port: DNS
NAT Reflection: Disable

Most interestingly, the DNS server itself can't even ping google.com, for example. Note: this is without any firewall rules in play, nothing is being blocked.

Edit:
Added a small update to my starting post (added OPNsense IP address).
Title: Re: Cant get firewall rules to work
Post by: guest33999 on July 20, 2022, 12:03:48 pm
I just did a test where I skipped the PiHole DNS server altogether to see if the redirect even works (in my scenario).

I changed the DNS server that is given out with DHCP to Google's 8.8.8.8 (Services > DHCPv4 > VLANTEST > DNS servers).
Result: websites load, ping works. DNSleaktest tells me I am using Google DNS.

Next I manually set the DNS server on my client to Cloudflare 1.1.1.1.
Result: websites load, ping works. DNSleaktest tells me I am using Cloudflare DNS.

Next I enabled the above NAT rule (but instead of redirecting it to my internal DNS, I forwarded it to OpenDNS 208.67.222.222):
Code: [Select]
Interface: VLANTEST
Protocol: TCP/UDP
Destination / Invert: Ticked
Destination: VLANTEST address
Destination port range: From: DNS - To: DNS
Redirect target IP: 208.67.222.222
Redirect target port: DNS
NAT Reflection: Disable

Results: websites load, ping works, and DNSleaktest tells me I am using OpenDNS.

So it seems the problem lies with my DNS server, probably more specifically the flow of DNS queries. At least, that's how I see it currently.
Title: Re: Cant get firewall rules to work
Post by: cookiemonster on July 20, 2022, 12:54:31 pm
Can you change that from:
Destination: VLANTEST address
to:
Destination: VLANTEST NET
and try again?
It might work or not. There are a couple of places to setup for the overall setup. Are you using Unbound in OPN or _in_ PiHole?
Also what values do you have in OPN for System>Settings>General for DNS?
My Firewall settings have Redirection for Port Forwards and Automatic NAT for Reflection. So when I create the Port Forward rule, it automatically creates the related rule for LAN and every interface,  including VLANs.
My NAT Outbound rules are in Hybrid mode.
Title: Re: Cant get firewall rules to work
Post by: guest33999 on July 20, 2022, 01:32:31 pm
Changing from VLANTEST address >> VLANTEST net didn't make a difference.

About Unbound: technically speaking, I am using unbound on PiHole. But unbound on OPN is also (still) enabled.
Without the firewall rules and all, it worked. So I never touched it as I wasn't sure what that might do.
OPN is also my internal resolver for hostnames (for example: ping MYCOMPUTER). This is also configured in PiHole via "conditional forwarding".

The only things ticked in OPN unbound are: enabled, DHCP registration, and DHCP static mappings. That led me to believe it always needed to be on so that PiHole could resolve hostnames on the local network. At least, that's what I always thought.

When I create a NAT rule, it also makes a firewall rule.

Originally my NAT Outbound was set to "automatic", but I changed that to "Hybrid" due to some testing. But no difference there compared to when it was set to "automatic".
Title: Re: Cant get firewall rules to work
Post by: guest33999 on July 20, 2022, 03:12:39 pm
So, I've set my DHCP DNS server to Google's 8.8.8.8.
My client's DNS server is 1.1.1.1
and my PiHole upstream DNS is OpenDNS 208.67.222.222.

This so that i can tell the difference in what is being used when.

With the following NAT rule:
Code: [Select]
Interface: VLANTEST
Protocol: TCP/UDP
Destination / Invert: Ticked
Destination: 8.8.8.8
Destination port range: From: DNS - To: DNS
Redirect target IP: 192.168.99.11
Redirect target port: DNS
NAT Reflection: Disable

My client and DNS server can't resolve any domain names. However, PiHole does register the request (in the Query Log, it lists the time and date, client and domain). So it looks like the requests are being received (and that means they are being redirected).

Now the question is, why can't my DNS server get through the firewall, or receive DNS info back...
Title: Re: Cant get firewall rules to work
Post by: Patrick M. Hausen on July 20, 2022, 03:52:13 pm
"From: DNS" is wrong for the port range. DNS clients use random source ports. Only the destination port is well defined and always 53.
Title: Re: Cant get firewall rules to work
Post by: guest33999 on July 20, 2022, 04:28:54 pm
"From: DNS" is wrong for the port range. DNS clients use random source ports. Only the destination port is well defined and always 53.
If I understand you correctly, I think you have the wrong assumption here. The "From" in my code segments is the port range of the Destination, not the "Source". Unless you're talking about something else :)

My "Source" ports in the NAT rule are set to ANY.

---------------------------------------------------------------------

I came to realize something earlier. I have installed Unbound on my PiHole DNS server, so PiHole upstreams to the localhost (127.0.0.1#5335). But Unbound, on the other hand, sends DNS queries to nameservers (.com, .net etc.) on, I presume here, the same DNS port 53 (according to the creator of PiHole).
So the port forward I described would create an infinite loop. Since Unbound requests info from a nameserver, which is obviously not my internal DNS, it gets redirected back to PiHole.
At least, that's my theory.

I just tested it by excluding my PiHole DNS server from the NAT rule and I can now ping domain names from the DNS server. But the redirect isn't working. On my client with 1.1.1.1, I can't resolve any domain names unfortunately :(

Code: [Select]
Interface: VLANTEST
Protocol: TCP/UDP
Source /Invert: Ticked
Source: 192.168.99.11
Source Port range: From: Any - To: Any
Destination / Invert: Ticked
Destination: 8.8.8.8
Destination port range: From: DNS - To: DNS
Redirect target IP: 192.168.99.11
Redirect target port: DNS
NAT Reflection: Disable

To be continued...
Title: Re: [SOLVED] Cant get firewall rules to work
Post by: guest33999 on July 20, 2022, 08:39:30 pm
So I stumbled upon a rather correct and detailed guide on LabZilla (https://labzilla.io/blog/force-dns-pihole).

I tried out those rules and everything worked. I'm able to resolve domain names on both PiHole and the clients, and DNS is being redirected to my DNS server.

I was getting close with my last post. Traffic wasn't going where it was supposed to. I had the first rule:
Code: [Select]
NAT Rule 1: Redirect DNS queries to PiHole

    Interface: VLANTEST
    Protocol: TCP/UDP
    Source: VLANTEST net
    Source Port range: From: Any - To: Any
    Destination / Invert: Ticked
    Destination: 192.168.99.11
    Destination Port Range: From: DNS - To: DNS
    Redirect Target IP: 192.168.99.11
    Redirect Target Port: DNS

But what I mostly tried was to add a firewall rule to allow traffic from my DNS server. Instead, I needed to create another NAT rule, but without the port forwarding.

Code: [Select]
NAT Rule 2: Exempt PiHole from DNS query redirects (Above Rule 1)

    No RDR (NOT): Ticked
    Interface: VLANTEST
    Protocol: TCP/UDP
    Source: VLANTEST net
    Destination: Any
    Destination Port Range: From: DNS - To: DNS

I also added the 3rd rule the author described, to Firewall > NAT > Outbound. I'm not sure if I will come across it, but I added it just to be sure.

Code: [Select]
NAT Rule 3: Prevent clients from giving unexpected source errors

    Interface: VLANTEST
    TCP/IP Version: IPv4
    Protocol: Any
    Source: VLANTEST net
    Source Port range: Any
    Destination: 192.168.99.11
    Destination Port: DNS
    Translation / Target: Interface address
    Translation / Port: EMPTY

All in all, after over a week of blood, sweat and tears, I finally got what I wanted.
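The loop described two posts up (Pi-hole's own upstream queries being redirected back to Pi-hole) and the ordering of the three rules in the post above come down to how pf evaluates Port Forward (rdr) rules: top-down, first match wins, and a "No RDR" match ends evaluation without translating. The model below is an added example, not code from the forum thread, from LabZilla or from OPNsense; it reduces the rules to the fields that matter and shows which rule sets loop, which redirect stubborn clients, and what the outbound rule does to the source address. Addresses follow the thread (VLANTEST 192.168.99.0/24, Pi-hole 192.168.99.11, OpenDNS 208.67.222.222); the firewall's VLANTEST address 192.168.99.1, the class and function names, and the client address 192.168.99.50 are assumptions. Note that the exemption rule is modelled with Source = Pi-hole address, which is what "Exempt PiHole" requires; with Source = VLANTEST net, as listed in the post, the exemption matches every client first and the redirect below it never fires, which the model also shows.

```python
"""Added example (not from the thread or OPNsense): first-match model of
pf-style Port Forward rules for the VLANTEST -> Pi-hole DNS redirect."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional

VLANTEST_NET = ip_network("192.168.99.0/24")
VLANTEST_ADDR = "192.168.99.1"   # assumed firewall address on VLANTEST
PIHOLE = "192.168.99.11"         # from the thread
CLIENT = "192.168.99.50"         # assumed client address
DNS = 53


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class RdrRule:
    """One Firewall > NAT > Port Forward entry, reduced to the relevant fields."""
    name: str
    src: str                      # "Source": host or CIDR
    dst: Optional[str]            # "Destination": None means any
    dport: int                    # "Destination port range" (DNS = 53)
    dst_invert: bool = False      # "Destination / Invert"
    no_rdr: bool = False          # "No RDR (NOT)": match but do not translate
    target: Optional[str] = None  # "Redirect target IP"

    def matches(self, p: Packet) -> bool:
        if ip_address(p.src) not in ip_network(self.src, strict=False):
            return False
        if p.dport != self.dport:
            return False
        dst_ok = self.dst is None or p.dst == self.dst
        return (not dst_ok) if self.dst_invert else dst_ok


def apply_rdr(rules: List[RdrRule], p: Packet) -> Packet:
    """Top-down, first match wins; a matching 'No RDR' rule stops evaluation."""
    for r in rules:
        if r.matches(p):
            return p if r.no_rdr else replace(p, dst=r.target, dport=DNS)
    return p


def apply_outbound_nat(p: Packet) -> Packet:
    """Rule 3 (Firewall > NAT > Outbound): VLANTEST net -> Pi-hole:53 gets its
    source rewritten to the interface address, so Pi-hole replies to the firewall
    and the reply is un-NATed back to the client from the address it queried."""
    if ip_address(p.src) in VLANTEST_NET and p.dst == PIHOLE and p.dport == DNS:
        return replace(p, src=VLANTEST_ADDR)
    return p


# Rule 1 from the post: redirect every VLANTEST DNS query not already aimed at Pi-hole.
RULE_REDIRECT = RdrRule("redirect DNS to Pi-hole", src="192.168.99.0/24",
                        dst=PIHOLE, dport=DNS, dst_invert=True, target=PIHOLE)
# Rule 2 as its purpose requires: only Pi-hole's own upstream queries escape.
RULE_EXEMPT_PIHOLE = RdrRule("exempt Pi-hole", src=PIHOLE, dst=None,
                             dport=DNS, no_rdr=True)
# Rule 2 as literally listed (Source: VLANTEST net): exempts every host.
RULE_EXEMPT_NET = RdrRule("exempt whole VLAN", src="192.168.99.0/24",
                          dst=None, dport=DNS, no_rdr=True)

ONLY_REDIRECT = [RULE_REDIRECT]                       # the looping setup
FIXED = [RULE_EXEMPT_PIHOLE, RULE_REDIRECT]           # exemption above redirect
WRONG_ORDER = [RULE_REDIRECT, RULE_EXEMPT_PIHOLE]     # exemption never reached
EXEMPT_EVERYONE = [RULE_EXEMPT_NET, RULE_REDIRECT]    # redirect never reached


def loops_to_pihole(rules: List[RdrRule]) -> bool:
    """Is Pi-hole's own query to its upstream (OpenDNS) handed back to Pi-hole?"""
    return apply_rdr(rules, Packet(PIHOLE, "208.67.222.222", DNS)).dst == PIHOLE


def client_redirected(rules: List[RdrRule]) -> bool:
    """Does a client hard-wired to 1.1.1.1 still land on Pi-hole?"""
    return apply_rdr(rules, Packet(CLIENT, "1.1.1.1", DNS)).dst == PIHOLE


if __name__ == "__main__":
    for label, rules in [("redirect only", ONLY_REDIRECT), ("exempt above", FIXED),
                         ("exempt below", WRONG_ORDER), ("exempt whole net", EXEMPT_EVERYONE)]:
        print(f"{label:17s} client redirected={client_redirected(rules)!s:5s} "
              f"Pi-hole loops={loops_to_pihole(rules)}")
```

The model covers only which rule a packet hits, not the reply path; the "unexpected source" problem that Rule 3 addresses is that, without the source translation, Pi-hole answers the client directly from 192.168.99.11 while the client is waiting for an answer from 1.1.1.1. On a live box the same three cases can be checked from a client with `dig @1.1.1.1 example.com` and from the Pi-hole host itself, watching Pi-hole's Query Log for the first and expecting the second to reach the real upstream.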
Title: Re: Cant get firewall rules to work
Post by: lilsense on July 20, 2022, 10:56:00 pm
"From: DNS" is wrong for the port range. DNS clients use random source ports. Only the destination port is well defined and always 53.
Patrick,
  I tried to follow:

https://homenetworkguy.com/how-to/redirect-all-dns-requests-to-local-dns-resolver/

and with your recommendation above, I am still unable to do this for both IPv4 and IPv6. Not sure what's missing.
Title: Re: Cant get firewall rules to work
Post by: Patrick M. Hausen on July 21, 2022, 07:30:19 am
If i understand you correctly, i think you have the wrong assumption here. The "From" in my code segments, is the port Range of the Destination. Not the "Source". Unless you're talking about something else :)
Yes, sorry. I misread your post. Glad you got it to work.