OPNsense Forum

English Forums => General Discussion => Topic started by: klausneil on May 24, 2016, 12:40:30 am

Title: opnsense block google dns
Post by: klausneil on May 24, 2016, 12:40:30 am
Hi, can anybody tell me how I can block the use of Google DNS (for example 8.8.8.8) and only allow my OPNsense DNS server 192.168.1.1? Because when they (my LAN) use Google DNS, they get around my policy.
Title: Re: opnsense block google dns
Post by: fabian on May 24, 2016, 01:00:35 pm
I would use a destination NAT to redirect the traffic to your local DNS server.
Title: Re: opnsense block google dns
Post by: klausneil on May 25, 2016, 05:58:16 am
Please excuse my ignorance, but can you tell me how to do this? I see NAT (forwarding, 1:1, NPT, outbound) and it also allows me to masquerade my internal IP when going out.
Title: Re: opnsense block google dns
Post by: fabian on May 25, 2016, 11:01:47 am
It works the same way as the rule for the transparent proxy - just a different port: https://docs.opnsense.org/manual/how-tos/proxytransparent.html#step-3-nat-firewall-rule
Title: Re: opnsense block google dns
Post by: klausneil on May 26, 2016, 04:09:44 am
Hi fabian, I followed the link but this does not work; I can still access the internet with 8.8.8.8. My rule is this:

Interface                 LAN
Protocol                  TCP
Source                    LAN net
Source port range         any - any
Destination               any
Destination port range    DNS - DNS
Redirect target IP        192.168.10.3
Redirect target port      DNS
Description               Redirect traffic to DNS
NAT reflection            Enable (NAT + Proxy)
Filter rule association   Add associated filter rule

Please help me.
Title: Re: opnsense block google dns
Post by: fabian on May 26, 2016, 12:22:29 pm
DNS can use UDP and TCP (it usually uses UDP) - sorry - I forgot to mention this.
Title: Re: opnsense block google dns
Post by: klausneil on May 26, 2016, 06:58:58 pm
OK fabian, but I configured my rule with TCP/UDP and still nothing. Why is this, or can I see it in the log?
Title: Re: opnsense block google dns
Post by: fabian on May 26, 2016, 10:25:13 pm
It should work - did you check it using the packet capture on the WAN interface of OPNsense?
Title: Re: opnsense block google dns
Post by: klausneil on May 27, 2016, 12:29:11 am
No, I don't have a packet capture on my WAN. How can I activate this option?
Title: Re: opnsense block google dns
Post by: bartjsmit on May 27, 2016, 08:24:45 am
You do :-)

Run tcpdump from the OPNsense command line and capture the WAN traffic to a file. Copy the output file to your workstation and open it in Wireshark for analysis.

Bart...
Title: Re: opnsense block google dns
Post by: franco on May 27, 2016, 10:55:03 am
There's also a GUI for this under Interfaces: Diagnostics: Packet Capture (or similar, I have the German GUI enabled at this time).
Title: Re: opnsense block google dns
Post by: klausneil on May 27, 2016, 09:33:14 pm
I see that when I try to access google.com this goes to my DNS server (192.168.10.3).

Capture output:
14:19:33.886357 IP 192.168.15.63.57064 > 192.168.10.3.53: UDP, length 33
14:19:33.887117 IP 192.168.10.3.53 > 192.168.15.63.57064: UDP, length 409
14:19:34.126850 IP 192.168.10.3.53 > 192.168.15.12.33918: UDP, length 76

But when I change my network configuration in Windows XP and set my DNS to 8.8.8.8, I see this:

14:31:32.504219 IP 192.168.15.29.1084 > 8.8.8.8.53: UDP, length 28
14:31:32.537415 IP 8.8.8.8.53 > 192.168.15.29.1084: UDP, length 404
14:31:32.698034 IP 192.168.15.29.1084 > 8.8.8.8.53: UDP, length 35

But my firewall rule does not work, because it does not redirect all port 53 traffic to 192.168.10.3.
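A small check for the capture step fabian suggested, as an added example that is not from the thread or from OPNsense: it parses tcpdump's one-line output (the format shown above) and lists every client query to port 53 that went somewhere other than the allowed resolver. Run over a WAN-side capture, where correctly redirected queries should never appear, any hit means the redirect rule is not catching that traffic. The sample capture and the resolver 192.168.10.3 are constructed from the thread's values.

```python
import re
from typing import Dict, List

# tcpdump's default one-line header: "<time> IP <src>.<sport> > <dst>.<dport>: ..."
# Only this common prefix is parsed, so UDP and TCP (SYN) lines are both handled.
_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

# Constructed sample capture mimicking the thread's tcpdump output (not a real capture).
SAMPLE_CAPTURE = """\
14:19:33.886357 IP 192.168.15.63.57064 > 192.168.10.3.53: UDP, length 33
14:19:33.887117 IP 192.168.10.3.53 > 192.168.15.63.57064: UDP, length 409
14:31:32.504219 IP 192.168.15.29.1084 > 8.8.8.8.53: UDP, length 28
14:31:32.537415 IP 8.8.8.8.53 > 192.168.15.29.1084: UDP, length 404
14:31:33.100412 IP 192.168.15.29.1085 > 1.1.1.1.53: Flags [S], seq 10, win 64240, length 0
14:31:34.000000 IP 192.168.15.29.1090 > 93.184.216.34.443: Flags [S], seq 11, win 64240, length 0
"""


def find_dns_bypass(capture: str, allowed_resolver: str) -> List[Dict[str, str]]:
    """Return each client -> port 53 packet whose destination is not the allowed resolver.

    Only the request direction (destination port 53) is examined, so replies
    coming back from the allowed resolver are never counted as bypasses.
    """
    hits = []
    for line in capture.splitlines():
        m = _LINE.match(line)
        if not m or m.group("dport") != "53":
            continue  # not a parseable header, or not a DNS request
        if m.group("dst") != allowed_resolver:
            hits.append({"ts": m.group("ts"), "client": m.group("src"), "resolver": m.group("dst")})
    return hits


def bypass_resolvers(capture: str, allowed_resolver: str) -> List[str]:
    """Sorted, de-duplicated list of external resolvers that clients reached directly."""
    return sorted({h["resolver"] for h in find_dns_bypass(capture, allowed_resolver)})


if __name__ == "__main__":
    for hit in find_dns_bypass(SAMPLE_CAPTURE, "192.168.10.3"):
        print(f"{hit['ts']} {hit['client']} reached {hit['resolver']}:53 directly (redirect not applied)")
```

With the constructed sample this reports the two queries to 8.8.8.8 and 1.1.1.1 and ignores the replies and the port 443 connection.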