Messages

1

Tutorials and FAQs / Re: HOWTO - Redirect all DNS Requests to Opnsense

« on: January 17, 2024, 03:05:07 pm »

It works now for me, I'm not sure I remember what I changed.

I have a NAT rule that redirects TCP/UDP 53 to 127.0.0.1 and one for ::1 and now the DNS lookups are corrected redirected and correctly answered, with source IP "faked".

But you use the Adguard on your OPNsense firewall or on a dedicated server on your lan network?

2

Tutorials and FAQs / Re: HOWTO - Redirect all DNS Requests to Opnsense

« on: January 17, 2024, 08:33:23 am »

So I fixed the issue with AdGuard not starting: it seems it has issues parsing specific IPv6. This works:

Code: [Select]

  bind_hosts:
    - 192.168.1.1
    - 127.0.0.1
    - ::1
    - 'fd00:1::'

But, the problem remains, a DNS request to 1.1.1.1 for example is properly redirected to AdGuard, but the answer does not make it to the client initiating the request.

In the packet capture done on the client (laptop) I can see what the reason is: the DNS request goes to 1.1.1.1, as expected, but the answer is coming from 192.168.1.1, which of course is then ignored.

Does someone know how I can get the Source IP "faked" on the way back? Or is that not really possible?

It's not really that important, it's in case I have a device on my home network with a hardcoded DNS server, but it would be useful in this case.

I had the same problem and the reason is that the DNS request from the client with be answered by the AdGuard server directly to the client, because the systems are in the same network. The IP of the answer will be rewrite by the firewall, because the OPNsense redirected the traffic. There are currently two solutions, which I found out.

• Put the AdGuard server to a new subnet to use OPNsense for network traffic.
• Change the netmask of the AdGuard server to 255.255.255.255

But keep in mind that for both options all the traffic will be route via the OPNsense firewall and not anymore directly at the same network!