Cannot get forced redirect of DNS to Pihole

[shadesh]

To solve things like this:

Code: [Select]

dig @8.8.8.8 heise.de   
;; reply from unexpected source: 10.20.30.4#53, expected 8.8.8.8#53
;; reply from unexpected source: 10.20.30.4#53, expected 8.8.8.8#53
;; reply from unexpected source: 10.20.30.4#53, expected 8.8.8.8#53
Where 10.20.30.4 is one of my internal DNS server.

[spetrillo]

I have implemented both port forward and the outbound NAT. I turned on hybrid outbound NAT rule generation, so I got the manual rule first and the automatic rules after. Attached is the outbound NAT and the port forward. Do they look right? First time doing this and want to make sure I am good to go! I am testing this on my IoT vlan, as this is where the devices that would bypass my Pi-Hole and DNS would be.

This begs the final question...how do I know if this is working for my devices?

[ChrisChros]

It will work if you put a NAT loopback on the outbound NAT. Need to come back later with screenshots (not in the opportunity right now). You could also google on hairpin nat to see if you can come up with the solution yourself.

Hi,

Create a port forward like this (NAT Port forward):
Interface: LAN
Protocol: TCP/UDP
Source: invert -> 192.168.1.22
Source Port: Any
Destination: invert -> LAN ADDRESS
Destination Port: DNS
Redirect Target: 192.168.1.22
Redirect Port: DNS
Nat Reflection: Disabled

Create an outbound NAT translation like this (NAT Outbound):
Interface: LAN
Protocol: any
Source: invert -> 192.168.1.22
Source Port: Any
Destination: 192.168.1.22
Destination Port: DNS
Translation/Target: interface address

This should do the trick. One drawback is that in pihole you will see all redirected traffic coming from OPNsense instead of your client.

When configuring a hard coded DNS like 1.1.1.1 and using nslookup, it still shows that 1.1.1.1 is resolving the DNS, but actually you will find an entry in pihole.

Maybe it can be done in an easier way. Open to suggestions.

I followed your suggestion and converted it to my needs. I am running AdGuard on the same box OPNsense is running. AdGuard is pointing to unbound on port 5335 to do the DNS-resolving with DoT.

The port forward rule is looking like this:
Interface: local_Networks (group with all networks as members)
Protocol: TCP/UDP
Source: invert -> This Firewall
Source Port: Any
Destination: invert -> local_Networks net
Destination Port: DNS
Redirect Target: 127.0.0.1
Redirect Port: DNS
Nat Reflection: Disabled

outbound NAT translation is looking like this:
Interface: local_Networks
Protocol: any
Source: invert -> This Firewall
Source Port: Any
Destination: This Firewall
Destination Port: DNS
Translation/Target: interface address

Unfortunately when I do a nslookup the result is not as expected:

Code: [Select]

nslookup yahoo.com 9.9.9.9
;; reply from unexpected source: 192.168.1.1#53, expected 9.9.9.9#53
Where is my fault?

Regards Chris

[ChrisChros]

Another problem which I have with my IoT devices is, that same of them will not work with this rules, especially my Google Nest mini, while the Google Home mini is working as normal.

The Chromecast device I have not tested yet, first I want to solve the Nest mini behavior.

Has someone else the same problems with the Nest mini devices to force them to use the internal DNS resolver?

UPDATE:
So I think I have it now.
I checked all my port forward rules and realized that NAT reflection was set to "Use system default", this has to be set to "Disabled".

[D0doooh]

UPDATE:
So I think I have it now.
I checked all my port forward rules and realized that NAT reflection was set to "Use system default", this has to be set to "Disabled".

Hi
I just ran into the same problems here too, could you show your settings exactly how you set them in the end?

[ChrisChros]

Here are my two Port Forward rules and the Outbound rule.
local_Networks is a Group and the members are all my related networks, eg. LAN, IoT, ...
https://labzilla.io/blog/force-dns-pihole
For the Port Forward rules take care that "NAT reflection" is set to disabled.

Furthermore I have crated for all these Networks a pass DNS to internal server rule and below this a block any external DNS server rule.
https://www.sunnyvalley.io/docs/network-security-tutorials/how-to-configure-opnsense-firewall-rules#1-allowing-only-specific-dns-servers

I hope this will help you to setup your firewall.