To restrict client DNS to only the specific servers configured on a firewall, a port forward may be used to capture all DNS requests sent to other servers.

Before adding this rule, ensure the DNS Forwarder or DNS Resolver is configured to bind and answer queries on Localhost, or All interfaces.

In the following example, the LAN interface is used, but it could be used for any local interface. Change the Interface and Destination as needed.

1. Navigate to Firewall > NAT, Port Forward tab
2. Click Add to create a new rule
3. Fill in the following fields on the port forward rule:
   Interface: LAN
   Protocol: TCP/UDP
   Destination: Invert Match checked, LAN Address
   Destination Port Range: 53 (DNS)
   Redirect Target IP: 127.0.0.1
   Redirect Target Port: 53 (DNS)
   Description: Redirect DNS
   NAT Reflection: Disable
This procedure will allow the firewall to block DNS requests to servers that are off this network. This can force DNS requests from local clients to use the DNS Forwarder or Resolver on OPNsense for resolution. When combined with OpenDNS, this allows DNS-based content filtering to be enforced on the local network.

1. Set up OpenDNS servers (or whatever DNS servers are preferred) in System > General.
2. Add a firewall rule on Firewall > Rules, LAN tab permitting TCP/UDP source:any to the firewall's LAN IP Address, port 53 (destination IP and port).
3. Move this newly created rule from step #2 to the very top of the LAN rules.
4. Add a new rule blocking protocol TCP/UDP source:any destination:any.
5. Move the rule created in step #4 to the second position, behind the permit rule that was moved in step #3.

That's it. Enjoy the fact that the hosts behind OPNsense can only talk to the built-in DNS resolver running on LAN, which uses your DNS.
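The two pieces of the configuration above that are easy to get wrong are the Invert Match on the port forward's destination (it must capture every DNS destination except the firewall's own LAN address) and the order of the two LAN rules (first match wins, so the permit must sit above the block). The following added example, which is not part of the original page or of OPNsense itself, models just those two matching decisions on constructed sample packets; the LAN address 192.168.1.1 and the client and resolver addresses are assumed, and the model does not chain the redirect into the filter evaluation.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed sample values: the firewall's LAN address is assumed to be 192.168.1.1.
LAN_ADDRESS = ipaddress.ip_address("192.168.1.1")
LOCALHOST = ipaddress.ip_address("127.0.0.1")


@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp" or something else such as "icmp"
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


def pkt(proto, src, dst, dport):
    """Build a sample packet from plain strings."""
    return Packet(proto, ipaddress.ip_address(src), ipaddress.ip_address(dst), dport)


def redirect_dns(p):
    """The 'Redirect DNS' port forward: TCP/UDP to port 53 whose destination is
    anything other than LAN Address (Invert Match) is sent to 127.0.0.1:53.
    Queries aimed directly at the firewall are left alone, so there is no loop."""
    if p.proto in ("tcp", "udp") and p.dport == 53 and p.dst != LAN_ADDRESS:
        return replace(p, dst=LOCALHOST, dport=53)
    return p


# The two LAN rules from the procedure: permit DNS to the firewall, then block the rest.
PERMIT_DNS_TO_FIREWALL = (
    "pass",
    lambda p: p.proto in ("tcp", "udp") and p.dst == LAN_ADDRESS and p.dport == 53,
)
BLOCK_ALL = ("block", lambda p: p.proto in ("tcp", "udp"))


def evaluate(p, rules):
    """LAN tab semantics: rules are checked top to bottom and the first match wins."""
    for action, matches in rules:
        if matches(p):
            return action
    return "no-match"


if __name__ == "__main__":
    q = pkt("udp", "192.168.1.50", "203.0.113.53", 53)   # client asks an outside resolver
    print(redirect_dns(q))                                # now addressed to 127.0.0.1:53
    direct = pkt("udp", "192.168.1.50", "192.168.1.1", 53)
    print(evaluate(direct, (PERMIT_DNS_TO_FIREWALL, BLOCK_ALL)))  # pass
    print(evaluate(direct, (BLOCK_ALL, PERMIT_DNS_TO_FIREWALL)))  # block: wrong order
```

Swapping the two rules in the last call shows why steps 3 and 5 insist on the permit being first: with the block on top, even queries sent straight to the firewall's resolver are dropped.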