Force redirect DNS to pihole

Started by Xelas, August 26, 2020, 09:38:39 AM

Quote from: mg82 on August 27, 2020, 09:03:44 AM
I have actually tinkered with this myself recently, and ultimately implemented the following, which turns out to be working very well.

My objective was also to catch and redirect all DNS queries towards pi-hole, which in return uses OPNsense as Unbound DNS resolver.

Course of action:
First, I created a new VLAN dedicated to my pi-hole. This is not required, but I decided to do so because of security considerations. The VLAN is firewalled, is not allowed to pass traffic to any other VLAN, and is only allowed to use TCP/UDP 53 outbound to ANY for DNS (as I am querying the root servers directly using Unbound) and HTTP/HTTPS to connect to the internet to fetch updates.

Then I installed pi-hole, and selected the interface IP of the pi-hole VLAN as upstream DNS server.
That way, pi-hole will filter ads, but uses Unbound on OPNsense to do the actual lookup.
You could also install Unbound on the pi-hole itself and offload everything there, but I decided not to do so.
I then fine-tuned everything to my needs (blocklists, black/whitelisting, etc.), and considered that part done.

Next, I wanted to be sure that all DNS queries are sent to the pi-hole for the VLANs I have set up.
For that, I used a NAT Port Forward rule, which is configured as follows: https://imgur.com/NzJUFPG

Details of this rule are:
- Interface - select your required interfaces to which this rule applies
- TCP/IP version - IPv4
- Protocol - TCP/UDP
- Source - do not select
- Destination/Invert - do not check
- Destination - Any
- Destination port range - DNS
- Redirect target IP - Your pi-hole IP address (I created an alias for it)
- Redirect target port - DNS
- Pool Options: Default
- Description - Redirect and pass DNS
- NAT reflection - Disable
- Filter rule association - Pass (I decided to choose pass, as this will reduce the amount of separate pass rules you need to create per interface)

I have also created an identical second rule, that is disabled, with the only difference that it contains the local loopback (127.0.0.1) address as Redirect Target IP, which is the firewall itself. This is a method of last resort, in case the pi-hole breaks down, or is unavailable for whatever reason.
I simply switch on this NAT rule and disable the other one, and remain up and running.
You need to be aware though that in case this is applied, advertisements are no longer blocked, unless you utilize the Unbound built-in blacklisting capabilities (Services > Unbound DNS > Blacklist). For peace of mind you could simply enable a fallback blacklist there, but I didn't care at this point in time. Perhaps some point of improvement towards the future :).

Last, but not least, let's test this out in practice, by going to https://dnsleaktest.com/. If all goes well, and you have applied the setup like I have depicted, you will see the WAN IP of your ISP there. If you have selected different DNS upstream servers, you will see these appearing here. Simply change the DNS server on one of your LAN devices, and run the test again to see if the redirection works.

I hope this is helpful to others!

Not working for me... when I enable this rule I lose the connection, unable to navigate.

August 28, 2020, 08:14:27 PM #16 Last Edit: August 28, 2020, 08:18:40 PM by Xelas
My spouse and I work from home and are both on calls at night fairly often, and the kids are schooling from home, so I have had very few opportunities to mess with the router. I'll have some opportunities over the weekend and will try a couple of these approaches. I'll try mg82's cute NAT + VLAN-based approach and AhnHEL's purely NAT-based one.

I think I understand both approaches, except for one thing in ahnHEL's. Why does that approach need global auto NAT reflection? I think that is a workaround because of this part:

Quote: 3. Go to Firewall/Rules/LAN and create a firewall rule to PASS from your PiHole to the LAN ADDRESS on port 53 and place it below the above Associated Filter Rule.

    PROTO     SOURCE      PORT   DESTINATION    PORT
    TCP/UDP   PIHOLE IP   ANY    LAN ADDRESS    53(DNS)

I think the "below" is a mistake, and the rule will never actually fire because any port 53 traffic from the pihole to another LAN IP (as it is trying to respond to a DNS query) will get blocked by the rule above it outlined in step 2:
Quote: 2. Go to Firewall/NAT/Port Forward and setup rule like below.

    INT   PROTO     SOURCE   PORT   DESTINATION    PORT      NAT IP                   NAT PORT
    LAN   TCP/UDP   ANY      ANY    !LAN ADDRESS   53(DNS)   (PIHOLE IP) 172.16.1.5   53(DNS)

Be sure to create the Associated Filter Rule with the above Port Forward and place it at the top of your LAN Rules.

You probably want to "PASS" DNS traffic going from the pihole to any valid interface including the router itself or even directly to the WAN gateway if your pihole is exclusively managing DNS for your networks. You want to pass port 53 to LAN or LAN/WAN before it hits that NAT rule, right? In that case:
Quote:
    TCP/UDP   PIHOLE IP   ANY   LAN ADDRESS   53(DNS)
needs to be ABOVE:
Quote:
    LAN   TCP/UDP   ANY   ANY   !LAN ADDRESS   53(DNS)   (PIHOLE IP)   53(DNS)
right?
Then you won't need to set up a global NAT Reflection that affects all of your NAT rules, and not just this one.

I may be off base with this - thoughts?
ProtectLi FW6 | Intel i3-7100U CPU @ 2.40GHz (4 cores) | 8GB RAM | 120GB SSD
Prod Release Train.

I did the same as mg82, created a VLAN purely for pi-hole.
Those VLANs can't talk to each other; only the redirect allows DNS traffic to pi-hole (see attachment).
Then I create under NAT: Port Forward a rule for every interface that needs to use pi-hole (see attachment).
The rule itself is also in the attachment.
I didn't touch anything in NAT and DHCP; those are default.
Pi-hole itself uses Unbound.

Quote from: annoniempjuh on August 29, 2020, 04:36:04 PM
I did the same as mg82, created a VLAN purely for pi-hole.
Those VLANs can't talk to each other; only the redirect allows DNS traffic to pi-hole (see attachment).
Then I create under NAT: Port Forward a rule for every interface that needs to use pi-hole (see attachment).
The rule itself is also in the attachment.
I didn't touch anything in NAT and DHCP; those are default.
Pi-hole itself uses Unbound.

Thank you! Do you have destination/invert checked for the port 53 redirect NAT rules? You are explicitly blocking all traffic from the pihole to the LANs with no exceptions, so I assume that the NAT destination/invert rule takes care of that and that it is higher up in the order that the rules get processed. Otherwise, I can't see how the clients get their DNS responses back.
Did I get that right?
ProtectLi FW6 | Intel i3-7100U CPU @ 2.40GHz (4 cores) | 8GB RAM | 120GB SSD
Prod Release Train.


Quote from: Xelas on August 29, 2020, 10:37:56 PM
Thank you! Do you have destination/invert checked for the port 53 redirect NAT rules? You are explicitly blocking all traffic from the pihole to the LANs with no exceptions, so I assume that the NAT destination/invert rule takes care of that and that it is higher up in the order that the rules get processed. Otherwise, I can't see how the clients get their DNS responses back.
Did I get that right?

If you checked the attachment you did see that source/invert and destination/invert are checked ;)
Not only can the pi-hole VLAN not talk to other interfaces, they also can't talk to pi-hole (except "lan", which uses the default "allow to all" rule).
If I disable this rule, no one can access Pi-hole DNS (except "lan").

See under this message an attachment of the firewall rules from "Guest Lan":
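Xelas's question about rule order and annoniempjuh's source/invert and destination/invert checks both come down to the same thing: pf evaluates Port Forward (rdr) rules top to bottom and the first match wins, so a bare "any to any:53, redirect to pi-hole" rule also catches the pi-hole's own upstream queries and sends them back to itself. The following Python model is an added example, written for this thread; it is not code from any poster here or from OPNsense. It assumes a LAN of 172.16.1.0/24 with the firewall (and Unbound) at 172.16.1.1 and the pi-hole at 172.16.1.5; the pi-hole address is the one quoted in the thread, the other addresses and the client flows are constructed.

```python
"""Model first-match evaluation of OPNsense NAT Port Forward rules for DNS.

Added example (not from the thread or from OPNsense): shows why a plain
"any -> any:53 redirect to pi-hole" rule loops the pi-hole's own upstream
queries back to itself, and what the Source/Invert and Destination/Invert
checkboxes change. Addresses are constructed placeholders except the
pi-hole IP 172.16.1.5, which a poster used in the thread.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

LAN_ADDRESS = "172.16.1.1"   # constructed: OPNsense LAN address, where Unbound listens
PIHOLE = "172.16.1.5"        # pi-hole IP as given in the thread
DNS = 53


@dataclass
class Flow:
    """One DNS query as the firewall sees it on the LAN interface."""
    src: str
    dst: str
    dport: int


@dataclass
class RdrRule:
    """A Firewall > NAT > Port Forward rule reduced to the fields that matter here."""
    description: str
    dport: int
    redirect_to: str
    source: Optional[str] = None          # None means "any"
    source_invert: bool = False           # the Source/Invert checkbox
    destination: Optional[str] = None     # None means "any"
    destination_invert: bool = False      # the Destination/Invert checkbox

    @staticmethod
    def _match(spec: Optional[str], invert: bool, addr: str) -> bool:
        if spec is None:
            return True
        hit = ip_address(addr) in ip_network(spec, strict=False)
        return not hit if invert else hit

    def matches(self, flow: Flow) -> bool:
        return (flow.dport == self.dport
                and self._match(self.source, self.source_invert, flow.src)
                and self._match(self.destination, self.destination_invert, flow.dst))


def resolve_destination(flow: Flow, rules) -> Tuple[str, Optional[str]]:
    """First matching redirect wins (pf walks rdr rules top to bottom).
    Returns the address the query actually reaches and the rule that sent it there."""
    for rule in rules:
        if rule.matches(flow):
            return rule.redirect_to, rule.description
    return flow.dst, None


def loops_to_self(flow: Flow, rules) -> bool:
    """True when a query sent by the pi-hole is redirected back to the pi-hole."""
    final, _ = resolve_destination(flow, rules)
    return flow.src == PIHOLE and final == PIHOLE


# The rule as first described in the thread: every port-53 query on LAN goes to the pi-hole.
NAIVE = [RdrRule("Redirect all DNS to pi-hole", DNS, PIHOLE)]

# The same rule with both invert boxes checked: not from the pi-hole itself, and
# not to the firewall's own LAN address (so pi-hole -> Unbound is left alone).
HARDENED = [RdrRule("Redirect DNS to pi-hole", DNS, PIHOLE,
                    source=PIHOLE, source_invert=True,
                    destination=LAN_ADDRESS, destination_invert=True)]


def evaluate(rules) -> dict:
    """Run the same constructed DNS flows against one rule set."""
    client_external = Flow("172.16.1.50", "8.8.8.8", DNS)    # client ignoring the DHCP-assigned DNS
    client_router = Flow("172.16.1.50", LAN_ADDRESS, DNS)     # client pointed straight at the firewall
    pihole_upstream = Flow(PIHOLE, "1.1.1.1", DNS)            # pi-hole using a public upstream
    pihole_unbound = Flow(PIHOLE, LAN_ADDRESS, DNS)           # pi-hole using Unbound on OPNsense
    return {
        "client_external": resolve_destination(client_external, rules)[0],
        "client_router": resolve_destination(client_router, rules)[0],
        "pihole_upstream_loops": loops_to_self(pihole_upstream, rules),
        "pihole_unbound": resolve_destination(pihole_unbound, rules)[0],
    }


if __name__ == "__main__":
    for name, rules in (("naive", NAIVE), ("hardened", HARDENED)):
        print(name, evaluate(rules))
```

With the naive rule every flow ends at the pi-hole, including the pi-hole's own queries to its upstream and to Unbound, which is the loop that leaves clients with no working DNS. With both invert boxes checked the clients are still redirected and the pi-hole reaches Unbound, but the model also shows the trade-off of excluding the LAN address as destination: a client that deliberately points at the firewall reaches Unbound directly and skips the pi-hole's blocklists unless a separate rule blocks that path. In mg82's layout the interface selection does the job of the source exclusion, since the redirect is simply not applied on the pi-hole's own VLAN.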

Quote from: decalpha on August 30, 2020, 09:23:31 AM
I have this working with 20.1.9_1, followed the steps listed below:

https://www.reddit.com/r/OPNsenseFirewall/comments/97vikk/opnsense_and_pihole_a_guide_to_obscuring_your_dns/
Most of the guides on the internet, such as the one you are linking to, are blocking DNS queries from clients that try to get around the pihole. We're redirecting the DNS queries to the pihole via NAT.
ProtectLi FW6 | Intel i3-7100U CPU @ 2.40GHz (4 cores) | 8GB RAM | 120GB SSD
Prod Release Train.