Cannot get forced redirect of DNS to Pihole

[dudeman21]

I'm trying to have all DNS traffic on my LAN redirected to my pihole. I've looked at several guides and tutorials and I think I have it setup properly but it doesn't seem to work.

My pihole is on 192.168.1.22

My Port Forward rule is (see screenshot):

Interface: LAN
Protocol: TCP/UDP
Source: invert -> 192.168.1.22
Source Port: DNS
Destination: invert -> LAN ADDRESS
Destination Port: DNS
Redirect Target: 192.168.1.22
Redirect Port: DNS
Nat Reflection: Disabled

https://imgur.com/UnEzcka

In the firewall rules LAN interface, I moved the rule that was created to the top (just under the automatic rules).

When I run 'nslookup test.com 192.168.1.22' I can see the lookup in the pihole logs. But when I run 'nslookup car.com 8.8.8.8', I don't see the lookup in the pihole logs meaning that it was able to look up directly to 8.8.8.8 and bypass the pihole.

Is there anything that I'm missing?

Thanks.

[lenny]

Why you invert the address?

DHCP -> DNS -> IP Pihole
LAN Rule:
Pihole Ip -> any tcp/udp:53

thats all.

[dudeman21]

The pihole already works correctly in terms of being pushed to users via DHCP. I want to setup a rule to force some devices that have hard coded DNS servers and don't respect the DHCP settings.

The idea being that the router will intercept any packets going on port 53 that are trying to leave the LAN network and port forward them to the pihole. Of course the pihole needs to be able to communicate with an external DNS, so the source IP is inverted to that traffic coming from the pihole is not affected.

My thinking is as follow:

All traffic on port 53 trying to leave the LAN network should be redirected to 192.168.1.22 (pihole) with the exception of traffic originating from the pihole itself, in which case it should be able to access an external DNS server (such as 8.8.8.8 ). I've experimented with the destination being !192.168.1.22 and also !LANADDRESS and neither works.

Here is a full screenshot of the port forward settings. After making this rule, I have moved the rule to the top of the LAN firewall rules (just under the automatic rules)

https://imgur.com/hiNioe4

[lenny]

if you want to redirect it, a NAT is great;)
You then forward all DNS traffic to your Pihole.

you have to build a rule that all DNS requests from your LAN are forwarded to your pihole IP.
then that should work, I think.

[dudeman21]

you have to build a rule that all DNS requests from your LAN are forwarded to your pihole IP.
then that should work, I think.

I thought that's what I thought I had with the port forward rule, is there another rule I need to make?  The port forward rule automatically creates a rule on the LAN interface which I have placed at the very top to get first priority. Any idea what else I need? Thanks.

[Northguy]

It will work if you put a NAT loopback on the outbound NAT. Need to come back later with screenshots (not in the opportunity right now). You could also google on hairpin nat to see if you can come up with the solution yourself.

[meazz1]

Why you invert the address?

DHCP -> DNS -> IP Pihole
LAN Rule:
Pihole Ip -> any tcp/udp:53

thats all.

I'm facing similar issue.
Where do I add the LAN rule? can you please clarify?
Does it do into
Firewall --> rules --> LAN --> add -->??

[Northguy]

It will work if you put a NAT loopback on the outbound NAT. Need to come back later with screenshots (not in the opportunity right now). You could also google on hairpin nat to see if you can come up with the solution yourself.

Hi,

Create a port forward like this (NAT Port forward):
Interface: LAN
Protocol: TCP/UDP
Source: invert -> 192.168.1.22
Source Port: Any
Destination: invert -> LAN ADDRESS
Destination Port: DNS
Redirect Target: 192.168.1.22
Redirect Port: DNS
Nat Reflection: Disabled

Create an outbound NAT translation like this (NAT Outbound):
Interface: LAN
Protocol: any
Source: invert -> 192.168.1.22
Source Port: Any
Destination: 192.168.1.22
Destination Port: DNS
Translation/Target: interface address

This should do the trick. One drawback is that in pihole you will see all redirected traffic coming from OPNsense instead of your client.

When configuring a hard coded DNS like 1.1.1.1 and using nslookup, it still shows that 1.1.1.1 is resolving the DNS, but actually you will find an entry in pihole.

Maybe it can be done in an easier way. Open to suggestions.

[meazz1]

Thanks Northguy!
One more question, is there a package/plugin similar to "pi hole" for opnsense?
I saw one called sunnyvalley but not sure if this can take place of phhole or it's an overkill for a basic home usage.

[dudeman21]

It will work if you put a NAT loopback on the outbound NAT. Need to come back later with screenshots (not in the opportunity right now). You could also google on hairpin nat to see if you can come up with the solution yourself.

Hi,

Create a port forward like this (NAT Port forward):
Interface: LAN
Protocol: TCP/UDP
Source: invert -> 192.168.1.22
Source Port: Any
Destination: invert -> LAN ADDRESS
Destination Port: DNS
Redirect Target: 192.168.1.22
Redirect Port: DNS
Nat Reflection: Disabled

Create an outbound NAT translation like this (NAT Outbound):
Interface: LAN
Protocol: any
Source: invert -> 192.168.1.22
Source Port: Any
Destination: 192.168.1.22
Destination Port: DNS
Translation/Target: interface address

This should do the trick. One drawback is that in pihole you will see all redirected traffic coming from OPNsense instead of your client.

When configuring a hard coded DNS like 1.1.1.1 and using nslookup, it still shows that 1.1.1.1 is resolving the DNS, but actually you will find an entry in pihole.

Maybe it can be done in an easier way. Open to suggestions.

Thank you so much for this! It works perfectly. I can now do ''nslookup car.com 1.1.1.1" and it will show up in the pi-hole logs.

Just a note for the noobs like me: when setting a specific IP address like 192.168.1.22 if there is a box next to it, set it to /32. (32 specifies a specific IP address).

Also this seemed to work better if for the out bound NAT rule I set the source port to DNS (53) instead of any. But for the port forward rule I kept it exactly as you said.

As far as the IP address all looking like it came from the router, that is true but only for clients that are not respecting the DHCP settings in the first place and have hard coded DNS servers set, so that is an ok compromise. Most clients show up correctly with the above settings because they have their DNS server set to 192.168.1.22 to begin with.

Thanks again for your help!

[Northguy]

Thanks Northguy!
One more question, is there a package/plugin similar to "pi hole" for opnsense?
I saw one called sunnyvalley but not sure if this can take place of phhole or it's an overkill for a basic home usage.

There is DNSBL for Unbound and Sensei from Sunnyvalley. Don't know if they suit your needs, so you need to experiment for yourself.

[ChrisChros]

It will work if you put a NAT loopback on the outbound NAT. Need to come back later with screenshots (not in the opportunity right now). You could also google on hairpin nat to see if you can come up with the solution yourself.

Hi,

Create a port forward like this (NAT Port forward):
Interface: LAN
Protocol: TCP/UDP
Source: invert -> 192.168.1.22
Source Port: Any
Destination: invert -> LAN ADDRESS
Destination Port: DNS
Redirect Target: 192.168.1.22
Redirect Port: DNS
Nat Reflection: Disabled

Create an outbound NAT translation like this (NAT Outbound):
Interface: LAN
Protocol: any
Source: invert -> 192.168.1.22
Source Port: Any
Destination: 192.168.1.22
Destination Port: DNS
Translation/Target: interface address

This should do the trick. One drawback is that in pihole you will see all redirected traffic coming from OPNsense instead of your client.

When configuring a hard coded DNS like 1.1.1.1 and using nslookup, it still shows that 1.1.1.1 is resolving the DNS, but actually you will find an entry in pihole.

Maybe it can be done in an easier way. Open to suggestions.

Do i have to create this outbound rule for all networks separately, LAN and VLAN?

Thanks, Chris

[bitTwiddler]

I would think that would be the case.  Each network has its own set of firewall rules.  I do something similar where I allow users on other networks to use a printer in my LAN.

[gpb]

I did this (similar set-up) but never needed an outbound NAT rule (did I miss something)?  What's the purpose of that the first wouldn't handle? 

Also, I used two NAT Port Forward rules, one for each ipv4 and ipv6...I use ipv4 for both LAN and VLAN (one rule, two interfaces), but have ipv6 disabled on VLAN (IoT network).  So for the ipv6 address on the LAN I use the link local address, if anyone is wondering.  I also allow ping to the pihole from VLAN as several IoT devices seem to like that...otherwise everything else is blocked.

[sanji]

Im also wondering if it is necessary to create an outbound NAT translation. I havent read that in other tutorials.

In which case it would be necessary?