Force redirect DNS to pihole

[Xelas]

LAN is: 172.16.1.1/24
pihole is at 172.16.1.5
opnsense unbound is obviously at 172.16.1.1

I'm trying to redirect all DNS traffic to the pihole. pihole should then go to 172.16.1.1 (to allow local dns resolution to work) then the router goes out to 8.8.8.8 or whatever.

First, I created a "quick" rule to allow the pihole to query the router (and only it should be allowed to query the router) and it's sitting as the first rule
Action: Pass
Interface: LAN
Protocol: TCP/UDP
Source: 172.16.1.5/32
Source port range: DNS
Destination / Invert: unchecked
Destination: This Firewall
Destination Port: DNS

Then I added a forward NAT:
Interface: LAN
Protocol: TCP/UDP
Source LAN address
Source port range: DNS
Destination / Invert: Checked
Destination:172.16.1.5/32
Destination Port: DNS
Redirect target IP: 172.16.1.5
Redirect target port: DNS
NAT reflection: Disable

This isn't working, as I can change the DNS setting manually on a PC on the LAN and happily bypass the firewall.

What am I missing?

[sorano]

What am I missing?

Knowledge?

  I would say that you need a block/reject rule for DNS ports to all destinations except 172.16.1.5

[nines]

What am I missing?

Knowledge?

  I would say that you need a block/reject rule for DNS ports to all destinations except 172.16.1.5

no, because its blocked by default.

@Xelas, you need a source nat rule too, otherwise your "routing" will be asynchronous. Just rewrite to the opnsense internal ip and you should be fine. You also need to take care that the actual dns (pihole) should still be able to access everything via udp/53

[sorano]

What am I missing?

  I would say that you need a block/reject rule for DNS ports to all destinations except 172.16.1.5

no, because its blocked by default.

Lol, dumbest reply I've read today. 

Do you have secret access to his firewall rules @nines ? Or are you just making dumb assumptions?

Obviously he has something that allows outbound external DNS otherwise he would not be writing:

This isn't working, as I can change the DNS setting manually on a PC on the LAN and happily bypass the firewall.

[AdSchellevis]

@sorano please try to keep this civilised, not everybody has the same background, we welcome everybody to join a discussion as long as people are treated respectfully.

[gpb]

LAN is: 172.16.1.1/24
pihole is at 172.16.1.5
opnsense unbound is obviously at 172.16.1.1

I'm trying to redirect all DNS traffic to the pihole. pihole should then go to 172.16.1.1 (to allow local dns resolution to work) then the router goes out to 8.8.8.8 or whatever.

Then I added a forward NAT:
Interface: LAN
Protocol: TCP/UDP
Source LAN address
Source port range: DNS
Destination / Invert: Checked
Destination:172.16.1.5/32
Destination Port: DNS
Redirect target IP: 172.16.1.5
Redirect target port: DNS
NAT reflection: Disable

This isn't working, as I can change the DNS setting manually on a PC on the LAN and happily bypass the firewall.

What am I missing?

Source port should be ANY, not DNS (destination is DNS).  You'll also need a second rule for ipv6 if you're using ipv6.  For ipv6, use the link-local address on the pihole as that won't change.  Not sure you need that first rule.

EDIT: did you include pihole's ip address in your DHCP settings so hosts know where to go?

[seed]

I did not test this, but this thread might be related:

HOWTO - Redirect all DNS Requests to Opnsense
https://forum.opnsense.org/index.php?topic=9245.0

[Koldnitz]

This guy’s guide worked for me and several others I believe.

https://homenetworkguy.com/how-to/configure-dns-opnsense-pihole/

Cheers,

[AhnHEL]

Then I added a forward NAT:
Interface: LAN
Protocol: TCP/UDP
Source LAN address
Source port range: DNS
Destination / Invert: Checked
Destination:172.16.1.5/32
Destination Port: DNS
Redirect target IP: 172.16.1.5
Redirect target port: DNS
NAT reflection: Disable

I think for SOURCE you would want LAN NET not LAN Address.  But I find that if you do that then the PiHOLE itself will be included in the Port Forward and cause DNS to fail.  So I used the Invert feature and setup my Port Forward like this

INT      PROTO         SOURCE      PORT    DESTINATION       PORT              NAT IP           NAT PORT

LAN    TCP/UDP     !172.16.1.5    ANY       !172.16.1.5       53(DNS)        172.16.1.5        53(DNS)

[Xelas]

This guy’s guide worked for me and several others I believe.

https://homenetworkguy.com/how-to/configure-dns-opnsense-pihole/

Cheers,

To be clear, and did not note this in my OP, I am publishing the pihole's IP as the DNS address in DHCP. Well-behaved clients that respect DHCP go to the pihole. I looked at the logs and found that some devices were ignoring that and using their own DNS anyway, so what I'm trying to do is to intercept those DNS requests and route them through the pihole. I completely understand that this is futile as a security measure - I'm interested in:
1) tracking which devices are doing this
2) whacking a few more ads out of the way

[Xelas]

...
Source port should be ANY, not DNS (destination is DNS).  You'll also need a second rule for ipv6 if you're using ipv6.  For ipv6, use the link-local address on the pihole as that won't change.  Not sure you need that first rule.

Why would the source port be "any"? Won't that have the effect of routing all traffic on all ports to the pihole on port 53?

Frontier FIOS doesn't have IPV6, so I'm not worrying about that yet. I have IPV6 turned off for now.

[Xelas]

Then I added a forward NAT:
Interface: LAN
Protocol: TCP/UDP
Source LAN address
Source port range: DNS
Destination / Invert: Checked
Destination:172.16.1.5/32
Destination Port: DNS
Redirect target IP: 172.16.1.5
Redirect target port: DNS
NAT reflection: Disable

I think for SOURCE you would want LAN NET not LAN Address.  But I find that if you do that then the PiHOLE itself will be included in the Port Forward and cause DNS to fail.  So I used the Invert feature and setup my Port Forward like this

INT      PROTO         SOURCE      PORT    DESTINATION       PORT              NAT IP           NAT PORT

LAN    TCP/UDP     !172.16.1.5    ANY       !172.16.1.5       53(DNS)        172.16.1.5        53(DNS)

That rule makes a ton of sense, thank you! It also looks like it eliminates needing to have another rule ahead of it to handle the pihole as a special case, so it kills 2 birds with 2 stone. Elegant.
I'll give this a shot tonight or tomorrow night after my family shuts down. Don't want to clobber precious Netflix time :-)

[AhnHEL]

That rule makes a ton of sense, thank you! It also looks like it eliminates needing to have another rule ahead of it to handle the pihole as a special case, so it kills 2 birds with 2 stone. Elegant.
I'll give this a shot tonight or tomorrow night after my family shuts down. Don't want to clobber precious Netflix time :-)

Was playing around with this some more tonight thanks to your post and I was still locking myself out of DNS if I attempted to use an External DNS like 8.8.8.8.  Not sure if this applies to your setup but it seems to require some extra configuration for mine because I'm using Unbound with DNS over TLS as the Upstream Server to the PiHOLE.  Anyway, truly figured it out now,

1. Go to Firewall/Settings/Advanced:  Enable Automatic outbound NAT for Reflection
2. Go to Firewall/NAT/Port Forward and setup rule like below.

           INT      PROTO         SOURCE      PORT    DESTINATION       PORT              NAT IP           NAT PORT

 <->    LAN    TCP/UDP          ANY          ANY    !LAN ADDRESS     53(DNS)        (PIHOLE IP)        53(DNS)
                                                                                                                     172.16.1.5

Be sure to create the Associated Filter Rule with the above Port Forward and place it at the top of your LAN Rules.

3.  Go to Firewall/Rules/LAN and create a firewall rule to PASS from your PiHole to the LAN ADDRESS on port 53 and place it below the above Associated Filter Rule.

        PROTO        SOURCE      PORT    DESTINATION       PORT

>    TCP/UDP      PIHOLE IP     ANY     LAN ADDRESS     53(DNS)

4.  Create a BLOCK rule now for External DNS after the above rule.  If the Port Forward is working, this rule should never hit so enable logging on it so you can see if there are issues.

      PROTO         SOURCE      PORT    DESTINATION       PORT

X   TCP/UDP         ANY          ANY            ANY             53(DNS)


Hope this helps you and/or anyone else using PiHOLE with Unbound DNS over TLS.

[mayo]

Goodmorning everybody,
I'm also interested in how to configure Opnsense/Pi-Hole in the best way for home network. I've tried to configure it but I have a lot of PTR request in Pi-hole interface that is not resolving names...
Thank you so much!

[guest25283]

I have actually tinkered with this myself recently, and ultimately implemented the following, which turns out to be working very well.

My objective was also to catch and redirect all DNS queries towards pi-hole, which in return uses OPNsense as Unbound DNS resolver.

Course of action:
First, I created a new VLAN dedicated for my pi-hole. This is not required, but I decided to do so because of security considerations. The VLAN is firewalled, is not allowed to pass traffic to any other VLAN, and is only allowed to use TCP/UDP 53 outbound to ANY (as I am querying the root servers directly using Unbound) for DNS, and using HTTP/HTTPS to connect to the internet, to fetch updates.

Then I installed pi-hole, and selected the interface IP of the pi-hole VLAN as upstream DNS server.
That way, pi-hole will filter ads, but uses Unbound on OPNsense to do the actual lookup.
You could also install Unbound on the pi-hole itself and offload everything there, but I decided not to do so.
I then fine-tuned everything to my needs (blocklists, black/whitelisting, etc.), and considered that part done.

Next, I wanted to be sure that all DNS queries are sent to the pi-hole, for my VLANs I have setup.
For that, I used a NAT Port Forward rule, which is configured as follows: https://imgur.com/NzJUFPG

Details of this rule are:
- Interface - select your required interfaces to which this rule applies
- TCP/IP version - IPv4
- Protocol - TCP/UDP
- Source - do not select
- Destination/Invert - do not check
- Destination - Any
- Destination port range - DNS
- Redirect target IP - Your pi-hole IP address (I created an alias for it)
- Redirect target port - DNS
- Pool Options: Default
- Description - Redirect and pass DNS
- NAT reflection - Disable
- Filter rule association - Pass (I decided to choose pass, as this will reduce the amount of separate pass rules you need to create per interface)

I have also created an identical second rule, that is disabled, with the only difference that it contains the local loopback (127.0.0.1) address as Redirect Target IP, which is the firewall itself. This is a method of last resort, in case the pi-hole breaks down, or is unavailable for whatever reason.
I simply switch on this NAT rule and disable the other one, and remain up and running.
You need to be aware though that in case this is applied, advertisements are no longer blocked, unless you utilize the Unbound built-in blacklisting capabilities (Services > Unbound DNS > Blacklist). For peace of mind you could simply enable a fallback blacklist there, but I didn't care at this point in time. Perhaps some point of improvement towards the future .

Last, but not least, let's test this out in practice, by going to https://dnsleaktest.com/. If all goes well, and you have applied the setup like I have depicted, you will see the WAN IP of your ISP there. If you have selected different DNS upstream servers, you will see these appearing here. Simply change the DNS server on one of your LAN devices, and run the test again to see if the redirection works.

I hope this is helpful to others!