DNS Redirect

Started by Peter847, February 28, 2021, 11:26:26 PM

I am looking for help on how to redirect DNS requests to an external server of my choice.

I have a couple of devices that are hard coded to Google DNS servers. I can catch those requests with a Port Forward and redirect them to 127.0.0.1 and use Unbound to send them to, for example, OpenDNS. However, that means all of my devices now use OpenDNS. I have tried using the external server IP in the Port Forward instead of 127.0.0.1, but it still redirects to Unbound.

I want to use Unbound to service most of my LAN but redirect a couple of devices to a different DNS server.  Any thoughts on how I do that?

Can't you just define an ALIAS for those hosts that should go to an external / different DNS server other than your Unbound, and in the NAT port forward rule add this ALIAS as source, but only as inverted?

koushun
Running OPNsense through Proxmox
4 x Intel(R) Core(TM) i5-6500 CPU @ 3.20GHz (1 Socket)
24 GB RAM

I do have an alias for those hosts I want to redirect; that catches them and redirects them to loopback, which is then picked up by Unbound. If I invert that alias, then don't I let them go to Google DNS and catch everything else?

....

I might have misread. Or misunderstood..

It should not redirect to Unbound after you've hit apply. It should have been redirected to your preferred server. You might have to flush your DNS / do not try a name that is cached? Check drill / nslookup / dig.

Anyhow.
If you invert that alias, those devices will not go to your loopback, correct. They will go to whatever is configured.

You want some devices to use a preferred external DNS? But redirect hardcoded ones? And some devices should use your Unbound resolver.
What about creating more rules and more aliases?

I think you've got this :)

Running OPNsense through Proxmox
4 x Intel(R) Core(TM) i5-6500 CPU @ 3.20GHz (1 Socket)
24 GB RAM

Just to recap here is what I want to do:

    Default: All devices get their DNS servers through DHCP, which points to OPNsense and thereby Unbound.
    Unbound uses DNS servers of my choice, say Google.

    Selected Devices: Their DNS server is hard coded and needs to be redirected to another DNS server, say
    OpenDNS.

As for the cache, I always forget to clear it! I'll try again and report back.

Ran another test.

System DNS servers pointed to Google, port forward pointed to another external DNS server. Reset the hard coded device and OPNsense; the hard coded device uses Google servers, not the one in the port forward. It looks like the port forward does not work with an external IP address.

Not sure I understand how inverting the alias that catches the hard coded devices works?

This is how I would have redirected any DNS requests not going to my Firewall, but instead redirect those requests to Cloudflare's DNS (1.1.1.1).

Firewall: Aliases. Add a new alias, which is Type: Host(s) and in the Content section, add your IP addresses of the specific devices you would like to point to another DNS than Google's.

Name: ALIAS_HOSTS_DNS_REDIR

Then I would go;
Firewall: NAT: Port Forward and "+Add".

Interface: LAN / VLAN xx
Protocol: TCP/UDP
(Source) Address: ALIAS_HOSTS_DNS_REDIR
(Source) Ports: *
(Destination) Address: !This Firewall
(Destination) Ports: 53 (DNS)
(NAT) IP: 1.1.1.1 (Cloudflare DNS)
(NAT) Ports: 53 (DNS)
Description: Redirect external DNS to Cloudflare DNS

Disable NAT reflection (?).


When I come to think of it, you do not have to bother with creating an ALIAS for these hosts.

This rule above will direct TCP/UDP traffic destined for port 53 NOT (remember, "!") going to ANY of your OPNsense interfaces' IP (This Firewall) to the selected IP address (1.1.1.1) and port (53).

I think this will do what you want?

Running OPNsense through Proxmox
4 x Intel(R) Core(TM) i5-6500 CPU @ 3.20GHz (1 Socket)
24 GB RAM

I think that is pretty much what I have done. Here is the rule I have created:

Interface: LAN0
TCP/IP Version: IPv4 + IPv6
Protocol: TCP/UDP
(Source) Address: MyDeviceAlias
(Source) Ports: any
(Destination) Address: !LAN0 address
(Destination) Ports: 53 (DNS)
(NAT) IP: MyDNSAlias
(NAT) Ports: 53 (DNS)
Description: Redirect external DNS to Cloudflare DNS

Disable NAT reflection (?). Tried both enable & disable.

If I use 127.0.0.1 as the Redirect Target IP and (say) Cloudflare as the system DNS servers, all works. The DNS calls to Google are caught by the port forward and the address returned comes from the system DNS servers. If I use 1.1.1.1 as the redirect target and Google as the system DNS servers, then the address returned comes from Google, not Cloudflare. So it would appear that if the port forward is listening on the LAN, it cannot redirect to an address on the WAN. I should add that I have recently switched to OPNsense from pfSense. I had the same issue on pfSense but did not have to resolve it until now.

Quote from: koushun on March 02, 2021, 12:50:56 PM
This is how I would have redirected any DNS requests not going to my Firewall, but instead redirect those requests to Cloudflare's DNS (1.1.1.1).


Oh that's a really good idea for something like DNS on a "guest" network. I'd been blocking outbound DNS but this would force all devices to use local DNS without breaking ones which may not be correctly configured.

Quote from: Peter847 on March 02, 2021, 08:13:07 PM
So it would appear that if the port forward is listening on the LAN, it cannot redirect to an address on the WAN. I should add that I have recently switched to OPNsense from pfSense. I had the same issue on pfSense but did not have to resolve it until now.


I believe this should be a custom outbound NAT rule instead?

Ah, yes. One of the posts on pfSense said a port forward should work with an external IP, but I couldn't do it. I'll read up on the outbound NAT rules.
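The Port Forward that koushun lays out above, together with the outbound NAT rule the last reply points to, written out as the equivalent FreeBSD pf rules. This is an added example, not text from the thread and not the ruleset OPNsense itself generates; the interface names (igb0/igb1), the two client addresses in the table, and 1.1.1.1 as the redirect target are assumed values.

```pf
# Added example: pf equivalent of the OPNsense "Redirect external DNS" Port Forward.
# Interface names and client addresses are assumed placeholders, not from the thread.
lan_if = "igb1"
wan_if = "igb0"

# Stands in for MyDeviceAlias / ALIAS_HOSTS_DNS_REDIR: the hosts with hard-coded DNS.
table <dns_redir_hosts> { 192.168.1.50, 192.168.1.51 }

# Port Forward (rdr): plain DNS from those hosts that is NOT aimed at the
# firewall itself ("!This Firewall") has its destination rewritten to 1.1.1.1:53.
rdr on $lan_if inet proto { tcp, udp } from <dns_redir_hosts> \
    to ! self port 53 -> 1.1.1.1 port 53

# Outbound NAT on WAN: after the rdr the packet still carries the client's
# private source address, so it is source-translated to the WAN address on the
# way out; this is the "custom outbound NAT rule" the last reply refers to.
nat on $wan_if inet from <dns_redir_hosts> to 1.1.1.1 port 53 -> ($wan_if)

# pf filters after translation, so the pass rule matches the rewritten packet.
pass in quick on $lan_if inet proto { tcp, udp } \
    from <dns_redir_hosts> to 1.1.1.1 port 53

# Hosts outside the table are untouched and keep using Unbound via DHCP-supplied DNS.
```

To check that the redirect is really in effect rather than a cached answer, run `drill @8.8.8.8 example.com` on one of the listed clients while watching `pfctl -ss | grep ':53'` on the firewall: the state entry shows the original 8.8.8.8 destination mapped to 1.1.1.1, and `pfctl -sn` lists the loaded rdr and nat rules. Note that these rules only catch classic port 53; a client that switches to DNS over TLS (853) or DNS over HTTPS (443) is not redirected by them.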