Outbound Nat Rewrite - how to monitor in logs?

Started by allebone, May 20, 2021, 09:52:28 PM

May 20, 2021, 09:52:28 PM Last Edit: May 20, 2021, 09:55:31 PM by allebone
Hello,

I have an outbound NAT rewrite rule that captures devices that ignore DNS and forces them to go via my internal pihole. For example, if a client such as my Roku TV attempts to connect to 8.8.8.8 on port 53, this is captured and sent correctly, internally, to my pihole.

See figure 1:

My issue is the logs do not tell me what IP this device attempted to access externally. I would like to know how to capture this information. E.g. I can see that 192.168.2.51 tried to access an IP on port 53, as the rewrite rule kicked in, but I would like to know what that IP is (i.e. was it 8.8.8.8 or some other IP, etc.).

How can I know this?

Here is the rewrite rule:

Here is the LAN FW rule:


Thanks in advance :)

Pete



Does nobody know the answer to this question? I can log a ticket on GitHub if it's an unknown question.

Kind regards
Pete

Sorry if this is obtuse (me not understanding fully), but would it not be easier to use a block policy for all DNS with logging enabled, and whitelist the correct servers (also logged)? Or, if you must let the traffic pass, log all DNS with an inverted destination, maybe of "not your good DNS servers" (via an alias), or something similar. NAT seems to be complicating it a bit from what I can tell.

I must be honest. I also don't fully understand what you are telling me.

My desire (and why I set it up like this) is to silently capture devices on the network that try to use other DNS servers and reroute them to my internal DNS server without them knowing (i.e. blocking them).

This is working as intended, but I can't see what external DNS servers they are trying to query.

Sorry if you explained how to do this. I didn't fully understand your comment.

Pete

Quote from: allebone on May 24, 2021, 07:36:47 PM
I must be honest. I also don't fully understand what you are telling me.

My desire (and why I set it up like this) is to silently capture devices on the network that try to use other DNS servers and reroute them to my internal DNS server without them knowing (i.e. blocking them).

This is working as intended, but I can't see what external DNS servers they are trying to query.

Sorry if you explained how to do this. I didn't fully understand your comment.

Pete

I'm doing the same NAT redirect to my DNS server. I can confirm as well that, even with logging enabled on that NAT rule, I do not see logs for the rewrite either, at least not in the live view.

Also check this post out: https://forum.opnsense.org/index.php?topic=20149.0

May 26, 2021, 06:29:30 PM #5 Last Edit: May 26, 2021, 06:32:19 PM by Meditux
Sorry, can be deleted

Greeting Meditux


Quote from: Meditux on May 26, 2021, 06:29:30 PM
Hi guys,

I do the same; however, the redirects show up in the live log for me.

Greeting Meditux

I can see the resulting rewrite as well, but I think what the OP is looking for is an entry like
NAT - <Orig> Dest 8.8.8.8:53 > <New> Dest 192.168.1.1:53, to see the original destination.

Yes, exactly: there is no log showing the destination the client tried to access, like 8.8.8.8 as you say in your example.

I am still looking for a solution to this problem if anyone is aware of one :)

I suspect the code to log the original destination IP for the NAT rule is just not there.

A workaround, perhaps, is to have a specific firewall rule for the source IPs that are being rewritten on the DNS port and log that.

Do you mean the workaround is to log this on the DNS server and not on the OPNsense firewall?

No, I meant to create a firewall (filter) rule on the relevant OPNsense interface for the source IPs (e.g. LAN if they are in the LAN subnet), destination port 53, and then have logging on for that. Put that rule above any general pass rule (such as the default "allow LAN to any" rule). So the incoming DNS requests will hit that and be logged before they even reach the NAT rule.
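One thing worth knowing before trying the filter-rule workaround above: on OPNsense (FreeBSD pf), port-forward/rdr translation is applied to an inbound packet before the filter rules on that interface are evaluated, so a logged pass rule on LAN sees the packet with the pihole address already substituted as the destination, which is exactly what the existing logs show. A packet capture on the LAN interface, on the other hand, is taken before translation and does show the resolver the client actually asked for. The script below is an added example (not from this thread or from OPNsense) that tallies `tcpdump -nn -l -i igb1 'udp port 53 and not dst host 192.168.2.1'` output by client and attempted external resolver; the interface name `igb1`, the pihole address 192.168.2.1 and the sample capture lines are assumptions constructed for the example.

```python
"""Tally pre-NAT DNS destinations from tcpdump output on the LAN interface.

Usage on the firewall (interface name and pihole address are assumptions):
    tcpdump -nn -l -i igb1 'udp port 53 and not dst host 192.168.2.1' | python3 dns_tally.py
Run with no stdin to see the constructed sample below.
"""
import re
import sys
from collections import Counter

# Address of the internal resolver the rdr rule redirects to (assumed).
INTERNAL_DNS = "192.168.2.1"

# Matches the start of a tcpdump -nn IPv4 line: "<ts> IP <src>.<sport> > <dst>.<dport>:"
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

# Constructed sample capture: two clients, one of which ignores DHCP-supplied DNS.
SAMPLE = """\
21:52:28.123456 IP 192.168.2.51.51234 > 8.8.8.8.53: 12345+ A? example.com. (29)
21:52:28.223456 IP 192.168.2.51.51235 > 8.8.4.4.53: 12346+ A? example.org. (29)
21:52:29.000001 IP 192.168.2.60.40000 > 192.168.2.1.53: 1+ A? pi.hole. (25)
21:52:29.500000 IP 192.168.2.51.51236 > 8.8.8.8.53: 12347+ AAAA? example.com. (29)
21:52:30.000000 IP 192.168.2.51.49152 > 142.250.80.46.443: Flags [S], seq 1, win 64240, length 0
"""


def parse_line(line):
    """Return {'src', 'dst', 'dport'} for a tcpdump IPv4 line, or None if it does not match."""
    m = TCPDUMP_RE.match(line.strip())
    if not m:
        return None
    return {"src": m.group("src"), "dst": m.group("dst"), "dport": int(m.group("dport"))}


def tally(lines, internal_dns=INTERNAL_DNS):
    """Count (client, external resolver) pairs for port-53 traffic not aimed at the internal DNS.

    Traffic that already targets the internal resolver is the well-behaved case and is skipped;
    everything else on port 53 is a client that would have been caught by the rdr rule.
    """
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] != 53 or rec["dst"] == internal_dns:
            continue
        counts[(rec["src"], rec["dst"])] += 1
    return counts


def report(counts):
    """Render the tally as 'client -> resolver: n' lines, busiest first."""
    return [f"{src} -> {dst}: {n}" for (src, dst), n in counts.most_common()]


if __name__ == "__main__":
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE.splitlines()
    for row in report(tally(source)):
        print(row)
```

The capture filter excludes the pihole address so only the redirected clients are counted; if the internal DNS server lives in a different subnet, adjust `INTERNAL_DNS` and the `dst host` in the tcpdump expression together.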

June 24, 2021, 09:28:14 PM #12 Last Edit: June 24, 2021, 09:30:59 PM by allebone
I don't know how to do this. How do I create a firewall rule that does not block or pass the packets, so that the rewrite rule can take effect after the logging? If I make a rule, the only options are "pass", "block" or "reject". I do not wish to block the packet or reject it. I also don't want to pass it (i.e. allow it out). I want it to be captured and rewritten.

?

You do want to pass the packets on the internal interface; otherwise they will be dropped by OPNsense and there will be no DNS resolution, with or without a NAT rule.

The rule that is there only allows the packet to pass to the internal DNS server. The packet is already rewritten by the time it gets to that rule. There is no allow rule that lets the LAN client out to anywhere on 53, as this would be undesirable. I don't know how to implement what you are suggesting.