Author Topic: opnsense block google dns (Read 2913 times)

klausneil · « **on:** May 24, 2016, 12:40:30 am »

Hi, anybody tell me how can i block the use of google dns (example 8.8.8.

and only allow my dns server opnsense 192.168.1.1 because when they (my lan) use the google dns, they surfing my politic.

fabian · « **Reply #1 on:** May 24, 2016, 01:00:35 pm »

I would use a destination NAT to redirect the traffic to your local DNS server.

klausneil · « **Reply #2 on:** May 25, 2016, 05:58:16 am »

Please excuse me my ignorancy but you can tell me how make this? i see NAT (forwarding,1:1,npt,outbound) and also it allows me to masquerading my internal ip when getting out

fabian · « **Reply #3 on:** May 25, 2016, 11:01:47 am »

It works the same way like the rule for the transparent proxy - just a different port https://docs.opnsense.org/manual/how-tos/proxytransparent.html#step-3-nat-firewall-rule

klausneil · « **Reply #4 on:** May 26, 2016, 04:09:44 am »

Hi fabian, i follow the link but tjis not work i can access to internet with 8.8.8.8.8 my rule is this:

Interface              LAN
Protocol              TCP
Source           LAN net
Source port range         any - any
Destination            any
Destination port range      DNS - DNS
Redirect target IP         192.168.10.3
Redirect target port         DNS
Description            Redirect traffic to DNS
NAT reflection            Enable (NAT + Proxy)
Filter rule association      Add associated filter rule

Please help me.

fabian · « **Reply #5 on:** May 26, 2016, 12:22:29 pm »

DNS can use UDP and TCP (usually uses UDP) - sorry - forgot to mention this.

klausneil · « **Reply #6 on:** May 26, 2016, 06:58:58 pm »

Ok fabian but my rule i configure with TCP/UDP but nothig, why is this or i can see in the log?

fabian · « **Reply #7 on:** May 26, 2016, 10:25:13 pm »

It should work - did you check it using the packet capture on the wan interface of OPNsense?

klausneil · « **Reply #8 on:** May 27, 2016, 12:29:11 am »

No,. i dont have a packet capture on my wan, how i can active this options.

bartjsmit · « **Reply #9 on:** May 27, 2016, 08:24:45 am »

You do :-)

Run tcpdump from the OPNsense command line and capture the WAN traffic to a file. Copy the output file to your workstation and open it in Wireshark for analysis.

Bart...

franco · « **Reply #10 on:** May 27, 2016, 10:55:03 am »

There's also a GUI for this under Interfaces: Diagnostics: Packet Capture (or similar, I have the German GUI enabled at this time).

klausneil · « **Reply #11 on:** May 27, 2016, 09:33:14 pm »

i see that when i try access google.com this pass to my dns server (192.16810.3)

Capture output
14:19:33.886357 IP 192.168.15.63.57064 > 192.168.10.3.53: UDP, length 33
14:19:33.887117 IP 192.168.10.3.53 > 192.168.15.63.57064: UDP, length 409
14:19:34.126850 IP 192.168.10.3.53 > 192.168.15.12.33918: UDP, length 76

But when change my network configuration in windows xp and my dns is 8.8.8.8 i see this

14:31:32.504219 IP 192.168.15.29.1084 > 8.8.8.8.53: UDP, length 28
14:31:32.537415 IP 8.8.8.8.53 > 192.168.15.29.1084: UDP, length 404
14:31:32.698034 IP 192.168.15.29.1084 > 8.8.8.8.53: UDP, length 35

But my rule firewall not work because not redirect all trafic 53 to 192.168.10.3

Author Topic: opnsense block google dns (Read 2913 times)

klausneil

opnsense block google dns

fabian

Re: opnsense block google dns

klausneil

Re: opnsense block google dns

fabian

Re: opnsense block google dns

klausneil

Re: opnsense block google dns

fabian

Re: opnsense block google dns

klausneil

Re: opnsense block google dns

fabian

Re: opnsense block google dns

klausneil

Re: opnsense block google dns

bartjsmit

Re: opnsense block google dns

franco

Re: opnsense block google dns

klausneil

Re: opnsense block google dns