[Solved] Redirected DNS to local DNS Servers unable to resolve

[Manual6938]

I have a similar rule as described here to redirect any DNS request from my network to local DNS servers. : https://forum.opnsense.org/index.php?topic=9245.0

However this only works properly when the DNS is redirected to the gateway itself or to an external DNS server. If I provide an internal IP for my local DNS server, all of the DNS requests fail to resolve. In the DNS server log, it sees the requests and shows that it has responded, but the connection times out at the client side and it never resolves.

I tried both an Unbound DNS server and a Pi Hole, and both have the same behavior. If the client sets the local DNS manually and the firewall rule is disabled, the connection is fine, so it's definitely something with this redirection that is breaking it.

Is there any additional rule I would need to create?

[doktornotor]

Read this: https://forum.opnsense.org/index.php?topic=9245.msg177409#msg177409 (and kindly skip the incorrect "DNS does not use TCP" "simplification" part).

[Manual6938]

Looks like the rule I have set up should be the same as described here. I have attached a picture of my rule along with what happens. I am directing all TCP/UDP requests on port 53 to my local DNS server (which is on 192.168.2.12). If I change this IP to anything external or to my opnsense address, the dns resolves properly. But once I set it to a DNS server which is locally on my network but not at the opnsense address, I see timeouts on the client side.



The requests definitely still get routed to my local dns server, and show up in the logs, but the client never receives the response from the dns server. There is definitely not a firewall block because the dns server can be used if configured manually.

[doktornotor]

See https://labzilla.io/blog/force-dns-pihole

(And disable NAT reflection if enabled, it does weird and broken things in background.)

[Manual6938]

Thank you very much, I needed Rule 3 from this link. It wasn't clear in any logs that I was getting unexpected source errors.

[doktornotor]

Glad that it's resolved.

[Manual6938]

Glad that it's resolved.

Only issue is that with this rule, all dns requests are showing as coming from the opnsense gateway ip. If I choose the "Do not NAT" option on the rule, I see the real IPs again but end up with the same problem. Should I be able to see the real client ip on the dns server?

[Patrick M. Hausen]

Nope. You could point the clients directly at the DNS server via DHCP and keep the redirect rule for misbehaving ones.

[Manual6938]

This seems like the best option cheers. Have a couple clients I want to send to different local DNS servers but looks like I can set that in the static DHCP mapping.

[CJ]

Personally I prefer to just block the DNS and DoT ports since I provide a DNS server via DHCP.  It makes for a simplier setup and easier troubleshooting IMO.

Now if only NTP worked as well.

[rickygm]

I have this same scenario, but I can't get it to work.

https://labzilla.io/blog/force-dns-pihole
Steps two and 3 of this manual do not apply to the latest version of opnsense