IPV6 redirect to unbound DNS bug

Started by williamjjp, March 13, 2026, 08:35:05 PM

Hi All,

I think OPNsense is great, so kudos to the devs. I am fairly new to it, and I found a small inconsistency which I'm pointing out to help others.

When configuring NAT port forward rules to redirect all DNS traffic on port 53 from LAN clients to the DNS unbound local resolver, there is an inconsistency in how the corresponding firewall rules behave between IPv4 and IPv6. For IPv4, the redirect target is the loopback address and invert destination must be enabled on both the NAT port forward rule and its corresponding firewall rule for the redirect to function correctly. For IPv6, where the redirect target is a ULA virtual IP address assigned to an interface, enabling invert destination on the corresponding firewall rule prevents the redirect from working — it should be left unchecked. The NAT rule itself still requires invert destination for both protocols. This inconsistency is not documented and may cause confusion when replicating IPv4 DNS redirect configurations for IPv6.


(I'm aware Dnsmasq also allows this redirect function; I just prefer having it in firewall rules.)
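Whichever combination of invert settings ends up working, the thing worth checking afterwards is that port 53 traffic from LAN clients is really landing on the resolver for both address families. The script below is an added example for this thread, not something from the original post or from OPNsense itself. It parses the inbound state lines that `pfctl -ss` prints on FreeBSD/OPNsense (`stack destination (original destination) <- source`, the parenthesised part only appearing when rdr changed the destination) and flags any DNS state whose delivered destination is not the expected resolver. The resolver addresses (`127.0.0.1` and the ULA VIP `fd00:53::1`), the client addresses and the state lines are all constructed assumptions for the demo.

```python
"""Audit pf states for LAN DNS queries that were not redirected to the resolver.

Hypothetical helper written for this thread; run it on a live box with
    pfctl -ss | python3 dns_redirect_check.py
or without input to exercise the constructed sample states below.
"""
import ipaddress
import re
import sys

# Where the port forward is expected to deliver DNS traffic (assumed values):
# loopback for IPv4, a ULA virtual IP on the LAN interface for IPv6.
EXPECTED_RESOLVERS = {
    4: ipaddress.ip_address("127.0.0.1"),
    6: ipaddress.ip_address("fd00:53::1"),
}

# Inbound state as printed by `pfctl -ss`, e.g.
#   all udp 127.0.0.1:53 (1.1.1.1:53) <- 192.168.1.50:51234   NO_TRAFFIC:SINGLE
# Field 3 is the destination after translation; the parenthesised field is the
# destination the client actually asked for and is only shown when they differ.
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<stack_dst>\S+)"
    r"(?:\s+\((?P<wire_dst>\S+)\))?"
    r"\s+<-\s+(?P<src>\S+)"
)

# Constructed sample output (not captured from a real firewall).
SAMPLE_STATES = """\
all udp 127.0.0.1:53 (1.1.1.1:53) <- 192.168.1.50:51234       NO_TRAFFIC:SINGLE
all udp fd00:53::1[53] (2606:4700:4700::1111[53]) <- fd00:53::50[51234]       NO_TRAFFIC:SINGLE
all udp fd00:53::1[53] <- fd00:53::51[40001]       NO_TRAFFIC:SINGLE
all udp 2001:db8::53[53] <- fd00:53::52[40002]       NO_TRAFFIC:SINGLE
all tcp 192.168.1.1:443 <- 192.168.1.50:40003       ESTABLISHED:ESTABLISHED
""".splitlines()


def parse_host(token):
    """Split a pfctl host token into (address, port).

    pfctl prints IPv4 as addr:port and IPv6 as addr[port].
    """
    if token.endswith("]"):
        addr, port = token[:-1].split("[")
    else:
        addr, port = token.rsplit(":", 1)
    return ipaddress.ip_address(addr), int(port)


def classify_state(line):
    """Return a record for an inbound DNS state, or None for anything else."""
    m = STATE_RE.match(line.strip())
    if not m:
        return None
    stack_dst, stack_port = parse_host(m["stack_dst"])
    if stack_port != 53:
        return None
    src, _ = parse_host(m["src"])
    # No parenthesised field means rdr left the destination untouched.
    wire_dst = parse_host(m["wire_dst"])[0] if m["wire_dst"] else stack_dst
    expected = EXPECTED_RESOLVERS[stack_dst.version]
    return {
        "proto": m["proto"],
        "src": str(src),
        "requested": str(wire_dst),
        "delivered_to": str(stack_dst),
        "redirected": stack_dst == expected,
    }


def audit(lines):
    """Return (all DNS records, records that bypassed the resolver)."""
    records = [r for r in map(classify_state, lines) if r]
    leaks = [r for r in records if not r["redirected"]]
    return records, leaks


if __name__ == "__main__":
    lines = SAMPLE_STATES if sys.stdin.isatty() else sys.stdin.read().splitlines()
    records, leaks = audit(lines)
    for r in records:
        status = "ok  " if r["redirected"] else "LEAK"
        print(f"{status} {r['proto']} {r['src']} asked {r['requested']} "
              f"-> delivered to {r['delivered_to']}")
    print(f"{len(records)} DNS states, {len(leaks)} not delivered to the resolver")
```

In the sample, the fourth line is the situation the first post describes for IPv6: a client query to an outside address that reached the stack untranslated, so it shows up as a leak while the IPv4 query and the translated IPv6 query both pass.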

Today at 01:11:36 AM #1 Last Edit: Today at 01:14:06 AM by falken
I do not invert destination on v4 or v6 on the DNAT or the firewall rule. I'm not sure why you would need to?
I invert the source on DNAT v4/v6 to exclude the unbound server and other systems that need to be able to communicate to other DNS servers.

I think there's clearly a misconfiguration here, possibly with his IPv6 addressing or interface assignments. We'd need the setup details to try and spot it.

@falken I prefer to redirect only the non-local requests because if something is trying to reach DNS on an internal address which does not provide DNS on my network, I don't want that to go through. I want that blocked and logged because it's abnormal. YMMV.
N5105 | 8/250GB | 4xi226-V | Community

https://www.youtube.com/watch?v=XI9NG068TwI