[Solved] Enforcing DNS through OPNsense - NAT redirect issue and fix

Started by TarteTatin, Today at 11:03:21 AM

Today at 11:03:21 AM Last Edit: Today at 07:09:19 PM by TarteTatin Reason: Add solved to the title
Hi,

I set up DNS enforcement on my OPNsense home network to force all devices through my local Unbound resolver (with blocklists), regardless of their configured DNS server.

Setup:
  • LAN firewall rules: pass DNS to OPNsense, block DNS to anywhere else, block DoT (port 853)
  • Destination NAT rule redirecting all port 53 traffic to OPNsense (self)

Problem:
Computers, VMs and Docker containers already using OPNsense as their DNS server started experiencing intermittent timeouts. The NAT redirect was intercepting their queries (already correctly destined for OPNsense) and creating a redirect loop.

Fix:
Added a "no redirect" NAT rule, matching DNS traffic already destined for OPNsense, before the destination NAT rule redirecting all port 53 traffic to OPNsense.

Final NAT order:
  • No redirection for DNS already targeting OPNsense
  • Redirect everything else to OPNsense
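
The two NAT rules above, written out as a pf.conf fragment for reference. This is an added example, not the OPNsense GUI configuration from the post; it assumes the LAN interface is `igb1` and the firewall's LAN address is `192.168.1.1`.

```pf
# Constructed example, not the original poster's OPNsense rules.
# Assumptions: LAN interface igb1, firewall LAN address 192.168.1.1.
lan_if = "igb1"
fw_lan = "192.168.1.1"

# 1) Leave alone queries already addressed to the firewall.
#    pf's rdr rules are first-match, so this must precede the catch-all,
#    otherwise the redirect rewrites traffic that was already correct.
no rdr on $lan_if proto { tcp udp } from $lan_if:network to $fw_lan port 53

# 2) Redirect every other DNS query (any destination) to the local Unbound.
rdr on $lan_if proto { tcp udp } from $lan_if:network to any port 53 -> $fw_lan port 53

# Equivalent single rule using an inverted destination ("invert destination"
# in the GUI), which matches only DNS not already going to the firewall:
# rdr on $lan_if proto { tcp udp } from $lan_if:network to ! $fw_lan port 53 -> $fw_lan port 53

# Filter rules from the post: allow DNS to the resolver, drop DNS and DoT elsewhere.
# Filtering happens after redirection, so redirected queries already match $fw_lan here.
pass in quick on $lan_if proto { tcp udp } from $lan_if:network to $fw_lan port 53
block in quick on $lan_if proto { tcp udp } from $lan_if:network to ! $fw_lan port 53
block in quick on $lan_if proto tcp from $lan_if:network to any port 853
```

Both forms give the same result; the difference is only whether the exclusion is a separate "no redirect" rule or folded into the redirect rule's destination match.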

What did/does your redirect rule look like, exactly?

My guess is you have been filtering ALL DNS TRAFFIC instead of just DNS traffic that isn't going to OPNsense?
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)

Hey nero355,

You're right, I did not see the "invert destination" option. Now I did check it and specified my firewall.

Thanks to you, I had a better look at it!