Redirecting all DNS Requests to Opnsense

Started by spidysense, July 28, 2017, 02:49:33 PM

I know there are instructions on how to do this on PFsense:
https://doc.pfsense.org/index.php/Redirecting_all_DNS_Requests_to_pfSense

But if someone has already done this on their Opnsense box, please post a screen capture of it or the exact configuration of yours as it is laid out in Opnsense.

Thanks!

Your title states "Redirecting all DNS Requests to Opnsense", that isn't what's shown in the link you've posted. Despite the title of that article it states in the body that the aim is "To restrict client DNS to only the specific servers configured on a firewall," and unless I'm misunderstanding it you will still need your LAN computers to have a valid DNS entry in the resolv.conf of those clients pointing to the firewall DNS server. If that's not what it's saying then I'm sure someone will put me right. :)

DNS servers are either allocated via DHCP or manually with a fixed IP of the DNS server that's being used. I much prefer to run caching DNS servers on the LAN itself and let the firewall do what it's good at.
Regards


Bill

July 28, 2017, 03:38:54 PM #2 Last Edit: July 28, 2017, 03:40:48 PM by spidysense
Redirecting all DNS Requests to PFsense is the name of the subject of the post in the url. It is pretty clear to me it is about restricting all devices behind PFsense from using anything other than the prescribed DNS entries on the PFsense box. So in other words, Redirecting all DNS requests to PFsense. I just would like to see how it is done on OPNsense...

To restrict client DNS to only the specific servers configured on a firewall, a port forward may be used to capture all DNS requests sent to other servers.


The title and the contents of the article are ambiguous, to me they state two different objectives. I don't disagree that the aim is to use the DNS server configured on the firewall but 'redirecting' and 'restricting' are two different things. My aim was to point out the differences and try to get you to answer what you're trying to achieve, it seems I've failed miserably.

Why can't you configure those setting in OPNsense, have you tried and if you can't do it what's missing or wrong?
Regards


Bill

For anyone looking for the answer to this, I found it:
https://www.kirkg.us/posts/using-opendns-with-opnsense/
::)

Particularly:
Rule#3 (Restricting other DNS on the LAN and redirecting it to use OPNsense configured DNS)
If someone is trying to get around your OpenDNS filtering, and has changed their computer's DNS settings to use a public DNS server they will get denied.

redirect works with a port forward rule.
port 53 UDP/TCP to not this firewall -> IP_OF_THE_FIREWALL port 53
add a pass rule to allow TCP/UDP 53 to this IP if not generated automatically

restriction:
pass tcp/udp 53 to "this firewall"
block tcp/udp 53 # note that this is usually not needed as there is a default block.

Under: Firewall-->Rules-->LAN tab:

Rule 1 for DNS
http://imgur.com/a/t5uiZ

Rule 2 Block outbound LAN DNS queries
http://imgur.com/a/4pCKQ

I've run into some issues where this causes problems, specifically with Android phones. They seem to be determined to try the Google DNS servers before falling back to the locally assigned DNS servers from DHCP.

I help manage the IT for a church, and we provide free Wifi to those who would like to use it. We use OpenDNS to make sure that users don't stray from appropriate content for the setting.

So to help in this, I configured Unbound to run locally, forwarding its requests to OpenDNS. DHCP assigns the firewall as DNS server via the appropriate DHCP option. Firewall rules allow access to the firewall on port 53. I then added a NAT on the LAN interface to redirect all port 53 traffic (not destined for the firewall itself) to localhost port 53 on the firewall. This way, if a device tries to send DNS to something other than the firewall, the firewall sends it to Unbound, and Unbound responds after getting a response from OpenDNS.

I did the same with NTP traffic - block access to everything but the firewall, then set up a NAT to redirect everything to localhost on the firewall.

Hope this helps others.

Adam
AMD Ryzen 3 1200
GA-A320M-S2H
8GB DDR4
Intel X550-T2 10GB
32GB Industrial SSD

Shuttle SZ270R8
Intel i5-6500
8gb ram
120gb ssd
Intel x540-t2 10gb nic

I believe the most appropriate way of doing a DNS redirection to OPNsense is as in the attached image - this way, the redirection takes place only for external DNS requests, not messing with multiple internal sites/ network segments/ DNS servers dynamic resolution.

So you would permit, from the OPNsense point of view, even a ping-pong/ infinite loop of DNS requests in between internal DNS servers/ forwarders, all these requests being forwarded by OPNsense without any restriction or redirection (working as intended) but once a particular DNS request is made to any external DNS server, the Redirect to Self rule will do its magic.  ;)

PS Very important:
1. The rule should have "NAT reflection" = Disable! (!) (The default setting is "Use system default" - change it to "Disable"!)
2. Permit creation of filter/ FW association rule.
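The redirect/pass/block recipe described in the posts above (the port-forward rule, the associated pass rule, the optional block, and hutiucip's "Redirect to Self" with NAT reflection disabled) expressed as the underlying pf rules OPNsense generates. This is an added illustration, not configuration from any post in this thread or from the OPNsense project; the interface name, subnet and firewall address are assumed placeholders.

```pf
# Assumed values: replace with your own LAN interface, subnet and firewall address.
lan_if  = "igb1"
lan_net = "192.168.1.0/24"
lan_ip  = "192.168.1.1"

# 1. Redirect ("port forward" in the GUI): any DNS query from LAN that is NOT
#    already addressed to the firewall is rewritten to the firewall's own resolver.
#    The GUI equivalent is Destination = LAN address with "Invert match" ticked.
#    NAT reflection must stay disabled for this rule; it is a LAN-side redirect only.
rdr on $lan_if inet proto { tcp, udp } from $lan_net to ! $lan_ip port 53 -> $lan_ip port 53

# 2. Pass: filter rules see the translated destination, so the traffic must be
#    allowed to the firewall's resolver. This is the "filter rule association"
#    OPNsense offers to create automatically for the port forward.
pass in quick on $lan_if inet proto { tcp, udp } from $lan_net to $lan_ip port 53

# 3. Block: explicit deny for DNS to anything else. Usually redundant because of
#    the default deny, but logging it shows which clients (e.g. Android phones
#    hard-coded to public resolvers) are trying to bypass the firewall's DNS.
block in log quick on $lan_if inet proto { tcp, udp } from $lan_net to any port 53
```

On the firewall, `pfctl -sn` lists the active translation (rdr) rules and `pfctl -sr` the filter rules, which is the quickest way to confirm the GUI produced what you intended.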

hutiucip - thanks! That's what I have in place, but explained poorly :)