Redirecting all DNS Requests to Opnsense

fabian:
redirect works with a port forward rule.
port 53 UDP/TCP to not this firewall -> IP_OF_THE_FIREWALL port 53
add a pass rule to allow TCP/UDP 53 to this IP if not generated automatically

restriction:
pass tcp/udp 53 to "this firewall"
block tcp/udp 53 # note that this is usually not needed as there is a default block.

spidysense:
Under: Firewall-->Rules-->LAN tab:

Rule 1 for DNS
http://imgur.com/a/t5uiZ

Rule 2 Block outbound LAN DNS queries
http://imgur.com/a/4pCKQ

va176thunderbolt:
I've run into some issues where this causes problems, specifically with Android phones. They seem to be determined to try the Google DNS servers before falling back to the locally assigned DNS servers from DHCP.

I help manage the IT for a church, and we provide free Wifi to those who would like to use it. We use OpenDNS to make sure that users don't stray from appropriate content for the setting.

So to help in this, I configured Unbound to run locally, forwarding its requests to OpenDNS. DHCP assigns the firewall as DNS server via the appropriate DHCP option. Firewall rules allow access to the firewall on port 53. I then added a NAT on the LAN interface to redirect all port 53 traffic (not destined for the firewall itself) to localhost port 53 on the firewall. This way, if a device tries to send DNS to something other than the firewall, the firewall sends it to Unbound, and Unbound responds after getting a response from OpenDNS.

I did the same with NTP traffic - block access to everything but the firewall, then set up a NAT to redirect everything to localhost on the firewall.

Hope this helps others.

Adam

Ciprian:
I believe the most appropriate way of doing a DNS redirection to OPNsense is as in the attached image - this way, the redirection takes place only for external DNS requests, not messing with multiple internal sites/ network segments/ DNS servers dynamic resolution.

So you would permit, from the OPNsense point of view, even a ping-pong/ infinite loop of DNS requests in between internal DNS servers/ forwarders, all these requests being forwarded by OPNsense without any restriction or redirection (working as intended) but once a particular DNS request is made to any external DNS server, the Redirect to Self rule will do its magic.  ;)

PS Very important:
1. The rule should have "NAT reflection" = Disable! (!) (The default setting is "Use system default" - change it to "Disable"!)
2. Permit creation of filter/ FW association rule.

va176thunderbolt:
hutiucip - thanks! That's what I have in place, but explained poorly :)
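The posts above describe the redirect rule but not how to confirm from a client that it actually works. The following script is an added example, not code from this thread or from OPNsense: it sends the same query for a name that only the firewall's local Unbound can answer (a DHCP lease or host override) once to the firewall and once to an external resolver, and classifies the result. If the external resolver's IP returns the firewall's answer, the redirect is in place; an NXDOMAIN means the query reached the outside resolver directly; a timeout means DNS is blocked but not redirected. The addresses `192.168.1.1`, `8.8.8.8` and the name `printer.lan` are constructed placeholders to replace with your own.

```python
import socket
import struct
from typing import Optional

# Constructed placeholders (assumptions, not values from the thread):
# the firewall's LAN address, an external resolver, and a name that only
# the firewall's local Unbound knows (DHCP lease or host override).
FIREWALL_DNS = "192.168.1.1"
EXTERNAL_DNS = "8.8.8.8"
LOCAL_ONLY_NAME = "printer.lan"


def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Build a minimal DNS A/IN query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(struct.pack("B", len(l)) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(data: bytes, offset: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer occupies two bytes
            return offset + 2
        offset += 1 + length


def parse_response(data: bytes, expected_qid: int = 0x1234) -> dict:
    """Extract ID match, RCODE and the A-record answers from a DNS response."""
    qid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    result = {"id_ok": qid == expected_qid, "rcode": flags & 0x000F, "answers": []}
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(data, offset) + 4  # skip QTYPE and QCLASS
    for _ in range(ancount):
        offset = _skip_name(data, offset)
        rtype, rclass, _ttl, rdlength = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlength == 4:  # A record, IN class
            result["answers"].append(socket.inet_ntoa(data[offset:offset + 4]))
        offset += rdlength
    return result


def query(server: str, name: str, timeout: float = 2.0) -> Optional[dict]:
    """Send one UDP query to `server`; None on timeout (blocked, not redirected)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server, 53))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return None
    return parse_response(data)


def verdict(local_result: Optional[dict], external_result: Optional[dict]) -> str:
    """Classify the redirect state from the firewall and external query results."""
    if local_result is None or not local_result["answers"]:
        return "firewall resolver did not answer the local name; fix that first"
    if external_result is None:
        return "external DNS is blocked but not redirected (pass/block rule only)"
    if external_result["answers"] == local_result["answers"]:
        return "redirect active: external resolver IP was answered by the firewall"
    return "not redirected: external resolver answered directly"


if __name__ == "__main__":
    print(verdict(query(FIREWALL_DNS, LOCAL_ONLY_NAME),
                  query(EXTERNAL_DNS, LOCAL_ONLY_NAME)))
```

Run it from a LAN client, not from the firewall itself. It exercises UDP only; the rules in this thread cover TCP 53 as well, so repeat the check over TCP (for example with a resolver client that forces TCP) if you rely on that path.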
