Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
Tutorials and FAQs
»
Redirecting all DNS Requests to Opnsense
« previous
next »
Print
Pages: [
1
]
Author
Topic: Redirecting all DNS Requests to Opnsense (Read 22932 times)
spidysense
Newbie
Posts: 22
Karma: 1
Redirecting all DNS Requests to Opnsense
«
on:
July 28, 2017, 02:49:33 pm »
I know there are instructions on how to do this on PFsense:
https://doc.pfsense.org/index.php/Redirecting_all_DNS_Requests_to_pfSense
But if someone has already done this on their Opnsense box, please post a screen capture of it or the exact configuration of yours as it is laid out in Opnsense.
Thanks!
Logged
phoenix
Hero Member
Posts: 545
Karma: 58
Re: Redirecting all DNS Requests to Opnsense
«
Reply #1 on:
July 28, 2017, 03:24:54 pm »
Your title states "Redirecting all DNS Requests to Opnsense", that isn't what's shown in the link you've posted. Despite the title of that article it states in the body that the aim is "To restrict client DNS to only the specific servers configured on a firewall," and unless I'm misunderstanding it you will still need your LAN computers to have a valid DNS entry in the resolv.conf of those clients pointing to the firewall DNS server. If that's not what it's saying then I'm sure someone will put me right.
DNS servers are either allocated via DHCP or manually with a fixed IP of the DNS server that's being used. I much prefer to run caching DNS servers on the LAN itself and let the firewall do what it's good at.
Logged
Regards
Bill
spidysense
Newbie
Posts: 22
Karma: 1
Re: Redirecting all DNS Requests to Opnsense
«
Reply #2 on:
July 28, 2017, 03:38:54 pm »
Redirecting all DNS Requests to PFsense
is the name of the subject of the post in the url. It is pretty clear to me it is about restricting all devices behind PFsense from using anything other than the prescribed DNS entries on the PFsense box. So in other words, Redirecting all DNS requests to PFsense. I just would like to see how it is done on OPNsense...
To restrict client DNS to only the specific servers configured on a firewall, a port forward may be used to capture all DNS requests sent to other servers.
«
Last Edit: July 28, 2017, 03:40:48 pm by spidysense
»
Logged
phoenix
Hero Member
Posts: 545
Karma: 58
Re: Redirecting all DNS Requests to Opnsense
«
Reply #3 on:
July 28, 2017, 03:51:49 pm »
The tile and the contents of the article are ambiguous, to me they state two different objectives. I don't disagree that the aim is to use the DNS server configured on the firewall but 'redirecting' and 'restricting' are two different things. My aim was to point out the differences and try to get you to answer what you're trying to achieve, it seems I've failed miserably.
Why can't you configure those setting in OPNsense, have you tried and if you can't do it what's missing or wrong?
Logged
Regards
Bill
spidysense
Newbie
Posts: 22
Karma: 1
Re: Redirecting all DNS Requests to Opnsense
«
Reply #4 on:
July 28, 2017, 10:41:20 pm »
For anyone looking for the answer to this, I found it:
https://www.kirkg.us/posts/using-opendns-with-opnsense/
Particularly:
Rule#3 (Restricting other DNS on the Lan and redirecting it use OPNsense configured DNS)
If someone is trying to get around your OpenDNS filtering, and has changed their computer's DNS settings to use a public DNS server they will get denied.
Logged
fabian
Hero Member
Posts: 2769
Karma: 200
OPNsense Contributor (Language, VPN, Proxy, etc.)
Re: Redirecting all DNS Requests to Opnsense
«
Reply #5 on:
July 29, 2017, 10:56:03 am »
redirect works with a port forward rule.
port 53 UDP/TCP to not this firewll -> IP_OF_THE_FIREWALL port 53
add a pass rule to allow TCP/UDP 53 to this IP if not generated automatically
restriction:
pass tcp/udp 53 to "this firewall"
block tcp/udp 53 # note that this is usually not needed as there is a default block.
Logged
spidysense
Newbie
Posts: 22
Karma: 1
Re: Redirecting all DNS Requests to Opnsense
«
Reply #6 on:
July 30, 2017, 01:46:32 pm »
Under: Firewall-->Rules-->LAN tab:
Rule 1 for DNS
http://imgur.com/a/t5uiZ
Rule 2 Block outbound LAN DNS queries
http://imgur.com/a/4pCKQ
Logged
va176thunderbolt
Newbie
Posts: 49
Karma: 4
Nothing is more permanent than a temp solution
Re: Redirecting all DNS Requests to Opnsense
«
Reply #7 on:
August 16, 2017, 02:11:41 pm »
I've run into some issues where this causes problems, specifically with Android phones. They seem to be determined to try the Google DNS servers before falling back to the locally assigned DNS servers from DHCP.
I help manage the IT around for a church, and we provide free Wifi to those would like to use it. We use OpenDNS to make sure that users don't stray from appropriate content for the setting.
So to help in this, I configured Unbound to run locally, forwarding it's request to OpenDNS. DHCP assigns the firewall as DNS server via the appropriate DHCP option. Firewall rules allow access to the firewall on port 53. I then added a NAT on the LAN interface to redirect all port 53 traffic (not destined for the firewall itself) to localhost port 53 on the firewall. This way, if a device tries to send DNS to something other than the firewall, the firewall sends it to unbound, and unbound responds after getting a response from OpenDNS.
I did the same with NTP traffic - block access to everything but the firewall, then setup a nat to redirect everything to localhost on the firewall.
Hope this helps others.
Adam
Logged
AMD Ryzen 3 1200
GA-A320M-S2H
8GB DDR4
Intel X550-T2 10GB
32GB Industrial SSD
Shuttle SZ270R8
Intel i5-6500
8gb ram
120gb ssd
Intel x540-t2 10gb nic
Ciprian
Sr. Member
Posts: 284
Karma: 50
Re: Redirecting all DNS Requests to Opnsense
«
Reply #8 on:
August 17, 2017, 01:53:43 pm »
I believe the most appropriate way of doing a DNS redirection to OPNsense is as in the attached image - this way, the redirection takes place only for external DNS requests, not messing with multiple internal sites/ network segments/ DNS servers dynamic resolution.
So you would permit, from the OPNsense point of view, even a ping-pong/ infinite loop of DNS requests in between internal DNS servers/ forwarders, all these requests being forwarded by OPNsense without any restriction or redirection (working as intended) but once a particular DNS request is made to any external DNS server, the Redirect to Self rule will do its magic.
PS Very important:
1. The rule should have "NAT reflection" = Disable! (!) (The default setting is "Use system default" - change it to "Disable"!)
2. Permit creation of filter/ FW association rule.
Logged
va176thunderbolt
Newbie
Posts: 49
Karma: 4
Nothing is more permanent than a temp solution
Re: Redirecting all DNS Requests to Opnsense
«
Reply #9 on:
August 17, 2017, 06:47:11 pm »
hutiucip - thankjs! That's what I have in place, but explained poorly
Logged
AMD Ryzen 3 1200
GA-A320M-S2H
8GB DDR4
Intel X550-T2 10GB
32GB Industrial SSD
Shuttle SZ270R8
Intel i5-6500
8gb ram
120gb ssd
Intel x540-t2 10gb nic
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
Tutorials and FAQs
»
Redirecting all DNS Requests to Opnsense