HOWTO - Redirect all DNS Requests to Opnsense

[hushcoden]

Can someone please clarify if the 'source port range' must be set on DNS or any and why?

Tia.

[Patrick M. Hausen]

Source port range for DNS lookups is "any". A client may pick any random port, usually one >= 1024.

[August8828]

Would it also be advised to create a blockrule for port 53 dns when using dot or is enabling the redirect rule enough?

[9axqe]

I did a redirect, just in case there’s some badly configured device on the network with static DNS server IP.

[Lakkiada]

The source port is randomly selected by the client, leave as any. Theoretically, the redirect rule "should" catch everything. I, however, also have block rules for port 53, 853, 5353 and 9953 - just in case - Zero Trust. Do be sure the redirect rule is above the block rules.

I also block DNS on the WAN if source is !WAN address on port 853 (also block all other 53,853,5353,9953). This effectively limits all DNS to my selected DNS over TLS servers.

[August8828]

How do I redirect ipv6 dns queries? Redirecting it to ::1?

[9axqe]

That's what I'm doing, yes.

[vicking]

I tried the different methods from this thread to redirect everything to my pihole with cloudflare upstream dns.

When I change the DNS server of my computer to 8.8.8.8 and go to https://www.dnsleaktest.com/ and start a test, it then shows a bunch of google servers, so it doesn't seem to work. Or is my understanding wrong?

In another thread (https://forum.opnsense.org/index.php?topic=15472.0) it is mentioned to create an outbound NAT translation. I haven't read that anywhere else. So is this needed?

Wondering this same question. Followed the guide but when I change my DNS server on my Iphone to 8.8.8.8 and run a dnsleaktest I can see the Google servers where I had expected my local unbound service?

[9axqe]

What does your server use in terms of DNS protocol? HTTPS, QUIC, TLS...?

If it's using DNS over HTTPs for example, you're going to have to block 8.8.8.8:443 (both UDP and TCP).

If you want to go down that route, there are lists of public DNS over HTTPS/TLS providers, such as https://public-dns.info/nameservers.txt, which you then need to configure as FW aliases.

For DNS over TLS or QUIC it's simpler, you simply block anything to port 853 or 8853 (no point in redirecting, the certificate would not match).

[vicking]

I tried the different methods from this thread to redirect everything to my pihole with cloudflare upstream dns.

When I change the DNS server of my computer to 8.8.8.8 and go to https://www.dnsleaktest.com/ and start a test, it then shows a bunch of google servers, so it doesn't seem to work. Or is my understanding wrong?

In another thread (https://forum.opnsense.org/index.php?topic=15472.0) it is mentioned to create an outbound NAT translation. I haven't read that anywhere else. So is this needed?

Wondering this same question. Followed the guide but when I change my DNS server on my Iphone to 8.8.8.8 and run a dnsleaktest I can see the Google servers where I had expected my local unbound service?

All working now.. after setting it up again! Even when using 8.8.8.8 I can see the dns used is my local DNS service!