
Author Topic: HOWTO - Redirect all DNS Requests to Opnsense  (Read 75649 times)

Mks

« Reply #45 on: March 19, 2022, 04:31:10 pm »
Quote from: skyfighter on March 19, 2022, 11:04:52 am
Hi, many thanks for this HowTo, works flawlessly for me.
Would it be possible to add a similar Redirect rule for NTP service port 123 so that Opnsense NTP server will only be used?

Yes, it's basically the same.

br

ChrisChros

« Reply #46 on: March 19, 2022, 10:38:32 pm »
I use a Port Forward rule to forward all NTP traffic, which is not coming from the firewall, to my OPNsense.
The interface local_Networks is an alias for all my lan and vlan, so I need only one rule.
« Last Edit: March 19, 2022, 10:40:20 pm by ChrisChros »
XSK NUC Intel Celeron J3160 aka Protectli FW4B, 8GB RAM
OPNsense 22.1

hushcoden

« Reply #47 on: March 21, 2022, 07:00:24 pm »
I found this article https://www.derekseaman.com/2021/04/how-to-redirect-hardcoded-dns-to-opnsense.html and it's slightly different, as it also considers the source address. Why is that, and which solution is better?

Tia.

hushcoden

« Reply #48 on: March 30, 2022, 10:30:43 am »
I'd really like to understand what the difference is between using 'any' vs !firewall_ip_address as the source address?!?

Tia.

tiermutter

« Reply #49 on: March 30, 2022, 02:01:34 pm »
"!firewall_ip" as source takes care (or should) that the firewall itself can use any DNS servers without being redirected to itself. I think this is superfluous, as the rule is placed on the LAN interface and the firewall itself will never hit the rule for outgoing DNS requests. However, without specifying the source everything works fine and the firewall itself is able to make the necessary requests to DNS servers in WAN.
i am not an expert... just trying to help...

hushcoden

« Reply #50 on: April 21, 2022, 06:23:58 pm »
One more question: is it possible for just a device on the LAN to be able to use custom DNS servers?

Tia.

RamSense

« Reply #51 on: April 21, 2022, 06:53:32 pm »
Configure that device with a static IP and then add the DNS you like in the "DNS servers" field. I have not tried that myself while I use AdGuard Home for all devices / DNS.

tiermutter

« Reply #52 on: June 15, 2022, 09:45:30 am »
A few months later.... :)

In the past I excluded my wife's smartphone (IP by alias) from being redirected because she didn't want to use (ad-)filtered DNS servers. Just edit the forward rule and add the IP/alias negated ( ! ) to the source.
i am not an expert... just trying to help...

hushcoden

« Reply #53 on: June 15, 2022, 02:59:36 pm »
Quote from: tiermutter on June 15, 2022, 09:45:30 am
In the past I excluded my wife's smartphone (IP by alias) from being redirected because she didn't want to use (ad-)filtered DNS servers. Just edit the forward rule and add the IP/alias negated ( ! ) to the source.
Can you please check the two attachments (NAT before, NAT2 after)? After that change, the port forward will work for all the IPs but 192.168.0.13?

Tia.

tiermutter

« Reply #54 on: June 15, 2022, 03:30:21 pm »
Yes, this should work and this IP can use those DNS specified in the client's settings or whatever any app wants to. Remember IPv6... If there is a redirect rule for v6, the client must be excluded here too. In this case it might be better to use a MAC address instead of IPs.
i am not an expert... just trying to help...
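
Added example (not part of any forum post and not OPNsense code): a small Python model of how the redirect rule discussed in replies #49 to #54 matches packets, showing why the firewall's own queries never hit a LAN-side rule and why an IPv4-only exclusion leaves the device redirected over IPv6. The `Redirect` class, the "destination is not the firewall" condition, the firewall and resolver addresses and the phone's IPv6 address are assumptions constructed for illustration; only 192.168.0.13 comes from the thread.

```python
import ipaddress
from dataclasses import dataclass

ip = ipaddress.ip_address
# Constructed lab addresses; only 192.168.0.13 appears in the thread.
FIREWALL_ADDRS = {ip("192.168.0.1"), ip("fd00::1")}
PHONE_V4, PHONE_V6 = "192.168.0.13", "fd00::13"
RESOLVER_V4, RESOLVER_V6 = "198.51.100.53", "2001:db8::53"

@dataclass(frozen=True)
class Redirect:
    """Hypothetical model of one port-forward rule on the LAN interface."""
    family: int                        # 4 or 6: one rule per address family
    port: int                          # 53 for DNS, 123 for NTP
    excluded: frozenset = frozenset()  # negated ("!") source alias

    def matches(self, in_iface, src, dst, dport):
        src, dst = ip(src), ip(dst)
        if in_iface != "lan":          # only packets arriving on LAN are seen
            return False
        if src.version != self.family or dport != self.port:
            return False
        if dst in FIREWALL_ADDRS:      # assumed: traffic already for the firewall is left alone
            return False
        return src not in self.excluded

def redirected(rules, in_iface, src, dst, dport):
    """True if any rule would rewrite the packet to the firewall's own service."""
    return any(r.matches(in_iface, src, dst, dport) for r in rules)

def demo():
    v4 = Redirect(4, 53, frozenset({ip(PHONE_V4)}))
    v6_open = Redirect(6, 53)          # IPv6 rule without the exclusion
    v6_fixed = Redirect(6, 53, frozenset({ip(PHONE_V6)}))
    before, after = [v4, v6_open], [v4, v6_fixed]
    return {
        "other client, IPv4": redirected(before, "lan", "192.168.0.50", RESOLVER_V4, 53),
        "phone, IPv4": redirected(before, "lan", PHONE_V4, RESOLVER_V4, 53),
        "phone, IPv6, v4-only exclusion": redirected(before, "lan", PHONE_V6, RESOLVER_V6, 53),
        "phone, IPv6, excluded in both": redirected(after, "lan", PHONE_V6, RESOLVER_V6, 53),
        # Firewall-originated queries never arrive inbound on LAN ("self" here).
        "firewall's own query": redirected(before, "self", "192.168.0.1", RESOLVER_V4, 53),
    }

if __name__ == "__main__":
    for case, hit in demo().items():
        print(f"{case:32} redirected={hit}")
```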

xkpx

« Reply #55 on: July 02, 2022, 12:20:33 pm »
Simple and clean tutorial. Thanks!
« Last Edit: July 02, 2022, 12:26:26 pm by xkpx »

cgi2099

« Reply #56 on: September 01, 2022, 01:30:37 pm »
Thank you so much, OP of this tutorial, everything seems to be working :)

Quote from: RamSense on April 21, 2022, 06:53:32 pm
Configure that device with a static IP and then add the DNS you like in the "DNS servers" field. I have not tried that myself while I use AdGuard Home for all devices / DNS.

I also use AdGuard Home but want to exclude a VLAN from this, to be redirected to the DNS I have set up in the DHCP for the VLAN interface. Is this possible? I haven't been able to figure out a way to exclude my VLAN for AdGuard.

Josh

cgi2099

« Reply #57 on: September 02, 2022, 12:41:47 am »
After hours of testing this, I can get my Chromecast to have the correct DNS and all of that, I can fool the Chromecast with the direction above or at least I think I am. But certain apps like Disney, HBO Max and Hulu just won't work on the Chromecast. On my phone and computer it is no problem.
I believe there is something going on with the apps themselves or I am not doing something right. I even went as far as changing my DNS in AdGuard Home to my VPN's and it does work, but all these apps are still detecting a VPN.

Hopefully I am doing something wrong here?
