HOWTO - Redirect all DNS Requests to Opnsense

Started by Cypher100, July 26, 2018, 03:16:37 AM

January 11, 2021, 10:05:42 PM #15 Last Edit: January 12, 2021, 02:15:55 PM by sanji
I tried the different methods from this thread to redirect everything to my Pi-hole with Cloudflare upstream DNS.

When I change the DNS server of my computer to 8.8.8.8 and go to https://www.dnsleaktest.com/ and start a test, it then shows a bunch of google servers, so it doesn't seem to work. Or is my understanding wrong?

In another thread (https://forum.opnsense.org/index.php?topic=15472.0) it is mentioned to create an outbound NAT translation. I haven't read that anywhere else. So is this needed?


Redirecting DNS to 127.0.0.1 seems to fail for me:

Whereas a redirect to the relevant LAN/VLAN's gateway (e.g. 192.168.1.1:53) works, a redirect to 127.0.0.1:53 does not:
nslookup www.ft.com ns2.google.com.
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  216.239.34.10

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Zeitüberschreitung bei Anforderung an UnKnown.

The DNS request shows up in my (adguard home) logs, but apparently the response to my client is faulty.

If redirecting to 192.168.1.1, the redirect works and the client "does not notice":
nslookup www.ft.com ns2.google.com.
Server:  ns2.google.com
Address:  216.239.34.10

Nicht autorisierende Antwort:
Name:    ft2.map.fastly.net
Addresses:  151.101.2.209
          151.101.66.209
          151.101.130.209
          151.101.194.209
Aliases:  www.ft.com

What could be the reason?

Redirecting to 127.0.0.1 would be favourable as I could apply it globally to all local LAN/VLAN/VPN interfaces, whereas redirecting to a gateway address would require individual rules for each interface (bleh!).

That would be the case if you have disabled it on Systems > Settings > General > "Do not use the local DNS service as a nameserver for this system".
One quick way to check is to see the contents of your /etc/resolv.conf file. I suspect it doesn't have 127.0.0.1.
Whether that is what you want or not is another matter.

Thanks, but that's not it - the option is unchecked.

Probably more of a firewall issue I guess?

Quote from: abulafia on September 16, 2021, 06:42:14 PM
Thanks, but that's not it - the option is unchecked.

Probably more of a firewall issue I guess?

Did you ever solve this issue?

It's still a nightmare for DoT. Cannot seem to get it working either.
Followed every tutorial I could find but nothing really worked.
DEC4240 – OPNsense Owner


For DoT it won't work because the client will not accept answers from your own resolver. I'm just blocking DoT requests by FW rule; most clients will fall back to normal DNS, bad luck for those which don't...
For DoH I'm doing similar, blocking 443 for source = Alias "DNS Servers" with some DNS server lists I found on GitHub. This will not cover every existing DNS server, but is the best way I found.
i am not an expert... just trying to help...

Quote
For DoH I'm doing similar, blocking 443 for source = Alias "DNS Servers" with some DNS server lists I found on GitHub.
Could you please share the link for this github list?

UnboundDNS > General > Network Interfaces: 
I'm running 21.7.6 so I guess that's why I don't see the option for "all" or "Localhost". I do see my 3 interfaces and the WAN interface. Along with my 3 interfaces, should I select WAN here as well?

There's no mention in this tutorial of the setting "Outgoing Network Interfaces". It says by default all interfaces are used. Should I leave it using all interfaces or should I only select WAN?


Thanks


Hello,

I just wanted to say that this HOWTO saved me a ton of trouble I had with my Android mobiles, that were not seeing local hosts even though they are added in the default DNS (which is piHole).

Apparently, my mobiles were still looking for them outside and so it failed.
Once I redirected all external DNS queries to my piHole, everything works great!

Thanks for this!

I have this working also. But what I do not understand or know how to do this in the FW rules, is what zenarmor/sensei does. It looks like it goes one step further.

With the settings in this forum thread, when I do nslookup google.com 1.1.1.1 I get:
Server:      1.1.1.1
Address:   1.1.1.1#53

Non-authoritative answer:
Name:   google.com
Address: 142.251.39.110

------------
But with zenarmor app control - blocking - "network management" I get:
nslookup google.com 1.1.1.1
;; connection timed out; no servers could be reached

and nslookup google.com 192.168.1.1 (opnsense ip)
Server:      192.168.1.1
Address:   192.168.1.1#53

Non-authoritative answer:
Name:   google.com
Address: 142.251.39.110

So how to create this effect in the firewall of OPNsense without Sensei/Zenarmor? It looks even more secure, allowing OPNsense DNS but no other.

If DNS forwarding is set up correctly then the outcome is achieved and you don't need additional rules. A host may think it is using other DNS servers but it is actually not. That's a more sophisticated outcome than just blocking the other DNS servers entirely.

Yes, ok. I did a rewrite check on yahoo.com to 127.0.0.1 and that worked:
nslookup yahoo.com 9.9.9.9
Server:      9.9.9.9
Address:   9.9.9.9#53

Non-authoritative answer:
Name:   yahoo.com
Address: 127.0.0.1

But the reason I asked is that I have some bird box cams on the network that are blocked from internet access.
I noticed with the Sensei/Zenarmor "network management" block that it was blocking port 53 queries from those bird boxes. That made me think what to do: block port 53 access for those cams, or just keep the current redirect of all DNS as sufficient?
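The verification the thread converges on (query a foreign resolver for a name the local resolver overrides, as the poster did with yahoo.com answering 127.0.0.1, and see whose answer comes back) written out as an added example; this is not code from the thread or from OPNsense. It assumes the local resolver carries such an override for yahoo.com and that the NAT rule redirects UDP port 53; the "DNS request timed out" case from earlier in the thread is reported as an empty result.

```python
# Added example, not from the thread: client-side check that a DNS redirect is in
# effect, using a canary name the local resolver overrides (assumed: yahoo.com).
import socket
import struct

def build_query(name, txid=0x1234):
    """Build a plain UDP wire-format A query for `name` with RD=1."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name at `off`."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length

def parse_a_records(msg, expected_txid=0x1234):
    """Return IPv4 addresses from the answer section; [] if not a clean reply."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid or not flags & 0x8000 or flags & 0x000F:
        return []  # wrong id, not a response, or RCODE != NOERROR
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE/QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs

def redirect_in_effect(answers, canary="127.0.0.1"):
    return canary in answers  # a foreign resolver returning the override => redirected

def query(name, resolver, timeout=2.0):
    """Send to `resolver`:53 over UDP; [] on timeout (the failing case in the thread)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver, 53))
        try:
            return parse_a_records(s.recv(512))
        except socket.timeout:
            return []
```

Run `redirect_in_effect(query("yahoo.com", "9.9.9.9"))` from a LAN client: True means the rdr rule caught the packet and the local resolver answered, an empty list reproduces the timeout symptom seen with the 127.0.0.1 redirect.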