HOWTO - Redirect all DNS Requests to Opnsense

Started by Cypher100, July 26, 2018, 03:16:37 AM

Quote from: skyfighter on March 19, 2022, 11:04:52 AM
Hi, many thanks for this HowTo, works flawlessly for me.
Would it be possible to add a similar Redirect rule for NTP service port 123 so that Opnsense NTP server will only be used?

Yes, it's basically the same.

br

March 19, 2022, 10:38:32 PM #46 Last Edit: March 19, 2022, 10:40:20 PM by ChrisChros
I use a Port Forward rule to forward all NTP traffic that is not coming from the firewall to my OPNsense.
The interface local_Networks is an alias for all my LANs and VLANs, so I need only one rule.
XSK NUC Intel Celeron J3160 aka Protectli FW4B, 8GB RAM
OPNsense 22.1

I found this article https://www.derekseaman.com/2021/04/how-to-redirect-hardcoded-dns-to-opnsense.html and it's slightly different, as it also considers the source address; why is that, and which solution is better?

Tia.

I'd really like to understand the difference between using 'any' as the source address vs !firewall_ip_address?

Tia.

"!firewall_ip" as source takes care (or should) that the firewall itself can use any DNS servers without being redirected to itself. I think this is superfluous, as the rule is placed on the LAN interface and the firewall itself will never hit the rule for outgoing DNS requests. However, without specifying the source everything works fine and the firewall itself is able to make the necessary requests to DNS servers on the WAN.
i am not an expert... just trying to help...

One more question: is it possible for just one device on the LAN to be able to use custom DNS servers?

Tia.

When you configure that device with a static IP, then add the DNS you like in the "DNS servers" field. I have not tried that myself, as I use AdGuard Home for all devices / DNS.
Deciso DEC850v2

A few months later.... :)

In the past I excluded my wife's smartphone (IP by alias) from being redirected because she didn't want to use (ad-)filtered DNS servers. Just edit the forward rule and add the IP/alias negated ( ! ) to the source.
i am not an expert... just trying to help...

Quote from: tiermutter on June 15, 2022, 09:45:30 AM
In the past I excluded my wife's smartphone (IP by alias) from being redirected because she didn't want to use (ad-)filtered DNS servers. Just edit the forward rule and add the IP/alias negated ( ! ) to the source.
Can you please check the two attachments (NAT before, NAT2 after)? After that change, will the port forward work for all the IPs but 192.168.0.13?

Tia.

Yes, this should work, and this IP can use the DNS specified in the client settings or whatever any app wants. Remember IPv6: if there is a redirect rule for v6, the client must be excluded there too. In this case it might be better to use the MAC address instead of IPs.
i am not an expert... just trying to help...
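As an added illustration (not code from this thread or from OPNsense), a small Python model of the port-forward matching discussed above: a LAN rule whose source is a negated alias for the excluded phone and whose destination is the negated firewall address, next to a v6 rule that was never given the exclusion, so the IPv6 caveat shows up in the results. All addresses and the alias names "firewall" and "excluded_clients" are constructed.

```python
import ipaddress

# Constructed addresses; "firewall" and "excluded_clients" are hypothetical alias names.
ALIASES = {
    "firewall": ["192.168.0.1", "fd00::1"],            # the firewall's own LAN addresses
    "excluded_clients": ["192.168.0.13", "fd00::13"],  # the phone that keeps its own DNS
}

def _matches(spec, addr):
    """Evaluate a source/destination field: 'any', an alias or an address, optionally negated with '!'."""
    negated = spec.startswith("!")
    name = spec.lstrip("!")
    if name == "any":
        hit = True
    else:
        members = ALIASES.get(name, [name])
        # an address of the other family never matches a network of this one
        hit = any(addr in ipaddress.ip_network(m, strict=False) for m in members)
    return hit != negated

def make_rule(iface, family, src, dst, dport, target):
    """One simplified port-forward rule; 'family' is 4 or 6 because v4 and v6 rules are separate."""
    return {"iface": iface, "family": family, "src": src, "dst": dst, "dport": dport, "target": target}

def redirect_target(rules, iface, src, dst, dport):
    """Return the redirect address for a packet, or None if no rule matches (first match wins)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r["iface"] != iface or r["family"] != src.version or r["dport"] != dport:
            continue
        if _matches(r["src"], src) and _matches(r["dst"], dst):
            return r["target"]
    return None

# The v4 rule excludes the phone; the v6 rule was never updated, which is the caveat raised above.
RULES = [
    make_rule("lan", 4, "!excluded_clients", "!firewall", 53, "127.0.0.1"),
    make_rule("lan", 6, "any", "!firewall", 53, "::1"),
]

if __name__ == "__main__":
    for src, dst in [("192.168.0.20", "8.8.8.8"), ("192.168.0.13", "8.8.8.8"),
                     ("192.168.0.20", "192.168.0.1"), ("fd00::13", "2001:4860:4860::8888")]:
        print(f"{src:>14} -> {dst}:53  redirect to {redirect_target(RULES, 'lan', src, dst, 53)}")
```

Queries already addressed to the firewall are left alone by the negated destination, and the excluded phone is still redirected over IPv6 because only the v4 rule carries the exclusion.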

July 02, 2022, 12:20:33 PM #55 Last Edit: July 02, 2022, 12:26:26 PM by xkpx
Simple and clean tutorial, thanks!

Thank you so much, OP of this tutorial, everything seems to be working :)

Quote from: RamSense on April 21, 2022, 06:53:32 PM
When you configure that device with a static IP, then add the DNS you like in the "DNS servers" field. I have not tried that myself, as I use AdGuard Home for all devices / DNS.

I also use AdGuard Home but want to exclude a VLAN from being redirected, so that it uses the DNS I have set up in the DHCP for the VLAN interface; is this possible? I haven't been able to figure out a way to exclude my VLAN from AdGuard.

Josh

After hours of testing this, I can get my Chromecast to have the correct DNS and all of that; I can fool the Chromecast with the directions above, or at least I think I am. But certain apps like Disney, HBO Max and Hulu just won't work on the Chromecast. On my phone and computer it is no problem.
I believe there is something going on with the apps themselves, or I am not doing something right. I even went as far as changing my DNS in AdGuard Home to my VPN's, and it does work, but all these apps are still detecting a VPN.

Hopefully I am doing something wrong here?

February 16, 2023, 01:47:10 AM #58 Last Edit: February 16, 2023, 09:44:18 AM by gspannu
Quote from: abulafia on September 11, 2021, 09:45:23 PM
Redirecting DNS to 127.0.0.1 seems to fail for me:

Whereas a redirect to the relevant LAN/VLAN's gateway (e.g. 192.168.1.1:53) works, a redirect to 127.0.0.1:53 does not:
Quote
nslookup www.ft.com ns2.google.com.
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  216.239.34.10

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Zeitüberschreitung bei Anforderung an UnKnown.

The DNS request shows up in my (adguard home) logs, but apparently the response to my client is faulty.

If redirecting to 192.168.1.1, the redirect works and the client "does not notice":
Quote
nslookup www.ft.com ns2.google.com.
Server:  ns2.google.com
Address:  216.239.34.10

Nicht autorisierende Antwort:
Name:    ft2.map.fastly.net
Addresses:  151.101.2.209
          151.101.66.209
          151.101.130.209
          151.101.194.209
Aliases:  www.ft.com

What could be the reason?

Redirecting to 127.0.0.1 would be favourable as I could apply it globally to all local LAN/VLAN/VPN interfaces, whereas redirecting to a gateway address would require individual rules for each interface (bleh!).

Quote from: TarrasQ on November 20, 2021, 03:32:33 AM
Quote from: abulafia on September 16, 2021, 06:42:14 PM
Thanks, but that's not it, the option is unchecked.

Probably more of a firewall issue I guess?

Did you ever solve this issue?

Figured out a way to solve this issue.
You can now safely use 127.0.0.1 in your NAT rule, instead of specifying the interface address (192.168.1.1 and other VLAN addresses).

The culprit here is AdGuardHome, as the 127.0.0.1 setting works fine when using Unbound instead of AGH.

Steps to FIX:
S1) Go to the AdGuardHome web page and navigate to the 'Setup Guide' page
S2) Note down all the IP addresses (you can ignore the https, tls, quic addresses if any)

S3) Stop AdGuardHome service
S4) Edit the AdGuardHome.yaml file manually (make a backup !)
- file should be here... /usr/local/AdGuardHome/AdGuardHome.yaml
S5) Find the bind_hosts: line in the file
S6) Remove the 0.0.0.0 and replace it with all the IP addresses you wish to listen on
e.g.
bind_hosts:
- aaa.xxx.yyy.zzz
- 127.0.0.1
- ::1
- fe80::1%lo0
- 192.168.1.1
- 192.168.10.1
- 192.168.60.1
- 10.0.0.1

S7) Save the file
S8) Enable AdGuardHome service again.
S9) Go to the AdGuardHome web page and navigate to the 'Setup Guide' page
S10) Compare these with Step 2 - they should be the same as before...

All set...

You can now change your NAT rules to 127.0.0.1 instead of 192.168.1.1
:)
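As an added check (not from the post above or from AdGuard Home), a Python script that reads the bind_hosts list out of an AdGuardHome.yaml and reports what step S6 still needs: a wildcard listener left in, or 127.0.0.1 or an interface address missing. The YAML snippets and the interface addresses are constructed samples.

```python
# Constructed sample of the dns section before the fix: AdGuard Home's default wildcard listener.
AGH_YAML_BEFORE = """\
dns:
  bind_hosts:
    - 0.0.0.0
  port: 53
"""
# Constructed sample after step S6: explicit loopback and interface addresses instead of 0.0.0.0.
AGH_YAML_AFTER = """\
dns:
  bind_hosts:
    - 127.0.0.1
    - ::1
    - fe80::1%lo0
    - 192.168.1.1
    - 192.168.10.1
  port: 53
"""
# Interface addresses noted in step S2 (constructed values).
INTERFACE_ADDRS = ["192.168.1.1", "192.168.10.1"]
WILDCARDS = {"0.0.0.0", "::"}

def parse_bind_hosts(text):
    """Pull the bind_hosts items out of the file; a minimal reader for this one key, not a YAML parser."""
    hosts, in_list = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "bind_hosts:":
            in_list = True
        elif in_list and line.startswith("- "):
            hosts.append(line[2:].strip())
        elif in_list and line:          # first non-item line ends the list
            break
    return hosts

def check_bind_hosts(hosts, interface_addrs):
    """Return the problems found; an empty list means the listener set matches the post's fix."""
    problems = []
    if any(h in WILDCARDS for h in hosts):
        problems.append("wildcard listener still present; replace it with explicit addresses (step S6)")
    if "127.0.0.1" not in hosts:
        problems.append("127.0.0.1 missing; the NAT redirect to 127.0.0.1 has nothing to hit")
    for a in interface_addrs:
        if a not in hosts:
            problems.append(f"interface address {a} missing from bind_hosts")
    return problems

print(check_bind_hosts(parse_bind_hosts(AGH_YAML_AFTER), INTERFACE_ADDRS) or "OK")
```

Run it against the real file (/usr/local/AdGuardHome/AdGuardHome.yaml per the post) by reading that file into the text argument instead of the constructed sample.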
