HOWTO - Redirect all DNS Requests to Opnsense

Started by Cypher100, July 26, 2018, 03:16:37 AM

Can someone please clarify if the 'source port range' must be set on DNS or any and why?

TIA.

Source port range for DNS lookups is "any". A client may pick any random port, usually one >= 1024.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Would it also be advised to create a block rule for port 53 DNS when using DoT, or is enabling the redirect rule enough?

I did a redirect, just in case there's some badly configured device on the network with static DNS server IP.

November 02, 2024, 12:45:31 PM #109 Last Edit: November 02, 2024, 01:17:10 PM by Lakkiada
The source port is randomly selected by the client, leave as any. Theoretically, the redirect rule "should" catch everything. I, however, also have block rules for port 53, 853, 5353 and 9953 - just in case - Zero Trust. Do be sure the redirect rule is above the block rules.

I also block DNS on the WAN if source is !WAN address on port 853 (also block all other 53,853,5353,9953). This effectively limits all DNS to my selected DNS over TLS servers.

How do I redirect ipv6 dns queries? Redirecting it to ::1?


Quote from: sanji on January 11, 2021, 10:05:42 PM
I tried the different methods from this thread to redirect everything to my pihole with cloudflare upstream dns.

When I change the DNS server of my computer to 8.8.8.8 and go to https://www.dnsleaktest.com/ and start a test, it then shows a bunch of google servers, so it doesn't seem to work. Or is my understanding wrong?

In another thread (https://forum.opnsense.org/index.php?topic=15472.0) it is mentioned to create an outbound NAT translation. I haven't read that anywhere else. So is this needed?

Wondering this same question. Followed the guide, but when I change my DNS server on my iPhone to 8.8.8.8 and run a dnsleaktest I can see the Google servers where I had expected my local Unbound service?

What does your server use in terms of DNS protocol? HTTPS, QUIC, TLS...?

If it's using DNS over HTTPS, for example, you're going to have to block 8.8.8.8:443 (both UDP and TCP).

If you want to go down that route, there are lists of public DNS over HTTPS/TLS providers, such as https://public-dns.info/nameservers.txt, which you then need to configure as FW aliases.

For DNS over TLS or QUIC it's simpler, you simply block anything to port 853 or 8853 (no point in redirecting, the certificate would not match).

Quote from: vicking on November 05, 2024, 10:33:07 AM
Quote from: sanji on January 11, 2021, 10:05:42 PM
I tried the different methods from this thread to redirect everything to my pihole with cloudflare upstream dns.

When I change the DNS server of my computer to 8.8.8.8 and go to https://www.dnsleaktest.com/ and start a test, it then shows a bunch of google servers, so it doesn't seem to work. Or is my understanding wrong?

In another thread (https://forum.opnsense.org/index.php?topic=15472.0) it is mentioned to create an outbound NAT translation. I haven't read that anywhere else. So is this needed?

Wondering this same question. Followed the guide, but when I change my DNS server on my iPhone to 8.8.8.8 and run a dnsleaktest I can see the Google servers where I had expected my local Unbound service?

All working now, after setting it up again! Even when using 8.8.8.8 I can see the DNS used is my local DNS service! :)
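A local way to confirm what the posters above checked with dnsleaktest, added here as an example and not code from the thread or from OPNsense. The script asks a resolver the client is not supposed to reach (8.8.8.8 unless you pass another address) for a name only the firewall's Unbound can answer, and reports who answered. It assumes a host override `redirect-check.home.arpa -> 192.0.2.1` on the firewall (both the name and the TEST-NET-1 address are constructed for the example) and only exercises plain UDP/53; DoT on 853 and DoH on 443 are not covered, which is exactly why the block rules discussed in this thread are still needed.

```python
"""Check whether a DNS port-forward really catches queries sent to another resolver.

Added example for this thread (not OPNsense code). Assumptions, constructed here:
  - Unbound on the firewall has a host override redirect-check.home.arpa -> 192.0.2.1
  - only plain UDP/53 is tested; DoT (853) and DoH (443) are not exercised
"""
import random
import socket
import struct
import sys

CHECK_NAME = "redirect-check.home.arpa"   # assumed host override on the firewall
CHECK_IP = "192.0.2.1"                     # its answer (TEST-NET-1, constructed)


def encode_name(name: str) -> bytes:
    """Wire-format a DNS name: length-prefixed labels plus a zero terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("!B", len(raw)) + raw
    return out + b"\x00"


def build_query(name: str, txid: int, qtype: int = 1) -> bytes:
    """One-question query, RD set, class IN, QTYPE A by default."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)


def read_name(data: bytes, off: int) -> tuple:
    """Decode a possibly compressed name; returns (name, offset after the name)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:              # RFC 1035 compression pointer
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(data[off:off + length].decode("ascii"))
        off += length


def parse_response(data: bytes) -> dict:
    """Return id, rcode and the answer section as (name, type, value) tuples."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):                        # skip the echoed question(s)
        _, off = read_name(data, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        value = socket.inet_ntoa(rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, value))
    return {"id": txid, "rcode": flags & 0x000F, "answers": answers}


def classify(resp: dict, expected_ip: str = CHECK_IP) -> str:
    """'redirected' if our local override came back; otherwise the query leaked."""
    if any(t == 1 and v == expected_ip for _, t, v in resp["answers"]):
        return "redirected"
    if resp["rcode"] == 3:                     # NXDOMAIN: a real public resolver answered
        return "leaked-nxdomain"
    return "leaked"


def sample_response(txid: int, rcode: int, answer_ip=None) -> bytes:
    """Constructed reply packet so the parser can be exercised without a network."""
    pkt = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, 1 if answer_ip else 0, 0, 0)
    pkt += encode_name(CHECK_NAME) + struct.pack("!HH", 1, 1)
    if answer_ip:                              # owner name = pointer to the question at offset 12
        pkt += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(answer_ip)
    return pkt


def check_redirect(resolver: str, timeout: float = 2.0) -> str:
    """Send the probe over UDP/53 to `resolver` and classify what came back."""
    txid = random.randrange(0x10000)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(CHECK_NAME, txid), (resolver, 53))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return "no-answer"                     # a block rule, not a redirect
    finally:
        sock.close()
    resp = parse_response(data)
    return classify(resp) if resp["id"] == txid else "bad-txid"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "8.8.8.8"
    print(f"{target}: {check_redirect(target)}")
```

Run it from a client on the LAN with `python3 dnscheck.py 8.8.8.8`: "redirected" means Unbound answered despite the packet being addressed to Google, "leaked-nxdomain" means a real public resolver got the query (it has no idea what the override name is), and "no-answer" usually means a block rule sits above the redirect.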

From the firewall's perspective, 127.0.0.1 is a valid address, but it seems that pf doesn't translate traffic from an interface address to 127.0.0.1, at least in the OPNsense implementation.

Solution:

1. Create an alias containing the internal IP addresses of the firewall:

   Enabled: checked.
   Name: Internal_IP_Addresses
   Type: Hosts
   Content: 192.168.1.1
            192.168.10.1
            etc.

2. Use the alias in the NAT > Port Forward rule:

   Interface: Check the internal interfaces you want to apply the rule to.
   TCP/IP Version: IPv4
   Protocol: TCP/UDP
   Destination / Invert: checked
   Destination: This Firewall
   Destination port range: DNS (53)
   Redirect target IP: Internal_IP_Addresses (as an Alias)
   Redirect target port: DNS (53)


I don't know if this is by design, comes from pf, or is an OPNsense feature or issue. If someone could clarify this point, it would be great to know.

Regards.

September 04, 2025, 09:24:14 PM #116 Last Edit: September 04, 2025, 09:30:21 PM by meyergru
I just tried to do this on my own OPNsense; however, I noticed two problems:

1. I use an nmap scan like:

nmap -sn -n --reason -PE -PS135,445,3389,22,80,443,8888 -PU53 --min-parallelism 100 --max-rtt-timeout 100ms --host-timeout 5s -T4 -oX - $network

to detect live systems on my own VLANs and on some site-2-site networks connected over VPN.

Because nmap checks whether UDP port 53 is open on the targets, it will issue DNS requests that are not targeted at the LAN address of OPNsense. Those will then be redirected to OPNsense by the given NAT port forwarding rule:

Interface: LAN
Protocol: TCP/UDP
Destination / Invert: Checked
Destination: LAN address
Destination Port: DNS
Redirect target IP: 127.0.0.1
Redirect target port: DNS
NAT reflection: Disable

This will result in a positive answer - essentially, all hosts will be flagged as being "up".

In order to fix this, one should probably use an RFC1918 alias and use !RFC1918 for the destination. In my case, I grouped all the local VLANs together, so the NAT rule becomes:

Interface: LOCAL_VLANS (alias containing all local VLANs)
Protocol: TCP/UDP
Destination / Invert: Checked
Destination: RFC1918 (alias containing all RFC1918 networks)
Destination Port: DNS
Redirect target IP: 127.0.0.1
Redirect target port: DNS
NAT reflection: Disable

You could get away by using !"LOCAL_VLANs net" as destination, but this will exclude the site-2-site subnets, so !RFC1918 is safer.


2. I wanted the same functionality for IPv6 (this was once discussed without a solution here), for which you have to create a second NAT rule that looks like this:

Interface: LOCAL_VLANS (alias containing all local VLANs)
Protocol: TCP/UDP
Destination / Invert: Checked
Destination: This Firewall
Destination Port: DNS
Redirect target IP: LAN_IPv6 (alias containing a dynamic IPv6 host with the EUI-64 of any VLAN interface that listens to DNS)
Redirect target port: DNS
NAT reflection: Disable

Note that the LAN_IPv6 alias must contain a routable IPv6 address for this to work, so ::1 or fe80::xxxx are out of the question.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+
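The three "Destination / Invert" choices from the post above (!LAN address, !"LOCAL_VLANS net", !RFC1918) behave differently for the same packet, and the nmap -PU53 false positive is easiest to see side by side. The following model is an added example, not OPNsense or pf code: it applies the negated-destination logic of each rule variant to a few packets. All addresses are constructed for the example (LOCAL_VLANS 192.168.1.0/24 and 192.168.10.0/24 with the firewall at .1 on each, a site-to-site subnet 10.50.0.0/24 over VPN, and the usual RFC1918 ranges); it ignores everything a real pf ruleset also does (state, reflection, the generated pass rule).

```python
"""Which DNS queries does the port-forward catch, depending on what
"Destination / Invert" negates? Added model for this thread, not pf/OPNsense code.

Constructed topology:
  LOCAL_VLANS   192.168.1.0/24 (firewall .1) and 192.168.10.0/24 (firewall .1)
  site-to-site  10.50.0.0/24, reached over VPN, not a local interface
  RFC1918       10/8, 172.16/12, 192.168/16
"""
import ipaddress
from dataclasses import dataclass

Net = ipaddress.ip_network
Addr = ipaddress.ip_address

LAN = Net("192.168.1.0/24")
LOCAL_VLANS = [LAN, Net("192.168.10.0/24")]
FIREWALL_ADDRS = [Net("192.168.1.1/32"), Net("192.168.10.1/32")]
SITE_TO_SITE = [Net("10.50.0.0/24")]
RFC1918 = [Net("10.0.0.0/8"), Net("172.16.0.0/12"), Net("192.168.0.0/16")]


@dataclass(frozen=True)
class RedirectRule:
    """A NAT port-forward with 'Destination / Invert' checked."""
    label: str
    interfaces: list          # networks the rule is applied on (ingress side)
    not_destinations: list    # the negated destination: redirect only if dst is NOT in any
    dst_port: int = 53

    def matches(self, src: str, dst: str, dport: int = 53) -> bool:
        if dport != self.dst_port:
            return False
        if not any(Addr(src) in n for n in self.interfaces):
            return False
        return not any(Addr(dst) in n for n in self.not_destinations)


RULES = {
    # first rule in the post: Interface LAN, Destination !LAN address
    "!LAN address": RedirectRule("!LAN address", [LAN], [FIREWALL_ADDRS[0]]),
    # the alternative the post mentions: !"LOCAL_VLANS net"
    "!LOCAL_VLANS net": RedirectRule("!LOCAL_VLANS net", LOCAL_VLANS, LOCAL_VLANS),
    # the fix the post settles on: !RFC1918 on all local VLANs
    "!RFC1918": RedirectRule("!RFC1918", LOCAL_VLANS, RFC1918),
}


def fate(rule_key: str, src: str, dst: str, dport: int = 53) -> str:
    """'redirected' (answered by Unbound on 127.0.0.1) or 'untouched' (goes on to dst)."""
    return "redirected" if RULES[rule_key].matches(src, dst, dport) else "untouched"


def scan_false_positives(rule_key: str, scanner: str, targets: list) -> list:
    """Targets whose nmap -PU53 probe the firewall would answer instead of the target,
    so nmap flags them as up whether or not anything is there."""
    return [t for t in targets if RULES[rule_key].matches(scanner, t, 53)]


def compare(src: str, dst: str) -> dict:
    """The same packet under each rule variant, for a side-by-side view."""
    return {k: fate(k, src, dst) for k in RULES}


if __name__ == "__main__":
    for dst in ["192.168.1.1", "192.168.1.50", "192.168.1.53", "10.50.0.7", "8.8.8.8"]:
        print(f"{dst:>14}  {compare('192.168.1.20', dst)}")
```

Two things the table makes visible that the rule fields alone do not: with !RFC1918, a scan probe to 10.50.0.7 across the VPN is left alone (with !"LOCAL_VLANS net" it is redirected and the host looks up), but so is a query to a forgotten internal resolver such as 192.168.1.53, so that trade-off is deliberate; and none of the variants touch port 853, which is why the separate block rules for DoT mentioned earlier in the thread are still required.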

TL;DR

Traffic to 127.0.0.1 can be redirected.
Redirect (DNS/NTP/...) to 127.0.0.1 as usual.
Do not forget to put "PASS" rules for the services you want to access (DNS, NTP...)


Explained and solved:

I already have an alias for RFC1918 (plus some other reserved networks, like 224., 240., etc.). I use it for egress traffic from internal networks to the internet (one rule per interface).

Trying different approaches to this question, I put your configuration in a NAT rule and it didn't work. Then I changed the DNS server on a client, pointing it to a public external DNS. Then the rule caught the queries and redirected them to Unbound (!). So yes, 127.0.0.1 can receive redirected traffic.

Then, I created a floating rule to allow DNS to "This firewall" and now, everything works as intended.

The wrong point was that, in the process of re-writing some rules, I changed the default "allow any" rule for outbound traffic to the more restrictive "!RFC1918", but I forgot to create rules for the services requiring them. Redirecting to the "Internal_IP_Addresses" alias creates an associated fw rule that permits DNS to those addresses, so the clients with the fw as DNS servers were allowed by that rule.

It was a(nother) Layer-8 problem, after all.