HOWTO - Redirect all DNS Requests to Opnsense

Started by Cypher100, July 26, 2018, 03:16:37 AM

Can someone please clarify if the 'source port range' must be set on DNS or any and why?

Tia.

Source port range for DNS lookups is "any". A client may pick any random port, usually one >= 1024.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Would it also be advised to create a block rule for port 53 DNS when using DoT, or is enabling the redirect rule enough?

I did a redirect, just in case there's some badly configured device on the network with static DNS server IP.

November 02, 2024, 12:45:31 PM #109 Last Edit: November 02, 2024, 01:17:10 PM by Lakkiada
The source port is randomly selected by the client, leave as any. Theoretically, the redirect rule "should" catch everything. I, however, also have block rules for port 53, 853, 5353 and 9953 - just in case - Zero Trust. Do be sure the redirect rule is above the block rules.

I also block DNS on the WAN if source is !WAN address on port 853 (also block all other 53,853,5353,9953). This effectively limits all DNS to my selected DNS over TLS servers.

How do I redirect ipv6 dns queries? Redirecting it to ::1?


Quote from: sanji on January 11, 2021, 10:05:42 PM
I tried the different methods from this thread to redirect everything to my pihole with cloudflare upstream dns.

When I change the DNS server of my computer to 8.8.8.8 and go to https://www.dnsleaktest.com/ and start a test, it then shows a bunch of google servers, so it doesn't seem to work. Or is my understanding wrong?

In another thread (https://forum.opnsense.org/index.php?topic=15472.0) it is mentioned to create an outbound NAT translation. I haven't read that anywhere else. So is this needed?

Wondering this same question. Followed the guide, but when I change my DNS server on my iPhone to 8.8.8.8 and run a dnsleaktest I can see the Google servers where I had expected my local unbound service?

What does your server use in terms of DNS protocol? HTTPS, QUIC, TLS...?

If it's using DNS over HTTPS for example, you're going to have to block 8.8.8.8:443 (both UDP and TCP).

If you want to go down that route, there are lists of public DNS over HTTPS/TLS providers, such as https://public-dns.info/nameservers.txt, which you then need to configure as FW aliases.

For DNS over TLS or QUIC it's simpler, you simply block anything to port 853 or 8853 (no point in redirecting, the certificate would not match).

Quote from: vicking on November 05, 2024, 10:33:07 AM
Quote from: sanji on January 11, 2021, 10:05:42 PM
I tried the different methods from this thread to redirect everything to my pihole with cloudflare upstream dns.

When I change the DNS server of my computer to 8.8.8.8 and go to https://www.dnsleaktest.com/ and start a test, it then shows a bunch of google servers, so it doesn't seem to work. Or is my understanding wrong?

In another thread (https://forum.opnsense.org/index.php?topic=15472.0) it is mentioned to create an outbound NAT translation. I haven't read that anywhere else. So is this needed?

Wondering this same question. Followed the guide, but when I change my DNS server on my iPhone to 8.8.8.8 and run a dnsleaktest I can see the Google servers where I had expected my local unbound service?

All working now... after setting it up again! Even when using 8.8.8.8 I can see the DNS used is my local DNS service! :)

From the firewall perspective, 127.0.0.1 is a valid address, but it seems that pf doesn't translate traffic from an interface address to 127.0.0.1, at least in the OPNsense implementation.

Solution:

1. Create an alias containing the internal IP addresses of the firewall:

   Enabled: checked.
   Name: Internal_IP_Addresses
   Type: Hosts
   Content: 192.168.1.1
            192.168.10.1
            etc.

2. Use the alias in the NAT > Port Forward rule:

   Interface: Check the internal interfaces you want to apply the rule to.
   TCP/IP Version: IPv4
   Protocol: TCP/UDP
   Destination / Invert: checked
   Destination: This Firewall
   Destination port range: DNS (53)
   Redirect target IP: Internal_IP_Addresses (as an Alias)
   Redirect target port: DNS (53)

I don't know if this is by design, comes from pf, or is an OPNsense feature or issue. If someone could clarify this point, it would be great to know.

Regards.
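The rule set discussed in this thread (the port-forward with "Destination / Invert: This Firewall" above the block rules for 53/853/5353/8853/9953, plus a block on 443 to known DoH resolvers) as a small first-match model, added here as an illustration and not code from OPNsense or from any poster. It is a simplified model of the advice given above, not pf's real NAT-then-filter pipeline; the addresses, the alias contents and the DoH provider list are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed stand-ins for the thread's aliases (not taken from any real config).
INTERNAL_IP_ADDRESSES = {"192.168.1.1", "192.168.10.1"}   # "This Firewall" on the LANs
DNS_BLOCK_PORTS = {53, 853, 5353, 8853, 9953}             # plain DNS, DoT, mDNS, DoQ, ...
DOH_PROVIDERS = {"8.8.8.8", "8.8.4.4"}                    # hypothetical alias of DoH resolvers


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str      # "tcp" or "udp"
    iface_ip: str   # firewall address on the interface the packet arrived on


def redirect_dns(pkt):
    """NAT > Port Forward: destination NOT 'This Firewall', port 53 TCP/UDP,
    redirected to the firewall's own address on the ingress interface."""
    if pkt.dport == 53 and pkt.proto in ("tcp", "udp") and pkt.dst not in INTERNAL_IP_ADDRESSES:
        return ("redirect", pkt.iface_ip)
    return None


def block_dns_ports(pkt):
    """Block rule for the DNS-family ports to anything that is not the firewall."""
    if pkt.dport in DNS_BLOCK_PORTS and pkt.dst not in INTERNAL_IP_ADDRESSES:
        return ("block", None)
    return None


def block_doh(pkt):
    """DoH cannot be redirected (the certificate would not match), so 443 to
    known resolvers is blocked outright."""
    if pkt.dport == 443 and pkt.dst in DOH_PROVIDERS:
        return ("block", None)
    return None


def evaluate(pkt, rules):
    """First-match evaluation; unmatched traffic is assumed allowed by a LAN-to-any rule."""
    for rule in rules:
        verdict = rule(pkt)
        if verdict is not None:
            return verdict
    return ("pass", pkt.dst)


RECOMMENDED = [redirect_dns, block_dns_ports, block_doh]   # redirect above the blocks
WRONG_ORDER = [block_dns_ports, redirect_dns, block_doh]   # block first swallows port 53
```

Running a client query to 8.8.8.8:53 through `RECOMMENDED` yields a redirect to the LAN address, while `WRONG_ORDER` blocks it, which is the ordering mistake Lakkiada warns about.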