HOWTO - Redirect all DNS Requests to Opnsense

Started by Cypher100, July 26, 2018, 03:16:37 AM

I don't have a "Default allow LAN to any" rule. Do I need it? If so, where can I find instructions? TIA

January 02, 2026, 07:53:13 PM #121 Last Edit: January 07, 2026, 10:47:43 PM by yourfriendarmando
Also, in case it hasn't been reiterated, you might want to additionally prevent devices like Android and iOS from escaping your DNS and attempting DNS over HTTP.

I recommend using a Floating rule, connected to a URL alias to v4/v6 lists, to keep those devices in check:

https://github.com/crypt0rr/public-doh-servers
https://github.com/oneoffdallas/dohservers/tree/master
https://github.com/dibdot/DoH-IP-blocklists/tree/master

Use a Firewall group to restrict your NAT and the rule above to local interfaces, so as not to interfere with the firewall's ability to access DNS resources.

Here is also an older post on the matter:
https://forum.opnsense.org/index.php?topic=33931.0

Watch your Apple users start to hate you haha.

Hi, the best option for redirecting DNS is to use rdr on the same interface.

rdr pass in quick on $if_lan proto { udp tcp } from any to any port domain -> lo0 port domain

I use it on OpenBSD

pass in quick on $if_lan proto { udp tcp } from any to any port domain rdr-to lo0 port domain
** ¯\_(ツ)_/¯ **  C'est la vie  ** ¯\_(ツ)_/¯ **
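Added example (not code from the thread or from OPNsense): the DoH-blocking post above relies on a URL alias built from the linked IP lists, and the rdr post relies on a pf rule that applies only to traffic arriving on the LAN interface. The script below shows what the merged alias content looks like and how a client destination is matched against it. The two list bodies are constructed samples in the "one address or CIDR per line, # comments" layout those GitHub lists use (the real files are larger and change over time); the table name doh_servers and the file path /usr/local/etc/doh_servers.txt are assumptions for illustration. OPNsense fetches and merges URL aliases itself; this is only meant to make the mechanics visible.

```python
"""
Merge DoH server IP lists into a deduplicated pf table and check addresses
against it.  Added example; the list contents below are CONSTRUCTED samples,
not the real lists from the linked repositories.
"""
import ipaddress
from typing import Iterable, List, Tuple

# Constructed sample list contents (not real data): comments, blank lines,
# duplicates across lists, a CIDR block, one IPv6 entry and a malformed line.
SAMPLE_LIST_A = """\
# DoH resolvers (constructed sample)
1.1.1.1
1.0.0.1
9.9.9.9
2606:4700:4700::1111

8.8.8.8
"""

SAMPLE_LIST_B = """\
# second constructed sample, overlaps with the first
8.8.8.8
8.8.4.4
45.90.28.0/24   # a provider range
not-an-address
"""


def parse_list(text: str):
    """Yield ip_network objects from list text; skip comments, blanks and junk."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            yield ipaddress.ip_network(line, strict=False)
        except ValueError:
            # A malformed entry is dropped rather than aborting the whole table;
            # a URL alias that fails to load would leave the block rule empty.
            continue


def merge_lists(texts: Iterable[str]) -> Tuple[List, List]:
    """Merge several lists into deduplicated, collapsed v4 and v6 network lists."""
    v4, v6 = [], []
    for text in texts:
        for net in parse_list(text):
            (v4 if net.version == 4 else v6).append(net)
    # collapse_addresses removes duplicates and merges adjacent/overlapping ranges
    return (sorted(ipaddress.collapse_addresses(v4)),
            sorted(ipaddress.collapse_addresses(v6)))


def render_table_file(v4: List, v6: List) -> str:
    """One entry per line: the format a pf 'table ... file' and an OPNsense alias accept."""
    lines = []
    for net in [*v4, *v6]:
        # Single hosts are written without the /32 or /128 suffix for readability.
        if net.prefixlen == net.max_prefixlen:
            lines.append(str(net.network_address))
        else:
            lines.append(str(net))
    return "\n".join(lines) + "\n"


def render_pf_rules(table: str = "doh_servers",
                    table_file: str = "/usr/local/etc/doh_servers.txt",
                    lan_if: str = "$if_lan") -> str:
    """Illustrative pf fragment (assumed names/paths) that uses the generated table.

    The rule matches packets entering on the LAN interface only, so the
    firewall's own outbound DNS/DoH traffic, which leaves via WAN, is untouched.
    """
    return (
        f'table <{table}> persist file "{table_file}"\n'
        f"# Drop direct DoH (TCP 443) from LAN clients to known resolver IPs.\n"
        f"block drop in quick on {lan_if} proto tcp from any to <{table}> port 443\n"
    )


def is_blocked(ip: str, v4: List, v6: List) -> bool:
    """Would a client packet to this destination hit the block rule?"""
    addr = ipaddress.ip_address(ip)
    nets = v4 if addr.version == 4 else v6
    return any(addr in net for net in nets)


if __name__ == "__main__":
    v4_nets, v6_nets = merge_lists([SAMPLE_LIST_A, SAMPLE_LIST_B])
    print(render_table_file(v4_nets, v6_nets))
    print(render_pf_rules())
    for dst in ("45.90.28.77", "2606:4700:4700::1111", "10.0.0.53"):
        print(dst, "blocked" if is_blocked(dst, v4_nets, v6_nets) else "allowed")
```

Note that the generated rule blocks only the listed resolver addresses on TCP 443; a client whose DoH provider is not in the lists still escapes, which is why the post recommends combining several lists and keeping the alias refreshed.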