HOWTO - Redirect all DNS Requests to Opnsense

Started by Cypher100, July 26, 2018, 03:16:37 AM

I don't have a "Default allow LAN to any rule". do I need it? If so, where can I find instructions? TIA

January 02, 2026, 07:53:13 PM #121 Last Edit: January 07, 2026, 10:47:43 PM by yourfriendarmando
Also, in case it hasn't been reiterated, you might want to additionally prevent devices like Android and iOS from escaping your DNS and attempting DNS over HTTP.

I recommend using a Floating rule, connected to a URL alias to v4/v6 lists, to keep those devices in check:

https://github.com/crypt0rr/public-doh-servers
https://github.com/oneoffdallas/dohservers/tree/master
https://github.com/dibdot/DoH-IP-blocklists/tree/master

Use a Firewall group to restrict your NAT and the rule above to local interfaces, so that they do not interfere with the firewall's own ability to reach DNS resources.

Here is also an older post on the matter:
https://forum.opnsense.org/index.php?topic=33931.0

Watch your Apple users start to hate you haha.

Hi, the best option for redirecting DNS is to use rdr on the same interface.

rdr pass in quick on $if_lan proto { udp tcp } from any to any port domain -> lo0 port domain

I use it on OpenBSD

pass in quick on $if_lan proto { udp tcp } from any to any port domain rdr-to lo0 port domain
** ¯\_(ツ)_/¯ **  C'est la vie  ** ¯\_(ツ)_/¯ **

February 08, 2026, 12:18:39 AM #123 Last Edit: February 08, 2026, 12:20:51 AM by nero355
Because some of us don't use OPNsense for DNS at all and have a separate Raspberry Pi or Intel Atom NUC running Pi-Hole, I thought it might be useful to have the right settings available in this topic:

- 10.0.0.0/24 subnet
- OPNsense Interface for it is called ThuisLAN
- Its Gateway IP Address is 10.0.0.138
- Pi-Hole DNS IP Address is 10.0.0.139

Please note the following :
My Pi-Hole uses a Management VLAN for its Internet connectivity, so any rules related to that are not shown here because they are simply not needed!!

NAT Outbound Rule Settings :


NAT Outbound Rules Overview :


NAT Port Forward Overview :


NAT Port Forward Settings :


Firewall Rules Overview :


The only thing I don't like but kind of also do like :

With this setup all the redirected DNS queries are shown in the Pi-Hole Query Log as done by the OPNsense gateway interface (10.0.0.138) instead of the device being naughty, but fixing that would require setting up a DMZ, for example (or any kind of dedicated, let's say, "Servers VLAN"), so ALL the traffic passes OPNsense instead of being partially local and partly from OPNsense like it is now.

On the other hand you can filter "Bad Traffic" from "Naughty clients" very easily by looking for the Gateway IP Address of your VLAN in the Pi-Hole Query Log :P

Most important thing is that IT WORKS! ^_^
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)
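The post above points out that with the NAT redirect in place, every query from a client that tried to bypass Pi-Hole shows up in the Pi-Hole query log with the OPNsense gateway address (10.0.0.138) as the client. The script below is an added example, not code from the forum post or from Pi-Hole, that turns that observation into a check: it parses Pi-Hole's dnsmasq-style query log (the `query[TYPE] name from client` lines in `/var/log/pihole/pihole.log`), separates queries that clients sent to Pi-Hole directly from those that arrived via the redirect, and reports which names the "naughty" clients were trying to resolve. The log lines are constructed sample data and the addresses are the ones from the post.

```python
"""Split a Pi-Hole query log into direct queries and NAT-redirected ones.

Added example (not from the forum post). Assumes Pi-Hole's dnsmasq-format
query log and the addresses from the post: OPNsense gateway 10.0.0.138,
Pi-Hole 10.0.0.139. The SAMPLE_LOG below is constructed test data.
"""
import re
from collections import Counter

GATEWAY_IP = "10.0.0.138"  # OPNsense ThuisLAN interface (from the post)

# dnsmasq query line: "<Mon dd HH:MM:SS> dnsmasq[pid]: query[TYPE] name from client"
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)$"
)

# Constructed sample: two clients asking Pi-Hole directly, one client whose
# queries were redirected by OPNsense (so they appear to come from the gateway),
# plus a "forwarded" line and a query from Pi-Hole itself as noise.
SAMPLE_LOG = """\
Feb  8 00:18:39 dnsmasq[612]: query[A] forum.opnsense.org from 10.0.0.21
Feb  8 00:18:39 dnsmasq[612]: forwarded forum.opnsense.org to 127.0.0.1#5335
Feb  8 00:18:40 dnsmasq[612]: query[AAAA] forum.opnsense.org from 10.0.0.21
Feb  8 00:18:41 dnsmasq[612]: query[A] time.android.com from 10.0.0.138
Feb  8 00:18:41 dnsmasq[612]: query[A] dns.google from 10.0.0.138
Feb  8 00:18:42 dnsmasq[612]: query[A] apple.com from 10.0.0.33
Feb  8 00:18:43 dnsmasq[612]: query[HTTPS] dns.google from 10.0.0.138
Feb  8 00:18:44 dnsmasq[612]: query[A] pi.hole from 10.0.0.139
"""


def parse_queries(text):
    """Yield (qtype, name, client) for every query line; skip everything else."""
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            yield m.group("qtype"), m.group("name"), m.group("client")


def split_redirected(text, gateway=GATEWAY_IP):
    """Return (direct, redirected).

    direct:     Counter of queries per client IP for devices that used Pi-Hole
                as configured.
    redirected: Counter of queried names that arrived from the gateway IP, i.e.
                a device tried some other resolver and the OPNsense port forward
                pushed the query to Pi-Hole instead.
    """
    direct = Counter()
    redirected = Counter()
    for _qtype, name, client in parse_queries(text):
        if client == gateway:
            redirected[name] += 1
        else:
            direct[client] += 1
    return direct, redirected


def redirect_ratio(text, gateway=GATEWAY_IP):
    """Fraction of all queries that came in through the redirect (0.0..1.0)."""
    direct, redirected = split_redirected(text, gateway)
    total = sum(direct.values()) + sum(redirected.values())
    return sum(redirected.values()) / total if total else 0.0


if __name__ == "__main__":
    direct, redirected = split_redirected(SAMPLE_LOG)
    print("Direct queries per client:")
    for client, n in sorted(direct.items()):
        print(f"  {client:<15} {n}")
    print(f"Redirected via {GATEWAY_IP} (client tried to bypass Pi-Hole):")
    for name, n in redirected.most_common():
        print(f"  {name:<25} {n}")
    print(f"Redirect share: {redirect_ratio(SAMPLE_LOG):.0%}")
```

As the post says, the log alone cannot tell you which device was bypassing Pi-Hole, because the redirect rewrites the source to the gateway address; to attribute a redirected query you have to match its timestamp against the OPNsense firewall live log or NAT state table for the port-forward rule. The names in the redirected bucket are still useful on their own: a run of `dns.google` or `HTTPS` lookups for a resolver hostname is a strong hint that a device is trying to set up DoH.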