HOWTO - Redirect all DNS Requests to Opnsense

Started by Cypher100, July 26, 2018, 03:16:37 AM

I don't have a "Default allow LAN to any rule". Do I need it? If so, where can I find instructions? TIA

January 02, 2026, 07:53:13 PM #121 Last Edit: January 07, 2026, 10:47:43 PM by yourfriendarmando
Also, in case it hasn't been reiterated, you might want to additionally prevent devices like Android and iOS from escaping your DNS and attempting DNS over HTTP.

I recommend using a Floating rule, connected to a URL alias to v4/v6 lists, to keep those devices in check:

https://github.com/crypt0rr/public-doh-servers
https://github.com/oneoffdallas/dohservers/tree/master
https://github.com/dibdot/DoH-IP-blocklists/tree/master

Use a Firewall group to restrict your NAT and the rule above to local Interfaces and not interfere with the Firewall's ability to access DNS resources.

Here is also an older post on the matter:
https://forum.opnsense.org/index.php?topic=33931.0

Watch your Apple users start to hate you haha.
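An added example, not from this post or from the list projects linked above, showing how a defender can sanity-check such a v4/v6 list before feeding it to a URL alias: it parses one IP or CIDR per line, collapses overlapping prefixes, reports lines that are not addresses, and checks whether a given resolver IP falls inside the list. The sample list content is constructed from documentation address ranges, not real DoH server addresses.

```python
import ipaddress

# Constructed sample in the style of the linked blocklists (not real list content)
SAMPLE_LIST = """\
# DoH server addresses (constructed sample)
203.0.113.4
203.0.113.0/24
2001:db8::10
2001:db8::/64
not-an-address
203.0.113.4
"""

def parse_doh_list(text):
    """Parse a blocklist: one IP or CIDR per line, '#' comments, blank lines.
    Returns (v4_networks, v6_networks, rejected_lines); duplicates and prefixes
    already covered by a wider one are collapsed, and unparsable lines are
    reported so a broken alias source is noticed instead of silently shrinking."""
    v4, v6, rejected = [], [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            rejected.append(raw.strip())
            continue
        (v4 if net.version == 4 else v6).append(net)
    return (list(ipaddress.collapse_addresses(v4)),
            list(ipaddress.collapse_addresses(v6)), rejected)

def is_listed(ip, v4, v6):
    """True when `ip` is covered by one of the parsed networks of its family."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in (v4 if addr.version == 4 else v6))

def to_pf_table(name, nets):
    """Render the networks as a pf table definition (what an alias becomes on the box)."""
    return "table <%s> { %s }" % (name, ", ".join(str(n) for n in nets))

if __name__ == "__main__":
    v4, v6, rejected = parse_doh_list(SAMPLE_LIST)
    print(to_pf_table("doh_v4", v4))
    print(to_pf_table("doh_v6", v6))
    print("rejected:", rejected)
```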

Hi, the best option for redirecting DNS is to use rdr on the same interface.

rdr pass in quick on $if_lan proto { udp tcp } from any to any port domain -> lo0 port domain

I use it on OpenBSD

pass in quick on $if_lan proto { udp tcp } from any to any port domain rdr-to lo0 port domain
** ¯\_(ツ)_/¯ **  C'est la vie  ** ¯\_(ツ)_/¯ **

February 08, 2026, 12:18:39 AM #123 Last Edit: February 08, 2026, 12:20:51 AM by nero355
Because some of us don't use OPNsense for DNS at all and have a separate Raspberry Pi or Intel Atom NUC running Pi-Hole I thought it might be useful to have the right settings available in this topic:

- 10.0.0.0/24 subnet
- OPNsense Interface for it is called ThuisLAN
- Its Gateway IP Address is 10.0.0.138
- Pi-Hole DNS IP Address is 10.0.0.139

Please note the following:
My Pi-Hole uses a Management VLAN for its Internet connectivity so any rules related to that are not shown here because they are simply not needed !!

NAT Outbound Rule Settings :


NAT Outbound Rules Overview :


NAT Port Forward Overview :


NAT Port Forward Settings :


Firewall Rules Overview :


The only thing I don't like but kind of also do like :

With this setup all the Redirected DNS Queries are shown in the Pi-Hole Query Log as done by the OPNsense Gateway Interface (10.0.0.138) instead of the device being naughty, but fixing that would require setting up a DMZ for example (or any kind of dedicated let's say "Servers VLAN") so ALL the traffic passes OPNsense instead of being partially local and partly from OPNsense like it is now.

On the other hand you can filter "Bad Traffic" from "Naughty clients" very easily by looking for the Gateway IP Address of your VLAN in the Pi-Hole Query Log :P

Most important thing is that IT WORKS! ^_^
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)

With the rules GUI change in 26.1.1 - Can anyone provide an update to this guide?  There is no redirect options, DNS option in port, or NAT reflection options on the create rule page.  The migration tool did not convert the rules properly for me, they break all functionality and I had to reset them.

Quote from: nero355 on February 08, 2026, 12:18:39 AM
Because some of us don't use OPNsense for DNS at all and have a separate Raspberry Pi or Intel Atom NUC running Pi-Hole I thought it might be useful to have the right settings available in this topic:

- 10.0.0.0/24 subnet
- OPNsense Interface for it is called ThuisLAN
- Its Gateway IP Address is 10.0.0.138
- Pi-Hole DNS IP Address is 10.0.0.139

Please note the following:
My Pi-Hole uses a Management VLAN for its Internet connectivity so any rules related to that are not shown here because they are simply not needed !!

NAT Outbound Rule Settings :


NAT Outbound Rules Overview :


NAT Port Forward Overview :


NAT Port Forward Settings :


Firewall Rules Overview :


The only thing I don't like but kind of also do like :

With this setup all the Redirected DNS Queries are shown in the Pi-Hole Query Log as done by the OPNsense Gateway Interface (10.0.0.138) instead of the device being naughty, but fixing that would require setting up a DMZ for example (or any kind of dedicated let's say "Servers VLAN") so ALL the traffic passes OPNsense instead of being partially local and partly from OPNsense like it is now.

On the other hand you can filter "Bad Traffic" from "Naughty clients" very easily by looking for the Gateway IP Address of your VLAN in the Pi-Hole Query Log :P

Most important thing is that IT WORKS! ^_^

How would unbound on OPNsense fit in this scenario if one were to use it as upstream server?

Quote from: Tismofied on February 27, 2026, 05:26:53 PM
How would unbound on OPNsense fit in this scenario if one were to use it as upstream server?
The same as it does now for me but you enter the IP Address of OPNsense on the Default LAN network instead of 127.0.0.1:5335 in the Pi-Hole webGUI :)
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)

Quote from: rainydaynetwork on February 11, 2026, 01:02:29 AM
With the rules GUI change in 26.1.1 - Can anyone provide an update to this guide?  There is no redirect options, DNS option in port, or NAT reflection options on the create rule page.  The migration tool did not convert the rules properly for me, they break all functionality and I had to reset them.

An updated guide will definitely help new users like me. ;-)

Also, I have some questions (I'm on OPNsense ver.26.1.2):

1. What is the reason to use the Invert condition in the suggested rule:

Interface: LAN
Protocol: TCP/UDP
Destination / Invert: Checked
Destination: LAN address
Destination Port: DNS
Redirect target IP: 127.0.0.1
Redirect target port: DNS
NAT reflection: Disable

As I can accomplish the same by capturing DNS requests (port 53) to any destination, not only different from LAN_Address:

Interface: LAN
Protocol: TCP/UDP
Destination / Invert: Unchecked
Destination: Any
Destination Port: 53
Redirect target IP: 127.0.0.1
Redirect target port: 53
NAT reflection: [no such option, not used]

2. About the "Note: If you have multiple networks, you would have to make a rule for each network. Make sure unbound is listening on the other network interfaces too".

Maybe specific to ver. 26.x.x but in Firewall > NAT > Destination NAT now I can pick more than one interface to the NAT rule.
So, can I do that or need such rules to every Interface/VLAN I intend to set a DNS redirection?

Thank you.

Quote from: Gilgamesh on Today at 09:44:33 PM
1. What is the reason to use the Invert condition in the suggested rule:

Interface: LAN
Protocol: TCP/UDP
Destination / Invert: Checked
Destination: LAN address
Destination Port: DNS
Redirect target IP: 127.0.0.1
Redirect target port: DNS
NAT reflection: Disable

As I can accomplish the same by capturing DNS requests (port 53) to any destination, not only different from LAN_Address:

Interface: LAN
Protocol: TCP/UDP
Destination / Invert: Unchecked
Destination: Any
Destination Port: 53
Redirect target IP: 127.0.0.1
Redirect target port: 53
NAT reflection: [no such option, not used]
You only need to catch DNS traffic NOT going to your DNS Server IP (in this case OPNsense) and not ALL DNS traffic ;)

! or != is often used to say ISN'T in various programming/scripting languages.

Quote:
2. About the "Note: If you have multiple networks, you would have to make a rule for each network. Make sure unbound is listening on the other network interfaces too".

Maybe specific to ver. 26.x.x but in Firewall > NAT > Destination NAT now I can pick more than one interface to the NAT rule.
So, can I do that or need such rules to every Interface/VLAN I intend to set a DNS redirection?
You could create an Alias or maybe there is one already?
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)
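An added example, not code from anyone in this thread or from OPNsense, for verifying from a LAN client that the DNS redirect rules discussed above (the rdr rule and the inverted "not to LAN address" port forward) are actually in effect. It assumes a name that only your local resolver knows (for instance an Unbound host override, here the placeholder `test.home.lan`) and queries it both at the local resolver and at an external one (`8.8.8.8` is an assumed example); when the redirect works, the "external" reply carries the same local answer, because pf rewrites the reply so it appears to come from the external address. It uses only the standard library; no real traffic is sent by the test below, which feeds a constructed response to the parser.

```python
import random, socket, struct

def build_query(name, qtype=1):
    """Minimal DNS query: random id, RD set, one IN question. Returns (txid, packet)."""
    txid = random.randint(0, 0xFFFF)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return txid, header + qname + struct.pack("!HH", qtype, 1)

def skip_name(data, off):
    """Offset just past a domain name, handling compression pointers (RFC 1035 4.1.4)."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # pointer: two bytes and the name ends here
            return off + 2
        off += 1 + length

def parse_a_records(data, txid):
    """Return (rcode, [IPv4 strings]) from a response; rejects a mismatched id."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("DNS transaction id mismatch")
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4       # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(data, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return flags & 0xF, addrs

def resolve_via(name, resolver, timeout=2.0):
    txid, pkt = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (resolver, 53))
        data, _ = s.recvfrom(512)
    return parse_a_records(data, txid)

def redirect_in_effect(name, local_resolver, external_resolver="8.8.8.8"):
    """True if the local-only name gets the same answer when asked of the external IP."""
    _, local = resolve_via(name, local_resolver)
    _, external = resolve_via(name, external_resolver)
    return bool(local) and sorted(local) == sorted(external)
```

Run it from a client on the redirected interface, e.g. `redirect_in_effect("test.home.lan", "10.0.0.1")` with your firewall's LAN address; a timeout on the external query instead of an answer usually means the traffic is being blocked rather than redirected.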