HOWTO - Redirect all DNS Requests to Opnsense

Started by Cypher100, July 26, 2018, 03:16:37 AM

@meyergru

Yes, with the rules I've been using it seems to work well. I also have a few additional DNS rules in place to tighten things up a bit.

I also redirect DoT traffic on port 853, which helps prevent devices from bypassing the local resolver using encrypted DNS directly to external providers.

Additionally, I've been experimenting with blocking DoH endpoints, starting with things like Google DNS, to stop clients from using DNS-over-HTTPS to bypass local policies. So far this setup seems to be working well in my tests.

Quote from: SenseX on March 07, 2026, 02:32:22 PM
I also redirect DoT traffic on port 853

But what is the point of redirecting (instead of blocking) if such queries will not be served anyway, because the certificate does not match?

I just block outgoing access to port 853. I have it in an alias full of ports clients have no business accessing.
The alias is used in a floating rule to block local nets from accessing those ports on !local nets.

Today at 11:52:39 AM #138 Last Edit: Today at 12:28:17 PM by hushcoden
Sorry if it's a dumb question, but in the forward rule, --> destination, is it !LAN net or !LAN address?

Could someone explain to me what the difference is?

Also, as for the source, why is it 'any' and not LAN net if I want to 'control' the clients on my LAN network?

Quote from: hushcoden on Today at 11:52:39 AM
Sorry if it's a dumb question, but in the forward rule, --> destination, is it !LAN net or !LAN address?

Could someone explain to me what the difference is?
LAN Net = Your network's subnet so let's say 192.168.1.0/24
LAN Address = The Gateway IP Address so let's say 192.168.1.1

Quote
Also, as for the source, why is it 'any' and not LAN net if I want to 'control' the clients on my LAN network?
It doesn't really matter, but you could say 'Any' does in theory catch more since it's ANYTHING instead of something SPECIFIC :)
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)

Quote from: nero355 on Today at 03:12:16 PM
LAN Net = Your network's subnet so let's say 192.168.1.0/24
LAN Address = The Gateway IP Address so let's say 192.168.1.1
Yes, but which one is more accurate (and if possible, also why)?

Quote from: hushcoden on Today at 03:40:17 PM
Quote from: nero355 on Today at 03:12:16 PM
LAN Net = Your network's subnet so let's say 192.168.1.0/24
LAN Address = The Gateway IP Address so let's say 192.168.1.1
Yes, but which one is more accurate (and if possible, also why)?
Between those two?!

Well, your gateway does not create the traffic, so you have to choose your network subnet anyway: 192.168.1.0/24

Simply think about how your traffic flows and what the rule does, and you've got your answer right there immediately! :)
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)

Today at 06:56:07 PM #142 Last Edit: Today at 07:00:30 PM by hushcoden
On post #128, you stated "You only need to catch DNS traffic NOT going to your DNS Server IP (in this case OPNsense) and not ALL DNS traffic".

Now, in my case 192.168.0.1 is the LAN address of my OPNsense that is also the IP address of the DNS server --> I can either use !192.168.0.1 or !LAN address, is that right?

Let's say that "networking concepts go over my head faster than gigabit speeds" :-)

Quote from: hushcoden on Today at 06:56:07 PM
I can either use !192.168.0.1 or !LAN address, is that right?
Yes! :)
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)
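To make the exchange between hushcoden and nero355 above concrete, here is an added example (not from the thread and not OPNsense code) that models the DNS port forward and the port 853 floating block as plain matching functions, so you can see what each destination choice actually catches. The addresses (192.168.1.0/24, firewall at 192.168.1.1, a client at .50, a second LAN host at .20) and the "lan_address" / "lan_net" switch are constructed for the illustration. It goes one step beyond the thread: with "!LAN address" a query sent to another host inside the LAN is still redirected to the firewall, whereas with "!LAN net" it is left alone.

```python
"""Model of the OPNsense DNS redirect discussed in the thread (added example).

Assumptions (constructed, not from the thread): the LAN is 192.168.1.0/24,
OPNsense's LAN address 192.168.1.1 is also the DNS server, and the port
forward sends matching port-53 traffic to the local resolver on 127.0.0.1:53.
"""
import ipaddress
from dataclasses import dataclass

LAN_NET = ipaddress.ip_network("192.168.1.0/24")      # "LAN net" in the GUI
LAN_ADDRESS = ipaddress.ip_address("192.168.1.1")      # "LAN address" in the GUI
REDIRECT_TARGET = ("127.0.0.1", 53)                    # local resolver
BLOCKED_PORTS = {853}                                  # alias of ports clients should not reach (DoT)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "udp"


def port_forward_destination(packet, negate="lan_address"):
    """Return (host, port) the packet is redirected to, or None if the rule does not match.

    negate picks the inverted destination field: "lan_address" (!LAN address)
    or "lan_net" (!LAN net). Source is LAN net, as nero355 explains: the
    gateway itself does not create the traffic, the clients in the subnet do.
    """
    src = ipaddress.ip_address(packet.src)
    dst = ipaddress.ip_address(packet.dst)
    if src not in LAN_NET:
        return None
    if packet.proto not in ("tcp", "udp") or packet.dport != 53:
        return None
    if negate == "lan_address":
        excluded = dst == LAN_ADDRESS      # only traffic already aimed at the firewall is left alone
    elif negate == "lan_net":
        excluded = dst in LAN_NET          # any LAN destination is left alone, including other LAN hosts
    else:
        raise ValueError(f"unknown negate mode: {negate}")
    return None if excluded else REDIRECT_TARGET


def floating_block(packet):
    """Floating rule: block LAN sources reaching alias ports on !local nets."""
    src = ipaddress.ip_address(packet.src)
    dst = ipaddress.ip_address(packet.dst)
    return src in LAN_NET and dst not in LAN_NET and packet.dport in BLOCKED_PORTS


def evaluate(packet, negate="lan_address"):
    """Combine both rules into a single verdict string for a packet."""
    if floating_block(packet):
        return "block"
    target = port_forward_destination(packet, negate)
    if target is not None:
        return f"redirect->{target[0]}:{target[1]}"
    return "pass"


def compare_destination_choices():
    """Verdicts for constructed sample packets under both destination choices."""
    samples = [
        Packet("192.168.1.50", "8.8.8.8", 53),            # client -> public resolver
        Packet("192.168.1.50", "192.168.1.1", 53),        # client -> firewall's own resolver
        Packet("192.168.1.50", "192.168.1.20", 53),       # client -> another LAN host on port 53
        Packet("192.168.1.50", "1.1.1.1", 853, "tcp"),    # client -> external DoT
        Packet("10.0.0.5", "8.8.8.8", 53),                # not a LAN source
    ]
    return {
        f"{p.src}->{p.dst}:{p.dport}/{p.proto}": {
            "lan_address": evaluate(p, "lan_address"),
            "lan_net": evaluate(p, "lan_net"),
        }
        for p in samples
    }


if __name__ == "__main__":
    for flow, verdicts in compare_destination_choices().items():
        print(f"{flow:40} !LAN address: {verdicts['lan_address']:24} !LAN net: {verdicts['lan_net']}")
```

Run it and the third sample is the interesting row: a client talking to 192.168.1.20:53 is redirected under "!LAN address" but passes under "!LAN net". So "!LAN address" (equivalently !192.168.0.1 in hushcoden's setup) is the choice that forces every client query through the firewall's resolver, while "!LAN net" would let a client use any other DNS server inside the subnet.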