HOWTO - Redirect all DNS Requests to Opnsense

Started by Cypher100, July 26, 2018, 03:16:37 AM

This tutorial will show you how to force all DNS queries to go through the OPNsense router regardless of the DNS servers specified on the local system. This will redirect anything going through port 53 to the router itself.

Go to Services -> Unbound DNS -> General


Verify that either ALL is selected, or localhost together with your LAN is selected.

or


Go to Firewall -> NAT -> Port Forward


Click the add new rule button


Set the following settings:

Interface: LAN
Protocol: TCP/UDP
Destination / Invert: Checked
Destination: LAN address
Destination Port: DNS
Redirect target IP: 127.0.0.1
Redirect target port: DNS
NAT reflection: Disable

Note: If you have multiple networks, you would have to make a rule for each network. Make sure Unbound is listening on the other network interfaces too.

Example for Wireless network:
Interface: Wireless
Protocol: TCP/UDP
Destination / Invert: Checked
Destination: Wireless address
Destination Port: DNS
Redirect target IP: 127.0.0.1
Redirect target port: DNS
NAT reflection: Disable



Here is my setup as an example after adding all the rules.


Now that the port forward rules have been created, we have to adjust the rules under the firewall to make sure the DNS redirect is hit first.

Go to Firewall -> Rules -> LAN


Move the DNS redirect rule above the "Default allow LAN to any rule" rule.


Then apply changes, and the final result should look like this.


Notes: If you have multiple interfaces, you would have to move the rule for each interface.

Hello cypher100,

Thank you very much, exactly what I was looking for!  8)

Just one question, how can I see that it is working correctly?
Because when I use 8.8.8.8 as manual DNS server everything works (as expected) but I want to see that it is really working in the Logs or somewhere else.

Thank you! :)


Quote from: Raccoon on July 27, 2018, 12:28:54 PM
Hello cypher100,

Thank you very much, exactly what I was looking for!  8)

Just one question, how can I see that it is working correctly?
Because when I use 8.8.8.8 as manual DNS server everything works (as expected) but I want to see that it is really working in the Logs or somewhere else.

Thank you! :)

I added yahoo.com pointing to 127.0.0.1 as a host override. Then on my Windows computer I use the command "nslookup yahoo.com 8.8.8.8" to see if it resolves to 127.0.0.1. Using nslookup should bypass any DNS cache on your local computer, but if it doesn't, I ran ipconfig /flushdns before running the nslookup command.
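The check Cypher100 describes, done from a script instead of nslookup: ask an external resolver for a name that only the local Unbound knows (the host override) and see whether the override's address comes back. This is an added example, not code from the thread or from OPNsense. It assumes the host override from the post (yahoo.com -> 127.0.0.1) and 8.8.8.8 as the external resolver; it also handles AAAA records and IPv6 resolvers, which goes beyond the IPv4-only test in the post. Standard library only, and the constructed reply in build_response is there so the parser can be exercised without a network.

```python
"""Verify a DNS redirect by querying an external resolver for a host override.
If the NAT rule works, the external resolver never sees the query: Unbound
answers instead, so the override address (127.0.0.1) shows up in the reply.
"""
import random
import socket
import struct

TYPE_A, TYPE_AAAA = 1, 28


def build_query(name, qtype=TYPE_A, txid=None):
    """Minimal DNS query with RD set. Returns (txid, wire bytes)."""
    txid = random.randrange(0x10000) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return txid, header + qname + struct.pack("!HH", qtype, 1)


def _skip_name(data, offset):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return offset + 2
        offset += 1 + length


def parse_addresses(txid, data):
    """IP addresses from A/AAAA records in the answer section; [] on an error RCODE."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (stray or spoofed reply)")
    if flags & 0x000F:                  # RCODE != NOERROR (e.g. NXDOMAIN)
        return []
    off = 12
    for _ in range(qd):                 # skip the echoed question section
        off = _skip_name(data, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        if rclass == 1 and rtype == TYPE_A and rdlen == 4:
            addrs.append(socket.inet_ntoa(rdata))
        elif rclass == 1 and rtype == TYPE_AAAA and rdlen == 16:
            addrs.append(socket.inet_ntop(socket.AF_INET6, rdata))
        off += rdlen
    return addrs


def redirect_in_effect(answers, override="127.0.0.1"):
    """True when the 'external' answer is really Unbound's host override."""
    return override in answers


def build_response(txid, name, addrs, rcode=0):
    """Constructed reply for offline testing (not captured traffic): echoes the
    question and returns one A or AAAA record per address, with the owner name
    given as a pointer (0xC00C) to the question name."""
    _, q = build_query(name, txid=txid)
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(addrs), 0, 0)
    body = q[12:]
    for a in addrs:
        if ":" in a:
            rdata, rtype = socket.inet_pton(socket.AF_INET6, a), TYPE_AAAA
        else:
            rdata, rtype = socket.inet_aton(a), TYPE_A
        body += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 60, len(rdata)) + rdata
    return header + body


def query(server, name, qtype=TYPE_A, timeout=3.0):
    """Send the query over UDP to `server` (IPv4 or IPv6 literal) and parse the reply."""
    txid, pkt = build_query(name, qtype)
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_addresses(txid, data)


if __name__ == "__main__":
    # On a LAN client behind the NAT rule this should print 127.0.0.1; a real
    # yahoo.com address means the query reached 8.8.8.8 and the redirect is not working.
    answers = query("8.8.8.8", "yahoo.com")
    print("answers:", answers, "redirect in effect:", redirect_in_effect(answers))
```

Run it from a client on the LAN, not on the firewall itself: the rule only rewrites traffic arriving on the LAN interface, so a query sent from OPNsense's own shell is never redirected and would reach 8.8.8.8 even when the rule is fine.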

Thank you, this process worked well for me. I guess advanced options had a lot to do with it and no other post mentioned such an important part of the setup : /
Best!!

How would this work on IPv6? I tried to mimic the NAT rules for IPv6, however then the DNS queries fail completely

October 05, 2018, 11:13:13 PM #5 Last Edit: October 05, 2018, 11:53:47 PM by Wired Life
I'm trying to redirect to a DNS server inside the LAN with this rule

But it doesn't work :(
Please help

Thank you, tested with nslookup and it works great.

November 26, 2018, 05:20:07 AM #7 Last Edit: November 26, 2018, 05:41:51 AM by GDixon
Quote from: chris42
How would this work on IPv6? I tried to mimic the NAT rules for IPv6, however then the DNS queries fail completely

Excellent question. What would be the destination for IPv6, or what is the equivalent of 127.0.0.1 for IPv6?

Would it be ::1 for the loopback, like 127.0.0.1 is for the IPv4 loopback?

Also, pay attention to non-standard DNS ports used by public DNS servers, ports like 5353, 9953 and the like... And for DNS-over-TLS the standard port is 853.

A really tech savvy user will bypass your forced DNS redirection anyway!
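To make the point above concrete, here is an added example (not OPNsense code, and not from the thread) that re-implements the matching semantics of the rule fields from the tutorial (interface, TCP/UDP, "Destination / Invert" against the interface address, destination port 53, IPv4) and runs constructed flows through them. The interface addresses, client addresses and flows are all made up for the demo. It shows which traffic the rule catches, that a query aimed at the firewall's own address is simply left alone, and that DNS-over-TLS on 853, a non-standard port, an interface without its own rule, and IPv6 all slip past an IPv4 port-53 redirect.

```python
"""Model of the thread's DNS redirect rules: which flows do they actually catch?"""
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Flow:
    interface: str   # interface the packet arrives on
    proto: str       # "tcp" or "udp"
    src: str
    dst: str
    dst_port: int


@dataclass(frozen=True)
class RedirectRule:
    interface: str
    interface_addr: str            # what "LAN address" / "Wireless address" expands to
    dst_port: int = 53             # "Destination Port: DNS"
    target: str = "127.0.0.1"      # "Redirect target IP"
    protocols: tuple = ("tcp", "udp")
    invert_destination: bool = True  # "Destination / Invert: Checked"
    family: int = 4                # the tutorial's rules are IPv4 rules

    def matches(self, flow):
        dst = ip_address(flow.dst)
        if flow.interface != self.interface or flow.proto not in self.protocols:
            return False
        if dst.version != self.family or flow.dst_port != self.dst_port:
            return False
        # Invert means: every destination EXCEPT the interface address itself.
        is_iface_addr = dst == ip_address(self.interface_addr)
        return (not is_iface_addr) if self.invert_destination else is_iface_addr


# Assumed interface addresses; the thread never states them.
RULES = [
    RedirectRule("LAN", "192.168.1.1"),
    RedirectRule("Wireless", "192.168.2.1"),
]


def classify(flow, rules=RULES):
    """'redirected' if a rule rewrites the flow to its target, 'to-firewall' if the
    client already asked the firewall's own address, otherwise 'bypass'."""
    for r in rules:
        if r.matches(flow):
            return "redirected"
    for r in rules:
        if (flow.interface == r.interface and flow.dst_port == r.dst_port
                and ip_address(flow.dst) == ip_address(r.interface_addr)):
            return "to-firewall"
    return "bypass"


def summarize(flows, rules=RULES):
    """Count outcomes; anything under 'bypass' is DNS traffic the redirect does not control."""
    counts = {"redirected": 0, "to-firewall": 0, "bypass": 0}
    for f in flows:
        counts[classify(f, rules)] += 1
    return counts


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    Flow("LAN", "udp", "192.168.1.20", "8.8.8.8", 53),             # caught
    Flow("LAN", "tcp", "192.168.1.20", "1.1.1.1", 53),             # caught (TCP too)
    Flow("LAN", "udp", "192.168.1.20", "192.168.1.1", 53),         # already at the firewall
    Flow("LAN", "tcp", "192.168.1.20", "1.1.1.1", 853),            # DNS-over-TLS: bypass
    Flow("LAN", "udp", "192.168.1.20", "9.9.9.9", 5353),           # non-standard port: bypass
    Flow("Wireless", "udp", "192.168.2.30", "8.8.8.8", 53),        # caught by the Wireless rule
    Flow("Guest", "udp", "192.168.3.30", "8.8.8.8", 53),           # no rule on Guest: bypass
    Flow("LAN", "udp", "fd00::20", "2001:4860:4860::8888", 53),    # IPv6, IPv4-only rule: bypass
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.interface:8} {f.proto} {f.dst}:{f.dst_port} -> {classify(f)}")
    print(summarize(SAMPLE_FLOWS))
```

The summary is the useful part for a defender: three flows redirected, one that needed no redirect, and four that the rules never touch. Dropping the Wireless rule (`RULES[:1]`) turns the Wireless flow into a bypass as well, which is exactly the per-interface note in the tutorial.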

November 28, 2018, 06:15:14 AM #9 Last Edit: December 02, 2018, 09:18:44 PM by p1n0ck10
Quote from: GDixon on November 26, 2018, 05:20:07 AM
Quote from: chris42
How would this work on IPv6? I tried to mimic the NAT rules for IPv6, however then the DNS queries fail completely

Excellent question. What would be the destination for IPv6, or what is the equivalent of 127.0.0.1 for IPv6?

Would it be ::1 for the loopback, like 127.0.0.1 is for the IPv4 loopback?


Normally ::1 is the IPv6 localhost address. I had to configure the IPv6 address of the interface (I created an alias) instead of ::1 in the NAT rule, and then it works. The clients resolve DNS records even when using their own IPv6 DNS servers.

I tested this with my Android phone, which has the app DNSChanger installed
https://play.google.com/store/apps/details?id=com.frostnerd.dnschanger
With this app you can use other DNS servers. With the IPv6 DNS NAT rule you can still resolve your own DNS records from the Overrides tab of Unbound DNS. Normally, when using an external DNS server, you can't resolve internal DNS records.



June 25, 2020, 06:11:53 PM #10 Last Edit: June 25, 2020, 06:15:29 PM by dave
Quote from: p1n0ck10 on November 28, 2018, 06:15:14 AM
Normally ::1 is the IPv6 localhost address. I had to configure the IPv6 address of the interface (I created an alias) instead of ::1 in the NAT rule, and then it works. The clients resolve DNS records even when using their own IPv6 DNS servers.

Hey p1n0ck10, could you go into a little more detail regarding this?

NAT redirects now use floating rules when the rule's running across multiple interfaces.

You're saying I'm going to have to create individual rules and aliases for each interface's IPv6 address?

Currently I've got a floating IPv6 NAT rule redirecting to ::1, and it's clearly not working.

Quote from: Cypher100 on July 26, 2018, 03:16:37 AM
This tutorial will show you how to force all DNS queries to go through the OPNsense router regardless of the DNS servers specified on the local system. This will redirect anything going through port 53 to the router itself.

Hi Cypher,
will this procedure also work for a DNS server, e.g. Pi-Hole, within my environment when I fill in the IP of the Pi-Hole instead of 127.0.0.1 in the NAT rules?

Regards Chris
XSK NUC Intel Celeron J3160 aka Protectli FW4B, 8GB RAM
OPNsense 22.1

Quote from: ChrisChros on December 28, 2020, 09:23:27 AM
Quote from: Cypher100 on July 26, 2018, 03:16:37 AM
This tutorial will show you how to force all DNS queries to go through the OPNsense router regardless of the DNS servers specified on the local system. This will redirect anything going through port 53 to the router itself.

Hi Cypher,
will this procedure also work for a DNS server, e.g. Pi-Hole, within my environment when I fill in the IP of the Pi-Hole instead of 127.0.0.1 in the NAT rules?

Regards Chris

I have the same question.

December 31, 2020, 11:02:55 PM #13 Last Edit: December 31, 2020, 11:05:12 PM by vpn
Hi, so not sure I am doing this right, but I'm trying to redirect all DNS queries to OPNsense, as even though I have my SmartTV set to this (GW of .1), it still ends up going to Google (8.8.8.8). All other devices on the network are fine and use their default GW for DNS.

Here is how I have the NAT port forwarding set up.


Quote from: mayo on December 29, 2020, 08:28:46 AM
Quote from: ChrisChros on December 28, 2020, 09:23:27 AM
Quote from: Cypher100 on July 26, 2018, 03:16:37 AM
This tutorial will show you how to force all DNS queries to go through the OPNsense router regardless of the DNS servers specified on the local system. This will redirect anything going through port 53 to the router itself.

Hi Cypher,
will this procedure also work for a DNS server, e.g. Pi-Hole, within my environment when I fill in the IP of the Pi-Hole instead of 127.0.0.1 in the NAT rules?

Regards Chris

I have the same question.

I have now set my Pi-Hole IP instead of 127.0.0.1 in the NAT rules and it looks like it's working.
XSK NUC Intel Celeron J3160 aka Protectli FW4B, 8GB RAM
OPNsense 22.1