Redirect DNS
-
So just getting back to pfSense again after years and I need possible help with a NAT rule I created.
Purpose: I have internal DNS servers that I want all clients to use. I'm trying to prevent someone statically assigning an IP on their own connection to get around things. I could block it of course; I'd prefer a redirect. So I created a NAT rule on the LAN interface & I assume I would have to do the same thing on every internal interface (or maybe I'll just use an alias):
LAN
Opt1
Opt2
Opt.....
So this is what the rule looks like:
Interface: LAN
Address Family: IPv4
Source / Address or Alias / [x] invert match internal_dns_servers (alias for the internal DNS servers) <--- will allow DNS servers to get out, though most should be DNS over HTTPS
Source Port Range: Any to Any
Destination: WAN Address
Destination Port Range: DNS
Redirect Target IP: 192.168.1.2 (internal DNS server)
Redirect Target Port: DNS
First I assume assigning the internal interfaces is the right direction? DNS resolution does work when I do:
nslookup google.com 1.1.1.1
but I'm not sure the best way to validate that it's in fact getting redirected to the internal DNS server rather than making it out? Thanks
-
@ncage one way to check that your redirect is working is to direct your query to something you know isn't going to work, like 1.2.3.4 (1.2.3.4 doesn't answer). If you direct your query there and you get an answer, then clearly your redirect worked ;)
-
@johnpoz wow that was a quick reply, thanks....but isn't that what I'm doing when I do:
nslookup google.com 1.1.1.1 (cloudflare)?
and I'm not blocking, I'm just redirecting, so couldn't it be either it's getting redirected transparently or my rule isn't working & it's getting out? Not sure how I can tell what's happening?
-
@johnpoz fyi now I know 100% sure it was not working before. I found others have written this rule apparently, but what made mine not work is the following:
Destination: WAN Address
Not 100% sure but I changed it to
invert match internal_dns_servers
How do I know it was working:
nslookup javaworld.com 1.1.1.1
;; reply from unexpected source: 192.168.1.2#53, expected 1.1.1.1#53
Not sure why there is even something directly from netgate:
https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html
Hopefully it's just nslookup that has the issue & nothing else.
-
@ncage my point - that is why you ask something you know can't answer - 1.2.3.4 is not going to answer a dns query, so if you get an answer then clearly you were redirected..
Another way is to ask for something the server you're directing to can't answer.. For example googdns isn't going to be able to resolve my nas.home.arpa name, but my local dns that I am redirecting to will.
So if I query 8.8.8.8 for nas.home.arpa and I get my answer - then clearly it was redirected.
Well that redirection error tells you you were redirected; it's pointless because now your dns is not going to work.. I have gone over this countless times to be honest..
The redirection examples and docs clearly tell you to redirect to localhost 127.0.0.1 on pfSense - they do this for a reason. Because if you just redirect it to something on the same network as the client, many dns clients will complain like the error you're seeing.
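The two checks johnpoz describes (query an IP that runs no DNS, and ask a public resolver for a name only the local DNS knows) as a small script, added here as an example and not code from the thread or from Netgate; it also detects the "reply from unexpected source" case from the nslookup output above. The local name nas.home.arpa and the resolver addresses are taken from the thread and are assumptions.

```python
"""Check whether a pfSense DNS redirect is really in effect (added example,
not from the thread or from Netgate). It scripts johnpoz's two tests: query an
IP that cannot answer DNS (1.2.3.4) and ask a public resolver for a name only
the local DNS knows; nas.home.arpa is taken from the thread as an assumption."""
import socket
import struct
from typing import Optional

def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Minimal DNS query for an A record: header, QNAME labels, QTYPE, QCLASS."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", 1, 1)

def parse_response(data: bytes) -> dict:
    """Pull id, QR bit, rcode and answer count out of a DNS response header."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    return {"id": qid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0x000F, "answers": an}

def classify(target: str, reply_from: Optional[str], response: Optional[dict]) -> str:
    """Both tests use a target that cannot answer, so a real answer proves redirection."""
    if response is None:
        return "not redirected: no reply from %s" % target
    if reply_from != target:
        # Redirect fired, but the internal DNS answered the client directly (no
        # outbound NAT); stub resolvers reject this as "reply from unexpected source".
        return "redirected, but reply came from %s instead of %s" % (reply_from, target)
    if response["answers"] > 0:
        return "redirected: %s could not have answered this query itself" % target
    return "not redirected: %s replied with no answer (rcode %d)" % (target, response["rcode"])

def probe(name: str, target: str, timeout: float = 2.0) -> str:
    """Send one UDP query to target:53 and classify what comes back."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name), (target, 53))
        data, (src, _port) = sock.recvfrom(512)
        return classify(target, src, parse_response(data))
    except socket.timeout:
        return classify(target, None, None)
    finally:
        sock.close()

if __name__ == "__main__":
    print(probe("google.com", "1.2.3.4"))      # 1.2.3.4 runs no DNS server
    print(probe("nas.home.arpa", "8.8.8.8"))   # public DNS cannot know a local name
```

Run it from a client on the LAN behind the redirect; a "not redirected" result on either probe means the NAT rule is not catching that client's port 53 traffic.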
-
@johnpoz said in Redirect DNS:
@ncage my point - that is why you ask something you know can't answer - 1.2.3.4 is not going to answer a dns query, so if you get an answer then clearly you were redirected..
Another way is to ask for something the server you're directing to can't answer.. For example googdns isn't going to be able to resolve my nas.home.arpa name, but my local dns that I am redirecting to will.
So if I query 8.8.8.8 for nas.home.arpa and I get my answer - then clearly it was redirected.
Well that redirection error tells you you were redirected; it's pointless because now your dns is not going to work.. I have gone over this countless times to be honest..
The redirection examples and docs clearly tell you to redirect to localhost 127.0.0.1 on pfSense - they do this for a reason. Because if you just redirect it to something on the same network as the client, many dns clients will complain like the error you're seeing.
@johnpoz thank you so much for your help & being patient with me. Unfortunately the "invalid dns server" didn't sink in before. I have everything resolved now. I am using 127.0.0.1 now instead & it makes sense. It's a security thing. You're asking for a dns address from 1 server & receiving a response from another. I had to change from the DNS Resolver to the DNS Forwarder.....again thanks
-
@ncage said in Redirect DNS:
I had to change from the dns resolver to the dns forwarder..
No you do not... You can redirect just fine to the resolver.. Redirection of dns has little to do with where you redirect to.. There are multiple threads where I go over how you can redirect to a different NS on the same network; you just need to use outbound NAT so that where you redirect it sends the traffic back to pfSense vs the actual client, and then pfSense can send the traffic back to the client.
Pretty sure we just had this exact same sort of thread not that long ago..
Here is one, which also has a link to another thread where I went over the same thing
-
@ncage been a long day, didn’t read…but see if this helps: https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html
-
This is how I set mine up.
https://forum.netgate.com/topic/156453/pfsense-dns-redirect-to-local-dns-server?_=1671847956280