Netgate Discussion Forum

DNS Port Forward Inglês DOES NOT REDIRECT

    frawnsmoc
    last edited by Apr 10, 2025, 1:57 PM

    Well, I've tried almost everything. I have a network with pfSense 2.7.2 with pfBlockerNG 3.2.0_8. The problem is that some users are changing the DNS IP to 8.8.8.8 or 1.1.1.1 and 208.67.222.222, and with this they get past the blocks. I've been trying for days to do the NAT redirection to pfSense (127.0.0.1 or the pfSense IP 10.0.1.1) without success; every time it passes through. If I put in the block, it blocks the navigation and does not redirect.

    Attachments: nat.jpg, 1.jpg, nat2.png

      mcury Rebel Alliance @frawnsmoc
      last edited by Apr 10, 2025, 2:05 PM

      @frawnsmoc https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html

      dead on arrival, nowhere to be found.

        frawnsmoc @mcury
        last edited by Apr 10, 2025, 2:16 PM

        @mcury It was the first one I tried, and it goes through normally without redirecting. (Attachment: nslookup.jpg)

          AndyRH
          last edited by Apr 10, 2025, 2:17 PM

          This is my solution using PiHole. Will also work using pfSense.

          https://forum.netgate.com/topic/156453/pfsense-dns-redirect-to-local-dns-server?_=1663853296484

          o||||o
          7100-1u

            mcury Rebel Alliance @AndyRH
            last edited by mcury Apr 10, 2025, 2:29 PM Apr 10, 2025, 2:24 PM

            Redirect IP 10.0.1.1 and NAT IP 10.0.1.1 ?

            Here it is working:

            [three screenshots attached]

              frawnsmoc @mcury
              last edited by Apr 10, 2025, 5:18 PM

              @mcury (Attachment: nslookup2.jpg)
              See the two examples. I did the same as you showed me. The first answer shows that it is going straight through without the redirection; it should have the same message as the 2nd test I did, but forcing the pfSense IP.

                mcury Rebel Alliance @frawnsmoc
                last edited by Apr 10, 2025, 5:23 PM

                @frawnsmoc

                Create a host override in pfSense, then test for that host.
                Like my example, iphone.home.arpa is only known to my DNS server, so, even when I asked 8.8.8.8 to resolve it, I got an answer from my local DNS server.

                dead on arrival, nowhere to be found.

                  frawnsmoc @mcury
                  last edited by Apr 10, 2025, 5:58 PM

                  @mcury (Attachment: HOST OVERRIDES.jpg)
                  Unfortunately the same response: it goes straight to Google DNS. Is there something I'm doing wrong? Because if I set it to block, it works, but I would have to go to all the computers and set the DNS, and it wouldn't solve the problem, which comes back: people go and change it again even if it crashes, so I have to stay focused to fix it. Redirecting all the port 53 traffic to pfSense would solve it, because I could change it to any other one and that wouldn't make a difference.

                    mcury Rebel Alliance @frawnsmoc
                    last edited by Apr 10, 2025, 8:23 PM

                    @frawnsmoc I think you misunderstood me, the idea of the host override is to confirm if the DNS is being redirected, and not create a host override for google.

                    Perhaps perform a packet capture on localhost in pfSense, UDP port 53 and test with the nslookup again.

                      frawnsmoc @mcury
                      last edited by Apr 11, 2025, 12:59 PM

                      @mcury I've already done this. I tested it and it goes straight through; I even thought it was a problem with the NAT, but there are security cameras using the NAT perfectly.

                      I did a generic test with a generic port for 8.8.8.8:12345 and 127.0.0.1:12345 intercept or 10.0.1.1:12345 the nat will not

                        mcury Rebel Alliance @frawnsmoc
                        last edited by Apr 11, 2025, 1:22 PM

                        @frawnsmoc said in DNS Port Forward Inglês DOES NOT REDIRECT:

                        @mcury I've already done this. I tested it and it goes straight through; I even thought it was a problem with the NAT, but there are security cameras using the NAT perfectly.

                        I did a generic test with a generic port for 8.8.8.8:12345 and 127.0.0.1:12345 intercept or 10.0.1.1:12345 the nat will not

                        Perform a packet capture on the WAN interface, select host 8.8.8.8 and UDP port 53.
                        Then test again, if the packet capture is empty, it is redirecting it.

                          frawnsmoc @mcury
                          last edited by Apr 14, 2025, 1:36 PM

                          @mcury Replaced pfSense with MikroTik, matter solved. pfSense has this bug.

                            mcury Rebel Alliance @frawnsmoc
                            last edited by Apr 14, 2025, 1:46 PM

                            @frawnsmoc said in DNS Port Forward Inglês DOES NOT REDIRECT:

                            Replaced pfSense with MikroTik, matter solved. pfSense has this bug.

                            ok

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.