Netgate Discussion Forum

    Route all DNS requests to 1 server

    DHCP and DNS
    16 Posts 4 Posters 2.0k Views
    • User40405

      Hey, so I am very new to pfSense. I got it installed eventually today but have not got much further. What I am trying to set up is to forward all DNS requests to ViperDNS (185.51.194.194), as some devices are hard-coded to use 8.8.8.8/8.8.4.4 or other servers that I cannot find. If it is possible, can someone tell me how to set that up? I have tried a few guides but they do not seem to be working. So if my phone or PC pings 8.8.8.8, it gets rerouted to 185.51.194.194; that is the end result I would like set up. I would really, really appreciate some info on this. Thanks so much everyone and I hope to find a solution! :)

      • GruensFroeschli

        This wiki entry shows the general concept:
        https://doc.pfsense.org/index.php/Redirecting_all_DNS_Requests_to_pfSense

        Apply and adjust for your own use case.

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

        • User40405

          Thanks so much, I will try it now.

          • User40405

            Hey, can I possibly ask what they mean with this: "Before adding this rule, ensure the DNS Forwarder or DNS Resolver is configured to bind and answer queries on Localhost, or All interfaces."? Sorry, I am sure this is very simple, but I really have not used it a whole bunch. I have seen "DNS Forwarder" in some menu but do not know what they want me to do with it.

            • GruensFroeschli

              The wiki page assumes that you want to redirect traffic to your own local DNS resolver/forwarder.
              In your case you don't want to rewrite to the local one, but instead to another external one.

              Replace the 127.0.0.1 in the NAT rule from the page with 185.51.194.194.

              • coxhaus

                I used a different method to allow access to 2 outside DNS servers and block all other DNS access. I used firewall rules. Does it make any difference with pfSense in the way it is done?
                Is one way faster than the other?

                I included a picture of my way.

                [Attachment: Capture.PNG]

                • Derelict (LAYER 8, Netgate)

                  The port forward method will resolve names no matter what DNS servers are configured on the client, except for 127.0.0.1, something on the local subnet, or anything else that isn't sent to the firewall.

                  The method you described will limit DNS to just those servers with pass rules.

                  Nothing wrong with either. It just depends on what you want.

                  Chattanooga, Tennessee, USA
                  A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                  DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                  Do Not Chat For Help! NO_WAN_EGRESS(TM)

                  • User40405

                    I am still struggling to get this to work. Tried both ways and it does not block other DNS servers. :( I must be doing something wrong but I do not know what it is.

                    • Derelict (LAYER 8, Netgate)

                      Post what you've done.

                      • User40405

                        Ok, so here it goes.

                        Background info: Modem has DNS configured to 185.51.194.194

                        Step 1: Installed pfSense and configured it to work with 2 LAN ports (one WAN, other LAN)
                        Step 2: Set DNS server on pfSense but it would simply not work (as in it was using some other local DNS server)
                        Step 3: Enabled DNS Forwarder and DNS starts to work.
                        Step 4: Set a firewall rule just like you did in that image, but with DNS servers 185.51.194.194 and 185.51.195.195. Here are some images:
                                  http://s15.postimg.org/jni0kp2pn/Capture.png
                                  http://s15.postimg.org/4stf6it4r/Capture1.png
                                  http://s15.postimg.org/mk51kz8jf/Capture2.png
                                  http://s15.postimg.org/i22qsvshn/Capture3.png
                                  http://s15.postimg.org/p40of2w3f/Capture4.png
                                  http://s15.postimg.org/zct5kwk57/Capture5.png
                        Step 5: Tested to see if DNS servers were blocked/rerouted using CMD on a Windows PC. Here is the result for a ping to 84.200.69.80:
                                  http://s18.postimg.org/5rfccbydl/Capture6.png

                        I really am not sure if I am doing something wrong, so please let me know if I am :) Basically what I am trying to do is ONLY use 185.51.194.194 or 185.51.195.195 as DNS servers for my whole network. I used to block some well-known DNS servers such as 8.8.8.8 and 8.8.4.4, but is there any way to reroute all DNS requests to those 2 servers? Here is an image of blocking 8.8.8.8: http://s9.postimg.org/d8gbqfjgv/Capture7.png

                        Here is also an image of ipconfig: http://s27.postimg.org/ujgm98zab/Capture8.png

                        Thanks so much for the help!!

                        • User40405

                          Ok, so I have removed the DNS that was set on my modem. The DNS I set in pfSense is working just fine, but I still need to either block some IPs or reroute all DNS requests to that server (185.51.194.194/185.51.195.195).

                          • User40405

                            Ok, I think it may be working now, but can someone confirm with the image here: http://s22.postimg.org/y74d0soq9/Capture.png

                            • User40405

                              Nah, still no luck... I can still ping other DNS servers and traffic is being sent to other DNS servers. :(

                              • GruensFroeschli

                                Well ping is ICMP.
                                You're making a rule for DNS (UDP port 53), not ICMP.
                                Of course you can still ping this address ;)

                                • User40405

                                  Sorry guys, I think I confused myself and all of you... Can I do this on pfSense: https://getflix.zendesk.com/hc/en-gb/articles/202281524-Block-Public-DNS-Overview
                                  Those IPs need to be blocked, basically, and I really have no idea how to do it. The router can do it, but I was hoping I could do it with pfSense if possible. Thanks for all the help everyone!! :)

                                  • Derelict (LAYER 8, Netgate)

                                    You sort of need to separate blocking the IP addresses and blocking DNS.

                                    There are two methods outlined in this thread.

                                    The first forwards all queries made to any DNS server to a specific DNS server.

                                    The second blocks queries to all DNS servers except those specified.

                                    It sounds like you want the former. Just because you can ping doesn't mean the DNS isn't being forwarded as specified.

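The thread ends with two methods (the port forward that rewrites every port-53 destination, and the pass/block rules that only admit listed servers) and a reminder that ping does not test either of them. The one check that does show what happened is the firewall's state table: on pfSense, `pfctl -ss` from Diagnostics > Command Prompt (or the Diagnostics > States page) lists each flow, and a state created by a port forward shows the original destination in parentheses next to the rewritten one. The script below is an added example, not code from the thread or from Netgate. It assumes the FreeBSD pf state-line layout described in its comments, an IPv4-only network, `em1` as the LAN interface, `192.168.1.1` as the firewall's LAN address, and the two ViperDNS servers from the thread as the allow-list; the state lines it processes are constructed, not captured from a real box.

```python
# Added example (not from the thread): classify pf state-table output so you can see
# which DNS flows were redirected, which were allowed through untouched, and which
# leaked to a server neither rule caught. Assumed `pfctl -ss` layout (FreeBSD pf):
#   <if> <proto> <dst> [(<original dst>)] <- <src>   <status>   inbound state;
#       a parenthesised endpoint is the destination BEFORE the port forward (rdr)
#   <if> <proto> <src> [(<original src>)] -> <dst>   <status>   outbound state;
#       a parenthesised endpoint is the source BEFORE outbound NAT
# So "185.51.194.194:53 (8.8.8.8:53) <- 192.168.1.10:51234" means the client asked
# 8.8.8.8 and pf sent the query to 185.51.194.194. IPv4 endpoints only.
import re
from dataclasses import dataclass

STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<left>\S+)"
    r"(?:\s+\((?P<orig>\S+)\))?"
    r"\s+(?P<dir><-|->|<->)\s+(?P<right>\S+)\s+(?P<status>\S+)$"
)

# Constructed sample of `pfctl -ss` output (not a real capture): em1 is the LAN
# side, em0 the WAN side, 192.168.1.1 is the firewall's own LAN address.
SAMPLE_STATES = """\
em1 udp 185.51.194.194:53 (8.8.8.8:53) <- 192.168.1.10:51234       NO_TRAFFIC:SINGLE
em1 tcp 185.51.194.194:53 (8.8.4.4:53) <- 192.168.1.11:40321       ESTABLISHED:ESTABLISHED
em1 udp 185.51.195.195:53 <- 192.168.1.12:53222       NO_TRAFFIC:SINGLE
em1 udp 192.168.1.1:53 <- 192.168.1.10:50001       NO_TRAFFIC:SINGLE
em1 udp 84.200.69.80:53 <- 192.168.1.10:53999       NO_TRAFFIC:SINGLE
em1 icmp 8.8.8.8:1536 <- 192.168.1.10:1536       0:0
em1 tcp 198.51.100.7:443 <- 192.168.1.10:49152       ESTABLISHED:ESTABLISHED
em0 udp 203.0.113.5:51234 (192.168.1.10:51234) -> 185.51.194.194:53       SINGLE:NO_TRAFFIC
"""


@dataclass
class DnsFlow:
    proto: str
    client: str
    requested_server: str  # the resolver the client addressed
    actual_server: str     # where pf actually sent the query
    verdict: str           # "redirected", "allowed" or "leaked"


def _split(endpoint):
    """'192.0.2.1:53' -> ('192.0.2.1', 53)."""
    host, port = endpoint.rsplit(":", 1)
    return host, int(port)


def audit_dns_states(text, lan_iface, allowed_servers, lan_address):
    """Classify every port-53 state that entered the firewall on the LAN interface.

    redirected: a port forward rewrote the destination (the thread's first method)
    allowed:    untouched, but the server is on the allow-list or is the firewall
                itself (the thread's second method, or the local forwarder)
    leaked:     untouched and not allowed, so neither rule caught this query
    """
    flows = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if not m or m["iface"] != lan_iface or m["dir"] != "<-":
            continue  # only states created by packets arriving from the LAN
        if m["proto"] not in ("tcp", "udp"):
            continue  # ICMP states (ping) say nothing about DNS, which is TCP/UDP 53
        actual_host, actual_port = _split(m["left"])
        client_host, _ = _split(m["right"])
        if actual_port != 53:
            continue
        if m["orig"]:
            requested_host, _ = _split(m["orig"])
            verdict = "redirected"
        else:
            requested_host = actual_host
            ok = actual_host in allowed_servers or actual_host == lan_address
            verdict = "allowed" if ok else "leaked"
        flows.append(DnsFlow(m["proto"], client_host, requested_host, actual_host, verdict))
    return flows


def summarize(flows):
    counts = {"redirected": 0, "allowed": 0, "leaked": 0}
    for f in flows:
        counts[f.verdict] += 1
    return counts


if __name__ == "__main__":
    result = audit_dns_states(SAMPLE_STATES, "em1",
                              {"185.51.194.194", "185.51.195.195"}, "192.168.1.1")
    for f in result:
        print(f"{f.verdict:10} {f.proto} {f.client} asked {f.requested_server}, "
              f"query went to {f.actual_server}")
    print(summarize(result))
```

Run it against real output by piping `pfctl -ss` into a file and passing that text instead of `SAMPLE_STATES`, with your own LAN interface name and addresses. A "leaked" line means a query reached a server outside the policy, which is exactly what the port forward (with its inverted "LAN address" destination match) or the block rules should have prevented; the ICMP and port-443 lines in the sample are skipped on purpose, since a successful ping to 8.8.8.8 says nothing about where DNS went.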
                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.