Redirect DNS traffic to local DNS server
-
Don't change the localhost to something different.
-
What I want to do is log DNS queries (for example www.XXXXX.com) and also DNS replies (for example 13.14.15.15, 154.52.2.6).
Please help me.
Thanks -
Whether you use the DNS Resolver or the DNS Forwarder would be the first thing to answer.
What does Status | System logs tell you in regard to DNS? -
With log options, the DNS Forwarder logs DNS replies (IP); the DNS Resolver logs only the hostname.
But I don't much like the DNS Forwarder logging.
I'd like to have in one line: the IP of the internal host which made the request, the hostname requested, and the IP associated with that hostname. With the DNS Forwarder all that information is split among many lines.
If I try to redirect with pfSense from originaldnsip to localdnsserver and then from a client I do dig hostname, I get the error: reply from unexpected source
-
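An added example, not from any poster in this thread and not part of pfSense, of the one-line-per-query view asked for above: a small Python script that correlates the DNS Forwarder's dnsmasq log lines, which with query logging enabled split the client, the name and the answers across separate lines, into one record per query. The line format is dnsmasq's standard syslog output; the sample lines, the host name "pfsense", the client addresses and the function names are constructed for the example.

```python
"""Correlate pfSense DNS Forwarder (dnsmasq) log lines into one record per query.

With query logging on, dnsmasq writes "query[TYPE] NAME from CLIENT" and then
zero or more "reply NAME is ANSWER" (or cached / config / /etc/hosts) lines,
keyed only by NAME.  This joins them so each query shows who asked, for what,
and what came back.  Example code, not part of the thread or of pfSense.
"""
import re
import sys

# syslog prefix as written on pfSense ("pfsense" is a constructed host name)
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ dnsmasq\[\d+\]: (?P<msg>.*)$"
)
QUERY_RE = re.compile(r"^query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)$")
# the answer sources dnsmasq distinguishes: upstream reply, cache, config, hosts file
ANSWER_RE = re.compile(r"^(?:reply|cached|config|/etc/hosts) (?P<name>\S+) is (?P<answer>.+)$")

# constructed sample log, in dnsmasq's real line format (one unrelated sshd line included)
SAMPLE_LOG = "\n".join([
    "Mar  3 10:15:01 pfsense dnsmasq[1234]: query[A] www.example.com from 192.168.1.50",
    "Mar  3 10:15:01 pfsense dnsmasq[1234]: forwarded www.example.com to 8.8.8.8",
    "Mar  3 10:15:01 pfsense dnsmasq[1234]: reply www.example.com is 93.184.216.34",
    "Mar  3 10:15:01 pfsense dnsmasq[1234]: reply www.example.com is 93.184.216.35",
    "Mar  3 10:15:02 pfsense dnsmasq[1234]: query[A] intranet.lan from 192.168.1.51",
    "Mar  3 10:15:02 pfsense dnsmasq[1234]: /etc/hosts intranet.lan is 192.168.1.5",
    "Mar  3 10:15:03 pfsense dnsmasq[1234]: query[AAAA] www.example.com from 192.168.1.50",
    "Mar  3 10:15:03 pfsense dnsmasq[1234]: cached www.example.com is 2606:2800:220:1:248:1893:25c8:1946",
    "Mar  3 10:15:03 pfsense sshd[999]: Accepted publickey for admin from 192.168.1.51",
    "Mar  3 10:15:04 pfsense dnsmasq[1234]: query[A] doesnotexist.example from 192.168.1.52",
    "Mar  3 10:15:04 pfsense dnsmasq[1234]: forwarded doesnotexist.example to 8.8.8.8",
    "Mar  3 10:15:04 pfsense dnsmasq[1234]: reply doesnotexist.example is NXDOMAIN",
])


def correlate(lines):
    """Return one dict per query (ts, client, qtype, name, answers), in log order.

    dnsmasq logs the query line first and the answer lines afterwards, so the
    most recent unfinished query for a name collects the answers for that name
    until another query for the same name (or end of input) supersedes it.
    Limitation: two clients asking for the same name at the same instant can
    have their answers attributed to whichever query was logged last.
    """
    records = []
    pending = {}                      # name -> record still collecting answers
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                  # not a dnsmasq line; other daemons share the log
        msg = m.group("msg")
        q = QUERY_RE.match(msg)
        if q:
            rec = {"ts": m.group("ts"), "client": q.group("client"),
                   "qtype": q.group("qtype"), "name": q.group("name"), "answers": []}
            records.append(rec)
            pending[q.group("name")] = rec
            continue
        a = ANSWER_RE.match(msg)
        if a and a.group("name") in pending:
            pending[a.group("name")]["answers"].append(a.group("answer"))
        # "forwarded NAME to SERVER" lines and answers for names never queried are dropped
    return records


def format_record(rec):
    """The one-line view: timestamp, client, type, name, answers."""
    answers = ", ".join(rec["answers"]) or "(no answer logged)"
    return f'{rec["ts"]} {rec["client"]} {rec["qtype"]} {rec["name"]} -> {answers}'


if __name__ == "__main__":
    # read a real log from stdin, or show the constructed sample
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    for record in correlate(source):
        print(format_record(record))
```

Run it as `python3 correlate_dnsmasq.py < dnsmasq.log` against the log file pfSense writes dnsmasq output to, or with no input to see the sample; NXDOMAIN and CNAME targets appear in the answers column exactly as dnsmasq logs them.
-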
Make firewall rules for the following:
Rule 1: pass (first)
Interface: LAN
Source: any
Dst: LAN address
Port: 53
Rule 2: block (second)
Interface: LAN
Source: any
Dst: any
Port: 53
These two rules will force users to use your local DNS server and not bypass it. You should set your local DNS server in DHCP,
for example 192.168.1.1 -
I want to REDIRECT DNS requests:
for example, pc1 has a static IP with a static DNS (for example 8.8.8.8 or any other).
I don't want to change any PC settings, I want only to hijack DNS traffic to another server.
I could do it with iptables, but I don't want another PC always on only to redirect DNS traffic.
Please let me know if I can do this with pfSense -
I am doing that using a NAT rule and Port Forward.
Firewall > NAT > Add New rule
Interface: LAN
Protocol: UDP
Source: I created an Alias for one of my devices or IP address of specific device
Source Port: ANY
Destination: INVERT MATCH, Type: LAN Address
Destination Port: DNS (from/to).
Redirect target IP: IP of my pfSense LAN interface (e.g. 192.168.1.1)
Redirect target port: DNS
When completed, a rule will be added to Firewall / Rules / LAN called "NAT Redirect…" (1st rule).
Permit ANY LAN 53 (DNS) - permit DNS to pfSense on my LAN interface (2nd rule).
Block ANY ANY 53 (DNS) - block DNS to everything else (3rd rule).
-
If I try to redirect with pfSense from originaldnsip to localdnsserver and then from a client I do dig hostname, I get the error: reply from unexpected source
Are your clients configured by DHCP or static?
With DHCP you could just tell them 192.168.0.99 to be their DNS server. -
Clients are statically configured,
no DHCP -
I am doing that using a NAT rule and Port Forward.
Firewall > NAT > Add New rule
Interface: LAN
Protocol: UDP
Source: I created an Alias for one of my devices or IP address of specific device
Would it be possible to make an alias for ALL IPs in the LAN?
I should redirect ALL clients to my DNS server.
Would it be possible to use as DNS server not pfSense itself but the DNS installed on another machine?
-
I am doing that using a NAT rule and Port Forward.
Firewall > NAT > Add New rule
Interface: LAN
Protocol: UDP
Source: I created an Alias for one of my devices or IP address of specific device
Would it be possible to make an alias for ALL IPs in the LAN?
I should redirect ALL clients to my DNS server.
Would it be possible to use as DNS server not pfSense itself but the DNS installed on another machine?
Try setting "LAN net"
-
Would it be possible to use as DNS server not pfSense itself but the DNS installed on another machine?
If you forward within pfSense you don't gain a thing (log-wise) and if you redirect it you get an "unexpected source" error.
Best bet is to change the clients' DNS settings to the "other" machine. Would be easy if configured by DHCP. So I guess you'll have to die one death or the other.
-
You will have a much easier time of it if you redirect clients to a server that is not on their local subnet.
If that is absolutely unavoidable, I would redirect them to the forwarder on localhost and tell the forwarder to use 192.168.0.99.
You can even put the forwarder on a custom port for this purpose so the resolver can continue to function normally if desired.
-
If I got it correctly then tonysud's main issue is with logging, or how pfSense logs DNS queries.
But I didn't get that from the beginning… If you have the forwarder look up at 192.168.0.99 then all queries source from pfSense and those logs do not show who made which request initially. Correct me if I'm wrong, please!
-
What I would do is create a separate internal network with your DNS server. Create a separate network with a /24 netmask. Ideally physically separate it from your main network. As others have suggested, you can hijack the port 53 packets and forward them to your DNS server in your separate network.
Do you have an available network interface in your pfSense router?