Netgate Discussion Forum
    Help redirect DNS queries from any device to a VPN DNS through the tun interface

    DHCP and DNS · 16 Posts, 2 Posters, 1.7k Views
    hbbs

      I have tried this to block my NSTV from using 8.8.8.8, to no avail:

      If: LAN
      Proto: TCP/UDP
      Src:192.168.1.50
      Src ports: *
      Dest addr: ! LAN address
      Dest. ports: 53 (DNS)
      NAT IP: 10.27.84.1
      NAT ports: 53 (DNS)
      Description: Redirect DNS

      But this is what happened when I tried to open Netflix for the sake of testing, because I know it would seek out Google's DNS.

      22:39:26.843477 IP google-public-dns-a.google.com.domain > NSTV.localdomain.57184: 25791 4/0/0 CNAME dscg.netflix.com.edgesuite.net., CNAME a743.dscg.akamai.net., A 23.74.2.75, A 23.74.2.72 (142)
      22:39:34.104360 IP NSTV.localdomain.40568 > 10.27.84.1.domain: 22983+ A? anycast.ftl.netflix.com. (41)
      22:39:34.104370 IP NSTV.localdomain.57184 > google-public-dns-a.google.com.domain: 30840+ A? anycast.ftl.netflix.com. (41)
      22:39:34.105032 IP NSTV.localdomain.40568 > 10.27.84.1.domain: 51366+ A? afol2mxrlfchlcdunmapg.r.nflxso.net. (52)
      22:39:34.105041 IP NSTV.localdomain.57184 > google-public-dns-a.google.com.domain: 21478+ A? afol2mxrlfchlcdunmapg.r.nflxso.net. (52)
      22:39:34.105511 IP NSTV.localdomain.57184 > google-public-dns-a.google.com.domain: 48384+ A? ipv4-c048-was001-ix.1.oca.nflxvideo.net. (57)
      22:39:34.105521 IP NSTV.localdomain.40568 > 10.27.84.1.domain: 57127+ A? ipv4-c048-was001-ix.1.oca.nflxvideo.net. (57)
      22:39:34.105984 IP NSTV.localdomain.40568 > 10.27.84.1.domain: 47260+ A? oca-api.netflix.com. (37)
      22:39:34.105993 IP NSTV.localdomain.57184 > google-public-dns-a.google.com.domain: 65331+ A? oca-api.netflix.com. (37)
      22:39:34.303376 IP google-public-dns-a.google.com.domain > NSTV.localdomain.57184: 30840 1/0/0 A 66.42.99.246 (57)
      22:39:34.303472 IP 10.27.84.1.domain > NSTV.localdomain.40568: 22983 1/0/0 A 66.42.99.246 (57)
      22:39:34.303589 IP 10.27.84.1.domain > NSTV.localdomain.40568: 57127 1/0/0 A 66.42.99.246 (73)
      22:39:34.303685 IP google-public-dns-a.google.com.domain > NSTV.localdomain.57184: 21478 1/0/0 A 66.42.99.246 (68)
      22:39:34.303778 IP google-public-dns-a.google.com.domain > NSTV.localdomain.57184: 48384 1/0/0 A 66.42.99.246 (73)
      22:39:34.303879 IP 10.27.84.1.domain > NSTV.localdomain.40568: 51366 1/0/0 A 66.42.99.246 (68)
      22:39:34.305235 IP google-public-dns-a.google.com.domain > NSTV.localdomain.57184: 65331 1/0/0 A 66.42.99.246 (53)
      22:39:34.305333 IP 10.27.84.1.domain > NSTV.localdomain.40568: 47260 1/0/0 A 66.42.99.246 (53)
      
      

      How can I specifically enforce that queries to Google's DNS are denied?

      PS: you guys probably know this, but anyway, for the record: google-public-dns-a.google.com is 8.8.8.8 and google-public-dns-b.google.com is 8.8.4.4.

      Derelict (Netgate)

        @hbbs said in Help redirect DNS queries from any device to a VPN DNS through the tun interface:

        If: LAN
        Proto: TCP/UDP
        Src:192.168.1.50
        Src ports: *
        Dest addr: any
        Dest. ports: 53 (DNS)
        NAT IP: 10.27.84.1
        NAT ports: 53 (DNS)
        Description: Redirect DNS

        You will still see Google DNS in a packet capture on LAN because that is what is being captured before NAT happens.

        As I have said at least twice now already, if you don't want the device to use 8.8.8.8, don't tell it to use 8.8.8.8 in DHCP or its static configuration.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        hbbs (replying to Derelict)

          @derelict said in Help redirect DNS queries from any device to a VPN DNS through the tun interface:

          @hbbs said in Help redirect DNS queries from any device to a VPN DNS through the tun interface:

          If: LAN
          Proto: TCP/UDP
          Src:192.168.1.50
          Src ports: *
          Dest addr: any
          Dest. ports: 53 (DNS)
          NAT IP: 10.27.84.1
          NAT ports: 53 (DNS)
          Description: Redirect DNS

          You will still see google DNS in a packet capture on LAN because that is what is being captured before NAT happens.

          That explains a lot.

          As I have said at least twice now already, if you don't want the device to use 8.8.8.8, don't tell it to use 8.8.8.8 in DHCP or its static configuration.

          I will show you my DHCP static configuration for my NSTV. It has been in place since the first time you mentioned it. Maybe I did something wrong.

          https://i.imgur.com/eoEWw4H.png
          https://i.imgur.com/EVsIxlm.png

          (I have erased MAC addresses)

          Derelict (Netgate)

            That looks OK to me. If that record is in place, and you have verified that it is actually getting the IP address specified, and the NSTV still insists on using 8.8.8.8 I'm not sure what to tell you there. Probably a question for them.

            (I have erased MAC addresses)

            (Because everyone on the internet cares about what your MAC address is...)

            hbbs (replying to Derelict)

              @derelict It is in place. I believe.

              All I was trying to do was pre-route Google's DNS servers to my VPN DNS (tun).

              Is there a way I can verify that NAT is actually doing what it is supposed to do?

              I ran tcpdump -i igb1 host xxxxx and port 53 to produce those logs.

              Derelict (Netgate)

                Packet capture on the OpenVPN interface instead. That will show you what's going out to them.

                You can also put a rule, after the one that passes the NAT traffic, that blocks all traffic from 192.168.1.50 to destination any on TCP/UDP port 53.

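                Derelict's point, that a capture on LAN shows the pre-NAT destination while a capture on the OpenVPN interface shows where the query really went, can be checked mechanically rather than by eye. The script below is an added example, not from this thread or from pfSense: it parses tcpdump's default one-line DNS output (the format pasted in this thread), lists which resolvers each client addressed on the LAN side, then follows every LAN query into the egress-side capture by DNS transaction ID plus query name, which NAT does not rewrite (source ports may be, so they are not used). The LAN sample lines are taken from the capture posted earlier in the thread; the tun-side sample lines are constructed, with one transaction deliberately left out to show what a query that was blocked, or that left by another interface, looks like. The name-to-address map for Google's resolvers is taken from the original poster's footnote.

```python
"""Check a DNS redirect (rdr) from two tcpdump captures: LAN (pre-NAT) and egress (post-NAT).

Added example, not code from the thread. Input is tcpdump's default one-line DNS
output, as pasted in the thread, e.g.
  22:39:34.104360 IP NSTV.localdomain.40568 > 10.27.84.1.domain: 22983+ A? anycast.ftl.netflix.com. (41)
"""
import re
from collections import defaultdict

# tcpdump without -n prints names; map the ones that matter back to addresses.
# Assumed mapping, taken from the original poster's footnote.
KNOWN_HOSTS = {
    "google-public-dns-a.google.com": "8.8.8.8",
    "google-public-dns-b.google.com": "8.8.4.4",
}

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<id>\d+)(?P<flags>\+\S*)? (?P<rest>.*)$"
)
# Queries carry "<qtype>? <qname>." (optionally after an EDNS "[1au]" tag);
# responses carry "answers/authority/additional" counts instead, so they do not match.
QUERY_RE = re.compile(r"^(?:\[\S+\] )?(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+)")


def split_endpoint(endpoint):
    """'host.port' -> (host, port). tcpdump prints port 53 as 'domain'."""
    host, _, port = endpoint.rpartition(".")
    return KNOWN_HOSTS.get(host, host), 53 if port == "domain" else int(port)


def parse_queries(lines):
    """Return the DNS queries (responses are skipped) found in tcpdump lines."""
    queries = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        q = QUERY_RE.match(m["rest"])
        if not q:
            continue  # a response, or a payload tcpdump could not decode
        src, _ = split_endpoint(m["src"])
        dst, dport = split_endpoint(m["dst"])
        queries.append({"ts": m["ts"], "src": src, "dst": dst, "dport": dport,
                        "id": int(m["id"]), "qtype": q["qtype"],
                        "qname": q["qname"].rstrip(".")})
    return queries


def resolvers_seen(queries):
    """Resolvers each client addressed, as seen on the capturing interface."""
    seen = defaultdict(set)
    for q in queries:
        seen[q["src"]].add(q["dst"])
    return {client: sorted(dsts) for client, dsts in seen.items()}


def redirect_check(lan_queries, egress_queries, allowed_resolver):
    """Follow each pre-NAT LAN query into the post-NAT egress capture.

    Matched on (transaction ID, qname), which NAT never rewrites. Returns
    redirected (reached allowed_resolver), leaked (reached something else) and
    missing (never seen on this egress interface: dropped by a block rule, or
    sent out another interface such as WAN).
    """
    index = {(q["id"], q["qname"]): q for q in egress_queries}
    redirected, leaked, missing = [], [], []
    for q in lan_queries:
        hit = index.get((q["id"], q["qname"]))
        if hit is None:
            missing.append(q)
        elif hit["dst"] == allowed_resolver:
            redirected.append(q)
        else:
            leaked.append(q)
    return redirected, leaked, missing


# Lines taken from the LAN (igb1) capture posted in the thread; the last one is a response.
LAN_CAPTURE = """
22:39:34.104360 IP NSTV.localdomain.40568 > 10.27.84.1.domain: 22983+ A? anycast.ftl.netflix.com. (41)
22:39:34.104370 IP NSTV.localdomain.57184 > google-public-dns-a.google.com.domain: 30840+ A? anycast.ftl.netflix.com. (41)
22:39:34.105032 IP NSTV.localdomain.40568 > 10.27.84.1.domain: 51366+ A? afol2mxrlfchlcdunmapg.r.nflxso.net. (52)
22:39:34.105041 IP NSTV.localdomain.57184 > google-public-dns-a.google.com.domain: 21478+ A? afol2mxrlfchlcdunmapg.r.nflxso.net. (52)
22:39:34.303376 IP google-public-dns-a.google.com.domain > NSTV.localdomain.57184: 30840 1/0/0 A 66.42.99.246 (57)
""".strip().splitlines()

# Constructed egress (tun) capture: the same queries after rdr and outbound NAT,
# with transaction 21478 deliberately absent. Source ports may differ after NAT.
EGRESS_CAPTURE = """
22:39:34.104401 IP 10.27.84.249.40568 > 10.27.84.1.domain: 22983+ A? anycast.ftl.netflix.com. (41)
22:39:34.104412 IP 10.27.84.249.61002 > 10.27.84.1.domain: 30840+ A? anycast.ftl.netflix.com. (41)
22:39:34.105070 IP 10.27.84.249.40568 > 10.27.84.1.domain: 51366+ A? afol2mxrlfchlcdunmapg.r.nflxso.net. (52)
""".strip().splitlines()

if __name__ == "__main__":
    lan, egress = parse_queries(LAN_CAPTURE), parse_queries(EGRESS_CAPTURE)
    print("LAN (pre-NAT) resolvers per client:", resolvers_seen(lan))
    ok, leaked, missing = redirect_check(lan, egress, "10.27.84.1")
    print(f"redirected={len(ok)} leaked={len(leaked)} missing={len(missing)}")
    for q in missing:
        print("  not seen on egress:", q["id"], q["qname"], "originally to", q["dst"])
```

                Run it again with the second capture taken on WAN instead of the tun interface: a query reported as leaked there really did escape to Google, and one that is missing on both tun and WAN was dropped, which is what the block rule suggested above should produce.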
                hbbs

                  I did a tcpdump on port 53 on my vpn interface and got this:

                  00:42:02.827307 IP 10.27.84.1.domain > 10.27.84.249.39795: 29569 1/0/0 A 66.42.99.246 (56)
                  00:42:02.906872 IP 10.27.84.249.34368 > 10.27.84.1.domain: 23591+ A? nrdp51-appboot.netflix.com. (44)
                  00:42:02.907060 IP 10.27.84.249.34368 > 10.27.84.1.domain: 55629+ A? nrdp.nccp.netflix.com. (39)
                  00:42:02.907093 IP 10.27.84.249.7390 > 10.27.84.1.domain: 31611+ A? nrdp51-appboot.netflix.com. (44)
                  00:42:02.907120 IP 10.27.84.249.7390 > 10.27.84.1.domain: 34021+ A? nrdp.nccp.netflix.com. (39)
                  00:42:02.907129 IP 10.27.84.249.34368 > 10.27.84.1.domain: 17504+ A? api-global.netflix.com. (40)
                  00:42:02.907144 IP 10.27.84.249.7390 > 10.27.84.1.domain: 39867+ A? api-global.netflix.com. (40)
                  00:42:02.907195 IP 10.27.84.249.34368 > 10.27.84.1.domain: 46528+ A? secure.netflix.com. (36)
                  00:42:02.907242 IP 10.27.84.249.7390 > 10.27.84.1.domain: 51047+ A? secure.netflix.com. (36)
                  00:42:02.907280 IP 10.27.84.249.34368 > 10.27.84.1.domain: 61543+ A? uiboot.netflix.com. (36)
                  00:42:02.907299 IP 10.27.84.249.7390 > 10.27.84.1.domain: 20687+ A? uiboot.netflix.com. (36)
                  00:42:02.907346 IP 10.27.84.249.34368 > 10.27.84.1.domain: 48774+ A? customerevents.netflix.com. (44)
                  00:42:02.907390 IP 10.27.84.249.7390 > 10.27.84.1.domain: 51754+ A? customerevents.netflix.com. (44)
                  00:42:02.907435 IP 10.27.84.249.34368 > 10.27.84.1.domain: 40262+ A? ichnaea.netflix.com. (37)
                  00:42:02.907450 IP 10.27.84.249.7390 > 10.27.84.1.domain: 18368+ A? ichnaea.netflix.com. (37)
                  00:42:02.907497 IP 10.27.84.249.34368 > 10.27.84.1.domain: 17987+ A? cdn-0.nflximg.com. (35)
                  00:42:02.907542 IP 10.27.84.249.7390 > 10.27.84.1.domain: 21859+ A? cdn-0.nflximg.com. (35)
                  00:42:03.051651 IP 10.27.84.1.domain > 10.27.84.249.34368: 17504 1/0/0 A 66.42.99.246 (56)
                  00:42:03.051824 IP 10.27.84.1.domain > 10.27.84.249.7390: 39867 1/0/0 A 66.42.99.246 (56)
                  00:42:03.053581 IP 10.27.84.1.domain > 10.27.84.249.34368: 40262 1/0/0 A 66.42.99.246 (53)
                  00:42:03.054631 IP 10.27.84.1.domain > 10.27.84.249.7390: 18368 1/0/0 A 66.42.99.246 (53)
                  00:42:03.062142 IP 10.27.84.1.domain > 10.27.84.249.34368: 17987 4/0/0 CNAME dscg.netflix.com.edgesuite.net., CNAME a743.dscg.akamai.net., A 23.74.2.75, A 23.74.2.72 (142)
                  00:42:03.062322 IP 10.27.84.1.domain > 10.27.84.249.7390: 21859 4/0/0 CNAME dscg.netflix.com.edgesuite.net., CNAME a743.dscg.akamai.net., A 23.74.2.75, A 23.74.2.72 (142)
                  00:42:03.105733 IP 10.27.84.1.domain > 10.27.84.249.7390: 31611 1/0/0 A 66.42.99.246 (60)
                  00:42:03.105869 IP 10.27.84.1.domain > 10.27.84.249.34368: 23591 1/0/0 A 66.42.99.246 (60)
                  00:42:03.105972 IP 10.27.84.1.domain > 10.27.84.249.7390: 34021 1/0/0 A 66.42.99.246 (55)
                  00:42:03.106072 IP 10.27.84.1.domain > 10.27.84.249.34368: 55629 1/0/0 A 66.42.99.246 (55)
                  00:42:03.107169 IP 10.27.84.1.domain > 10.27.84.249.7390: 51047 1/0/0 A 66.42.99.246 (52)
                  00:42:03.107273 IP 10.27.84.1.domain > 10.27.84.249.34368: 46528 1/0/0 A 66.42.99.246 (52)
                  00:42:03.107657 IP 10.27.84.1.domain > 10.27.84.249.7390: 20687 1/0/0 A 66.42.99.246 (52)
                  00:42:03.107800 IP 10.27.84.1.domain > 10.27.84.249.7390: 51754 1/0/0 A 66.42.99.246 (60)
                  00:42:03.107959 IP 10.27.84.1.domain > 10.27.84.249.34368: 61543 1/0/0 A 66.42.99.246 (52)
                  00:42:03.108099 IP 10.27.84.1.domain > 10.27.84.249.34368: 48774 1/0/0 A 66.42.99.246 (60)
                  00:42:10.098505 IP 10.27.84.249.34368 > 10.27.84.1.domain: 39591+ A? occ-0-2430-2433.1.nflxso.net. (46)
                  00:42:10.098516 IP 10.27.84.249.7390 > 10.27.84.1.domain: 45801+ A? occ-0-2430-2433.1.nflxso.net. (46)
                  00:42:10.298125 IP 10.27.84.1.domain > 10.27.84.249.7390: 45801 1/0/0 A 66.42.99.246 (62)
                  00:42:10.298286 IP 10.27.84.1.domain > 10.27.84.249.34368: 39591 1/0/0 A 66.42.99.246 (62)
                  00:42:12.182289 IP 10.27.84.249.34368 > 10.27.84.1.domain: 35460+ A? ipv4-c087-was001-ix.1.oca.nflxvideo.net. (57)
                  00:42:12.182327 IP 10.27.84.249.7390 > 10.27.84.1.domain: 61471+ A? ipv4-c087-was001-ix.1.oca.nflxvideo.net. (57)
                  00:42:12.381842 IP 10.27.84.1.domain > 10.27.84.249.7390: 61471 1/0/0 A 66.42.99.246 (73)
                  00:42:12.381980 IP 10.27.84.1.domain > 10.27.84.249.34368: 35460 1/0/0 A 66.42.99.246 (73
                  

                  Do you see anything wrong? I couldn't.

                  Derelict (Netgate)

                    Looks OK if you want DNS going to 10.27.84.1.

                    hbbs (replying to Derelict)

                      @derelict This is my VPN Gateway.

                      Is there a possibility that the NSTV and Roku are resolving stuff before it gets to the VPN?

                      Derelict (Netgate)

                        I have no idea what NSTV or Roku do.

                        hbbs (replying to Derelict)

                          @derelict They pre-route traffic. Roku has Google DNS "hardcoded", and NSTV apparently does as well; at least Netflix does. Chromecast does it as well, by the way.

                          But thanks for your help. I will try to get more info before I post here again.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.