    Redirecting DNS requests response issue

    • Z
      z3r0_XG

      Hello, I've set up a rule to forward all LAN DNS requests heading externally, not coming from my internal DNS server and pfSense itself, to redirect to my DNS server.

      This seems to be working correctly, however, I am running into issues like this:

      dig www.google.com @8.8.8.8
      ;; reply from unexpected source: 192.168.11.2#53, expected 8.8.8.8#53
      ;; reply from unexpected source: 192.168.11.2#53, expected 8.8.8.8#53
      ;; reply from unexpected source: 192.168.11.2#53, expected 8.8.8.8#53

      ; <<>> DiG 9.11.3-1ubuntu1.13-Ubuntu <<>> www.google.com @8.8.8.8
      ;; global options: +cmd
      ;; connection timed out; no servers could be reached

      So I can see for this machine that the request was redirected to 192.168.11.2, which is the DNS server, but there does not seem to be any masquerading here; the client is aware of the redirect.

      Is there a way to set up a LAN to LAN redirect without exposing this to the client? This might just be a problem for "dig" and other applications like it, but I am worried about some of my IoT devices having issues because they can see their DNS is being redirected.

      • V
        viragomann

        You have to masquerade the requests to the DNS server with the interface address of pfSense, so that return packets are addressed back to pfSense.

        • Z
          z3r0_XG

          Cool, how does one go about doing that? My Google-fu is a bit weak today.

          • V
            viragomann @z3r0_XG

            @z3r0_XG
            That can be done by outbound NAT on pfSense.

            If your outbound NAT is still in automatic mode, switch to hybrid mode. Then add a new rule with settings like these:
            Interface: <the one facing the DNS server>
            Source: LAN net
            Destination: <DNS server's IP>
            Translation: interface address

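The two translation rules the thread describes, written out in pf.conf syntax (what pfSense generates from the GUI), as an added example that is not part of the thread or of pfSense's own generated ruleset. The interface name and LAN subnet are assumptions; 192.168.11.2 is the internal DNS server from the thread.

```pf
# Assumed values: LAN interface name and LAN subnet. The DNS server
# address is the one from the thread.
lan_if  = "igb1"
lan_net = "192.168.11.0/24"
dns_srv = "192.168.11.2"

# Outbound NAT (the fix from the last answer). A query that was already
# redirected to the DNS server leaves on the LAN interface with pfSense's
# own LAN address as its source, so the server answers pfSense. pfSense
# then reverses both translations and the client sees the reply come from
# the resolver it asked (8.8.8.8), instead of "reply from unexpected source".
# "($lan_if)" means the interface's current address, i.e. the GUI's
# "Interface address" translation.
nat on $lan_if proto { tcp udp } from $lan_net to $dns_srv port 53 -> ($lan_if)

# The redirect from the first post. The DNS server itself is exempted first
# so its own upstream queries are not looped back to it. pfSense's own
# queries never enter on the LAN interface, so they are not matched either.
no rdr on $lan_if proto { tcp udp } from $dns_srv to any port 53
rdr on $lan_if proto { tcp udp } from $lan_net to ! $lan_net port 53 -> $dns_srv port 53
```

The nat rule must match the already-redirected destination ($dns_srv), not the external resolver, because rdr is applied on the way in and nat on the way out.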
            • Z
              z3r0_XG @viragomann

              @viragomann WORKED! TYVM -

              dig www.dsffdgdfhdfhsdfsdgdfshdfghdsfds.com @8.8.8.8

              ; <<>> DiG 9.11.3-1ubuntu1.13-Ubuntu <<>> www.dsffdgdfhdfhsdfsdgdfshdfghdsfds.com @8.8.8.8
              ;; global options: +cmd
              ;; Got answer:
              ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 62363
              ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

              ;; OPT PSEUDOSECTION:
              ; EDNS: version: 0, flags:; udp: 4096
              ;; QUESTION SECTION:
              ;www.dsffdgdfhdfhsdfsdgdfshdfghdsfds.com. IN A

              ;; AUTHORITY SECTION:
              com. 900 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1600953019 1800 900 604800 86400

              ;; Query time: 171 msec
              ;; SERVER: 8.8.8.8#53(8.8.8.8)
              ;; WHEN: Thu Sep 24 13:10:34 UTC 2020
              ;; MSG SIZE rcvd: 141

              Internal DNS log:

              Sep 24 09:10:34 dnsmasq[25829]: query[A] www.dsffdgdfhdfhsdfsdgdfshdfghdsfds.com from 192.168.11.1
              Sep 24 09:10:34 dnsmasq[25829]: forwarded www.dsffdgdfhdfhsdfsdgdfshdfghdsfds.com to 2604:6000:1529:8082:9c5d:c6ff:fe2a:ae3b
              Sep 24 09:10:34 dnsmasq[25829]: validation result is SECURE
              Sep 24 09:10:34 dnsmasq[25829]: reply www.dsffdgdfhdfhsdfsdgdfshdfghdsfds.com is NXDOMAIN
