Netgate Discussion Forum
    Redirect dns traffic to local dns server

    General pfSense Questions
    16 Posts 6 Posters 7.9k Views
    • tonysud

      I want to redirect, with pfSense, all traffic from the LAN network (192.168.0.0/16) that goes to any:53 to the local DNS server 192.168.0.99.

      I tried this
      https://doc.pfsense.org/index.php/Redirecting_all_DNS_Requests_to_pfSense
      changing 127.0.0.1 to 192.168.0.99, but it seems the internet doesn't work anymore on the LAN.

      How do I do this?

      • jahonix

        Don't change the localhost to something different.

        • tonysud

          What I want to do is log DNS queries (for example www.XXXXX.com) and also DNS replies (for example 13.14.15.15, 154.52.2.6).

          Please help me.
          Thanks

          • jahonix

            Whether you use the DNS Resolver or the DNS Forwarder would be the first thing to answer.
            What does Status | System Logs tell you in regard to DNS?

            • tonysud

              With the log options, the DNS Forwarder logs DNS replies (IP); the DNS Resolver logs only the hostname.

              But I don't like the DNS Forwarder logging much.
              I'd like to have on one line: the IP of the internal host that made the request, the hostname requested, and the IP associated with that hostname.

              With the DNS Forwarder, all that information is split among many lines.

              If I try to redirect with pfSense from originaldnsip to localdnsserver and then from a client I do dig hostname, I get the error: reply from unexpected source.

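              As an added example (not from this thread, and not pfSense's or dnsmasq's own code), here is a small correlator for DNS Forwarder (dnsmasq) log output that produces the one-line "client, hostname, answer" records tonysud asks for. The log lines are constructed for the example; they follow the `query[TYPE] name from client` / `reply name is answer` messages dnsmasq writes when query logging is enabled, and the correlation by "most recent query for the same name" is an assumption of this script, not something dnsmasq guarantees.

```python
import re

# Constructed sample of pfSense DNS Forwarder (dnsmasq) output with query logging
# enabled. These lines are made up for this example; the format mirrors dnsmasq's
# "query[TYPE] <name> from <client>" and "reply <name> is <answer>" messages.
SAMPLE_LOG = """\
Jan  3 10:00:01 pfSense dnsmasq[1234]: query[A] www.example.com from 192.168.0.10
Jan  3 10:00:01 pfSense dnsmasq[1234]: forwarded www.example.com to 192.168.0.99
Jan  3 10:00:01 pfSense dnsmasq[1234]: reply www.example.com is 93.184.216.34
Jan  3 10:00:02 pfSense dnsmasq[1234]: query[A] mail.example.net from 192.168.0.20
Jan  3 10:00:02 pfSense dnsmasq[1234]: reply mail.example.net is 203.0.113.5
Jan  3 10:00:02 pfSense dnsmasq[1234]: reply mail.example.net is 203.0.113.6
Jan  3 10:00:03 pfSense dnsmasq[1234]: query[A] nx.invalid from 192.168.0.10
Jan  3 10:00:03 pfSense dnsmasq[1234]: reply nx.invalid is NXDOMAIN
"""

QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)")
REPLY_RE = re.compile(r"reply (?P<name>\S+) is (?P<answer>\S+)")


def correlate(log_text):
    """Return one (client, name, answers) tuple per logged query, in log order.

    dnsmasq writes each answer record on its own "reply" line and never repeats
    the client there, so a reply is attributed to the newest query for the same
    name (assumption). That is good enough for a single forwarder's log but can
    misattribute answers when two clients ask for the same name at once.
    """
    records = []   # (client, name, answers) in the order the queries were logged
    latest = {}    # name -> index into records of the newest query for that name
    for line in log_text.splitlines():
        q = QUERY_RE.search(line)
        if q:
            latest[q["name"]] = len(records)
            records.append((q["client"], q["name"], []))
            continue
        r = REPLY_RE.search(line)
        if r and r["name"] in latest:
            records[latest[r["name"]]][2].append(r["answer"])
    return records


def format_records(records):
    """Render each record as 'client name answer1,answer2' on a single line."""
    return [f"{client} {name} {','.join(answers) or '-'}"
            for client, name, answers in records]


if __name__ == "__main__":
    print("\n".join(format_records(correlate(SAMPLE_LOG))))
```

              Feed it the forwarder's log file (or the output of clog on the system log) instead of SAMPLE_LOG; CNAME chains, where dnsmasq logs the final address under the target name, are not stitched together by this script.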
              • aloobibiko

                Make firewall rules for the following:
                1. Rule: pass (first)
                   Interface: LAN
                   Source: any
                   Dst: LAN address
                   Port: 53
                2. Rule: block (second)
                   Interface: LAN
                   Source: any
                   Dst: any
                   Port: 53
                These two rules will force users to use your local DNS server and not bypass it; you should set your local DNS server in DHCP,
                for example 192.168.1.1.

                • tonysud

                  I want to REDIRECT DNS requests:
                  for example, pc1 has a static IP with a static DNS (for example 8.8.8.8 or any other).
                  I don't want to change any PC settings; I only want to hijack DNS traffic to another server.
                  I could do it with iptables, but I don't want another PC always on only to redirect DNS traffic.
                  Please let me know if I can do this with pfSense.

                  • bartkowski

                    I am doing that using a NAT rule and Port Forward.
                    Firewall>NAT>ADD New rule

                    Interface: LAN
                    Protocol: UDP
                    Source:  I created an Alias for one of my devices or IP address of specific device
                    Source Port: ANY

                    Destination:  INVERT MATCH  Type: LAN Address
                    Destination Port: DNS (from/to).

                    Redirect target IP:  IP of my PFSense LAN interface (e.g. 192.168.1.1)
                    Redirect target port: DNS

                    When completed, a rule will be added to Firewall/Rules/LAN called "NAT Redirect….". (1st rule)
                    Permit ANY  LAN 53(DNS) - permit DNS to pfSense on my LAN interface. (2nd rule).

                    Block ANY ANY 53(DNS) - block DNS to everything else (3rd rule)

                    • jahonix

                      @tonysud:

                      If I try to redirect with pfSense from originaldnsip to localdnsserver and then from a client I do dig hostname, I get the error: reply from unexpected source.

                      Are your clients configured by DHCP or static?
                      With DHCP you could just tell them 192.168.0.99 to be their DNS server.

                      • tonysud

                        Clients are statically configured,
                        no DHCP.

                        • tonysud

                          @bartkowski:

                          I am doing that using a NAT rule and Port Forward.
                          Firewall>NAT>ADD New rule

                          Interface: LAN
                          Protocol: UDP
                          Source:  I created an Alias for one of my devices or IP address of specific device

                          Would it be possible to make an alias for ALL IPs in the LAN?

                          I need to redirect ALL clients to my DNS server.

                          Would it be possible to use as DNS server not pfSense itself but the DNS installed on another machine?

                          • bartkowski

                            @tonysud:

                            @bartkowski:

                            I am doing that using a NAT rule and Port Forward.
                            Firewall>NAT>ADD New rule

                            Interface: LAN
                            Protocol: UDP
                            Source:  I created an Alias for one of my devices or IP address of specific device

                            Would it be possible to make an alias for ALL IPs in the LAN?

                            I need to redirect ALL clients to my DNS server.

                            Would it be possible to use as DNS server not pfSense itself but the DNS installed on another machine?

                            Try setting "LAN net"

                            • jahonix

                              @tonysud:

                              Would it be possible to use as DNS server not pfSense itself but the DNS installed on another machine?

                              If you forward within pfSense you don't gain a thing (log wise) and if you redirect it you get an "unexpected source" error.
                              Best bet is to change the client's DNS settings to the "other" machine. Would be easy if configured by DHCP.

                              So I guess you'll have to die one death or the other.

                              • Derelict (LAYER 8 Netgate)

                                You will have a much easier time of it if you redirect clients to a server that is not on their local subnet.

                                If that is absolutely unavoidable I would redirect them to the forwarder on localhost and tell the forwarder to use 192.168.0.99.

                                You can even put the forwarder on a custom port for this purpose so the resolver can continue to function normally if desired.

                                • jahonix

                                  If I got it correctly then tonysud's main issue is with logging or how pfSense logs DNS queries.
                                  But I didn't get that from the beginning…

                                  If you have the forwarder look up at 192.168.0.99 then all queries source from pfSense and those logs do not show who made which request initially. Correct me if I'm wrong, please!

                                  • ziggyblur

                                    What I would do is create a separate internal network for your DNS server. Create a separate network with a /24 netmask. Ideally, physically separate it from your main network. As others have suggested, you can hijack the port 53 packets and forward them to your DNS server in your separate network.

                                    Do you have an available network interface in your pfSense router?
