Redirect dns traffic to local dns server



  • I want to redirect with pfsense all traffic from lan network (192.168.0.0/16) which goes to any:53 to local dns server 192.168.0.99

    I tried this
    https://doc.pfsense.org/index.php/Redirecting_all_DNS_Requests_to_pfSense
    changing 127.0.0.1 with 192.168.0.99 but I it seems it doesn't work internet anymore on lan

    how to do?



  • Don't change the localhost to something different.



  • what I want to do is log dns queries (for example www.XXXXX.com) and also dns replies (for example 13.14.15.15, 154.52.2.6)

    please help me
    thanks



  • Do you use DNS resolver or DNS forwarder would be the first thing to answer.
    What does  Status | System logs  tell you in regard to DNS?



  • with log options, dns forwarder logs dns replies (IP), dns resolver logs only hostname

    but I don't like a lot dns forwarder logging
    I'd like to have in one line: ip of internal host which has made the request, hostname requested, ip associated to that hostname

    with dns forwarder all those informations are split among many lines

    If I try to redirect with pfsense from originaldnsip to localdnsserver and then from a client I do dig hostname, I get error: reply from unexcepted source



  • make firewall rule for the following
    1-Rule:pass (First)
    interface :Lan
    Source:any
    Dst:Lan address
    port:53
    2-Rule:block (second)
    interface:lan
    Source:any
    Dst:any
    Port:53
    This Two Rules will force users to use your local DNS server and not bypass it , you shloud have to set your local dns server on DHCP
    for example 192.168.1.1



  • I want to REDIRECT dns request:
    for example, pc1 has statical ip with static dns ( for example 8.8.8.8 or any other )
    I don't want to change any pc settings, I want only to hijack dns traffic to another server
    I could do it with iptables, but I don't want another pc always on only to redirect dns traffic
    please let me know if I can do this with pfsense



  • I am doing that using a NAT rule and Port Forward.
    Firewall>NAT>ADD New rule

    Interface: LAN
    Protocol: UDP
    Source:  I created an Alias for one of my devices or IP address of specific device
    Source Port: ANY

    Destination:  INVERT MATCH  Type: LAN Address
    Destination Port: DNS (from/to).

    Redirect target IP:  IP of my PFSense LAN interface (e.g. 192.168.1.1)
    Redirect target port: DNS

    When completed, a rule will be added to Firewall/Rules/LAN called "NAT Redirect….". (1st rule)
    Permit ANY  LAN 53(DNS) - permit DNS to pfSense on my LAN interface. (2nd rule).

    Block ANY ANY 53(DNS) - block DNS to everything else (3rd rule)



  • @tonysud:

    If I try to redirect with pfsense from originaldnsip to localdnsserver and then from a client I do dig hostname, I get error: reply from unexcepted source

    Are your clients configured by DHCP or static?
    With DHCP you could just tell them 192.168.0.99 to be their DNS server.



  • client are statically configured
    no dhcp



  • @bartkowski:

    I am doing that using a NAT rule and Port Forward.
    Firewall>NAT>ADD New rule

    Interface: LAN
    Protocol: UDP
    Source:  I created an Alias for one of my devices or IP address of specific device

    would it be possibile to make an alias for ALL ip in the lan?

    I should redirects ALL client to my dns server

    would it be possibile to use as dns server not pfsense itself but the dns installed on another machine?



  • @tonysud:

    @bartkowski:

    I am doing that using a NAT rule and Port Forward.
    Firewall>NAT>ADD New rule

    Interface: LAN
    Protocol: UDP
    Source:  I created an Alias for one of my devices or IP address of specific device

    would it be possibile to make an alias for ALL ip in the lan?

    I should redirects ALL client to my dns server

    would it be possibile to use as dns server not pfsense itself but the dns installed on another machine?

    Try setting "LAN net"



  • @tonysud:

    would it be possibile to use as dns server not pfsense itself but the dns installed on another machine?

    If you forward within pfSense you don't gain a thing (log wise) and if you redirect it you get an "unexpected source" error.
    Best bet is to change the client's DNS settings to the "other" machine. Would be easy if configured by DHCP.

    So I guess you'll have to die one death or the other.


  • LAYER 8 Netgate

    You will have a much easier time of it if you redirect clients to a server that is not on their local subnet.

    If that is absolutely unavoidable I would redirect them to the forwarder on localhost and tell the forwarder to use 192.168.0.99.

    You can even put the forwarder on a custom port for this purpose so the resolver can continue to function normally if desired.



  • If I got it correctly then tonysud's main issue is with logging or how pfSense logs DNS queries.
    But I didn't get that from the beginning…

    If you have the forwarder look up at 192.168.0.99 then all queries source from pfSense and those logs do not show who made which request initially. Correct me if I'm wrong, please!



  • What I would do is create a separate internal network with your DNS server. Create a separate network with a /24 netmask. Ideally physically separate it to your main network. As others have suggested, you can hijack the 53 forward packets to your DNS server in your separate network.

    Do you have an available network interface in your pfsense router?


Log in to reply