Netgate Discussion Forum

    DNS Redirect

    NAT
    6 Posts 4 Posters 1.1k Views
    MontanaIce

      I work at a few school sites and we have an external DNS filter that we allow DNS traffic to. However, the school administrators would like us to set up a DNS redirect to make the transition easier than an outright block of DNS traffic anywhere else other than our approved DNS filter. We have non-domain devices from visitors such as cell phones or any other devices we do not control, and we are asked not to completely block DNS but to redirect those devices' DNS requests to our internal DNS server (that is not pfSense).

      DHCP DNS settings are being used, but we need to redirect all DNS queries going to the WAN side to a LAN DNS server. I realize the best-case scenario is to force all users to move to DHCP or to set static DNS to use those approved DNS servers, but our administrators would like our users to be redirected instead of being outright blocked. How would I achieve this using NAT policies in pfSense?

      viragomann

        That's no magic with pfSense, if the requests which are to be redirected enter pfSense on a different interface from the one the redirection host is connected to. You just need a simple NAT rule.

        Go to Firewall > NAT > Port Forward and add a rule there:
        Interface: LAN or whatever the devices connected to
        Protocol: TCP/UDP
        Destination: any
        Destination port range: DNS
        Redirect target IP: the host IP you want to redirect DNS requests
        Redirect target port: DNS
        Description: <what you want>
        Save it. That's all.

        KOM

          https://doc.pfsense.org/index.php/Redirecting_all_DNS_Requests_to_pfSense

          MontanaIce

            So if I have LAN interface up and hosts on it and I have a DNS server on that same interface I would do this?

            Port Forward Rule:
            Interface: LAN
            Source: !LAN_DNS_Server
            Protocol: TCP & UDP
            Destination: Any
            Destination Port: DNS
            Redirect Target IP: LAN_DNS_Server

            The LAN DNS server needs to reach out to WAN for queries so do I need to inverse select the LAN DNS Server in the source field?

            bartkowski

              @MontanaIce:

              So if I have LAN interface up and hosts on it and I have a DNS server on that same interface I would do this?

              Port Forward Rule:
              Interface: LAN
              Source: !LAN_DNS_Server
              Protocol: TCP & UDP
              Destination: Any
              Destination Port: DNS
              Redirect Target IP: LAN_DNS_Server

              The LAN DNS server needs to reach out to WAN for queries so do I need to inverse select the LAN DNS Server in the source field?

              No, look at the linked article again.
              Source: ANY or LAN
              Destination: !LAN_DNS_Server

              KOM

                I should have pointed out that the article I linked to wasn't an exact match for his issue, but he should be able to change the 127.0.0.1 to his LAN DNS IP and get the same result.

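The thread ends with three candidate Port Forward rules for the same job: MontanaIce's draft (Source: !LAN_DNS_Server, Destination: any), bartkowski's correction taken from the linked article (Source: any, Destination: !LAN_DNS_Server), and, as a generalization, a rule that excludes the DNS server on both sides. The following is an added example, not code from the thread or from pfSense: a small Python model of how such a rule selects packets entering the LAN interface, run against a handful of constructed packets so you can see which traffic each variant rewrites. The addresses (192.168.10.0/24 for the LAN, documentation ranges for the public resolvers) are made up, and the `PortForward` class only models the fields the thread uses, not the full pfSense rule.

```python
"""Model of a pfSense-style DNS redirect (Port Forward) rule on the LAN interface.

Constructed example: the addresses, packets and rule objects are made up and the
matching logic covers only the fields discussed in the thread (protocol, source,
destination, destination port, redirect target).
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, Optional

LAN_DNS = "192.168.10.53"  # constructed; plays the role of the LAN_DNS_Server alias
DNS_PORT = 53


@dataclass(frozen=True)
class Packet:
    src: str     # source IP as the packet enters the LAN interface
    dst: str     # destination IP the client put in the packet
    dport: int
    proto: str   # "udp" or "tcp"


@dataclass(frozen=True)
class PortForward:
    """One Port Forward rule. None for src/dst means 'any'; *_invert is the GUI 'Invert match' box."""
    src: Optional[str]
    src_invert: bool
    dst: Optional[str]
    dst_invert: bool
    dport: int
    target: str                      # Redirect target IP; target port stays 53
    protos: frozenset = frozenset({"tcp", "udp"})


def _addr_matches(selector: Optional[str], invert: bool, addr: str) -> bool:
    """'any' matches everything; otherwise compare and apply the invert flag."""
    if selector is None:
        return True
    return (selector == addr) != invert


def redirect_target(rule: PortForward, pkt: Packet) -> Optional[str]:
    """Return the IP the packet's destination is rewritten to, or None if the rule does not apply."""
    if pkt.proto not in rule.protos or pkt.dport != rule.dport:
        return None
    if not _addr_matches(rule.src, rule.src_invert, pkt.src):
        return None
    if not _addr_matches(rule.dst, rule.dst_invert, pkt.dst):
        return None
    return rule.target


def evaluate(rule: PortForward, packets: Dict[str, Packet]) -> Dict[str, Optional[str]]:
    """Map each labelled packet to its redirect target (None = passes unchanged)."""
    return {label: redirect_target(rule, pkt) for label, pkt in packets.items()}


# Constructed traffic entering pfSense on LAN.
PACKETS: Dict[str, Packet] = {
    "phone_to_public_dns": Packet("192.168.10.77", "198.51.100.53", DNS_PORT, "udp"),  # hard-coded resolver
    "laptop_to_lan_dns":   Packet("192.168.10.20", LAN_DNS, DNS_PORT, "udp"),          # already compliant
    "lan_dns_upstream":    Packet(LAN_DNS, "203.0.113.53", DNS_PORT, "udp"),           # server's own lookup
    "phone_https":         Packet("192.168.10.77", "203.0.113.10", 443, "tcp"),        # not DNS at all
}

# The three rule variants from the thread (the last one is the combined generalization).
RULE_SRC_INVERT = PortForward(src=LAN_DNS, src_invert=True, dst=None, dst_invert=False,
                              dport=DNS_PORT, target=LAN_DNS)
RULE_DST_INVERT = PortForward(src=None, src_invert=False, dst=LAN_DNS, dst_invert=True,
                              dport=DNS_PORT, target=LAN_DNS)
RULE_BOTH = PortForward(src=LAN_DNS, src_invert=True, dst=LAN_DNS, dst_invert=True,
                        dport=DNS_PORT, target=LAN_DNS)


if __name__ == "__main__":
    for name, rule in [("source !LAN_DNS", RULE_SRC_INVERT),
                       ("dest !LAN_DNS", RULE_DST_INVERT),
                       ("both excluded", RULE_BOTH)]:
        print(f"--- {name}")
        for label, target in evaluate(rule, PACKETS).items():
            print(f"{label:22s} -> {target or 'unchanged'}")
```

Reading the three result tables side by side: every variant rewrites the phone's query to the hard-coded resolver, which is the goal. They differ on the edge cases. Excluding the server only as the destination leaves queries already aimed at it untouched but captures the server's own upstream lookups, because those also enter on LAN with a port 53 destination other than itself; excluding it only as the source does the reverse. With the DNS server on the same LAN as the clients, both exclusions are needed; when the server sits behind a different interface, as viragomann's reply assumes, its upstream traffic never enters on LAN and the source exclusion is unnecessary.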
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.