DNS Redirect



  • I work at a few school sites and we have an external DNS filter that we allow DNS traffic to. However, the school administrators would like us to set up a DNS redirect to make the transition easier than an outright block of DNS traffic anywhere else other than our approved DNS filter. We have non-domain devices from visitors such as cell phones or any other devices we do not control, and we are asked to not completely block DNS but to redirect those devices' DNS requests to our internal DNS server (which is not pfSense).

    DHCP DNS settings are being used, but we need to redirect all DNS queries headed to the WAN side to a LAN DNS server. I realize the best case scenario is to force all users to move to DHCP or to set static DNS to use those approved DNS servers, but our administrators would like our users to be redirected instead of being outright blocked. How would I achieve this using NAT policies in pfSense?



  • That's no magic with pfSense, if the requests which are to be redirected enter pfSense on a different interface than the one the redirection host is connected to. You just need a simple NAT rule.

    Go to Firewall > NAT > Port Forward and add a rule there:
    Interface: LAN or whatever the devices connected to
    Protocol: TCP/UDP
    Destination: any
    Destination port range: DNS
    Redirect target IP: the host IP you want to redirect DNS requests
    Redirect target port: DNS
    Description: <what you want>
    Save it. That's all.





  • So if I have LAN interface up and hosts on it and I have a DNS server on that same interface I would do this?

    Port Forward Rule:
    Interface: LAN
    Source: !LAN_DNS_Server
    Protocol: TCP & UDP
    Destination: Any
    Destination Port: DNS
    Redirect Target IP: LAN_DNS_Server

    The LAN DNS server needs to reach out to WAN for queries so do I need to inverse select the LAN DNS Server in the source field?



  • @MontanaIce:

    So if I have LAN interface up and hosts on it and I have a DNS server on that same interface I would do this?

    Port Forward Rule:
    Interface: LAN
    Source: !LAN_DNS_Server
    Protocol: TCP & UDP
    Destination: Any
    Destination Port: DNS
    Redirect Target IP: LAN_DNS_Server

    The LAN DNS server needs to reach out to WAN for queries so do I need to inverse select the LAN DNS Server in the source field?

    No, look at the linked article again.
    Source: ANY or LAN
    Destination: !LAN_DNS_Server



  • I should have pointed out that the article I linked to wasn't an exact match for his issue, but he should be able to change the 127.0.0.1 to his LAN DNS IP and get the same result.
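To see what each of the three rule shapes discussed in this thread actually catches, here is an added Python model of a LAN port-forward rule. It is not pfSense code and not from any poster; the addresses (192.168.10.0/24, a DNS server at 192.168.10.5, a phone at 192.168.10.77, 8.8.8.8 as an outside resolver) are constructed for the example. It applies the "destination any", "destination !LAN_DNS_Server" and "source !LAN_DNS_Server" variants to a few flows, including the LAN DNS server's own upstream query that MontanaIce asks about, and reports where each flow ends up.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, Optional

# Constructed addresses for this example; substitute the real LAN and DNS server.
LAN_NET = ip_network("192.168.10.0/24")
LAN_DNS_SERVER = "192.168.10.5"   # the internal DNS server on the LAN (not pfSense)
UPSTREAM = "8.8.8.8"              # an outside resolver a client or the server might ask
PHONE = "192.168.10.77"           # a visitor device with hard-coded external DNS


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class PortForward:
    """A pfSense Port Forward rule bound to the LAN interface, reduced to the
    fields discussed in the thread. src_exclude / dst_exclude model the
    'invert match' (!) setting on Source and Destination."""
    name: str
    target: str
    src_exclude: Optional[str] = None
    dst_exclude: Optional[str] = None
    dport: int = 53

    def matches(self, f: Flow) -> bool:
        # The rule is on LAN, so only traffic entering from the LAN is evaluated.
        if ip_address(f.src) not in LAN_NET:
            return False
        if f.proto not in ("tcp", "udp") or f.dport != self.dport:
            return False
        if self.src_exclude is not None and f.src == self.src_exclude:
            return False
        if self.dst_exclude is not None and f.dst == self.dst_exclude:
            return False
        return True


def resolve_destinations(rule: PortForward, flows: Iterable[Flow]) -> Dict[Flow, str]:
    """Destination each flow actually reaches after the rdr rule is applied."""
    return {f: (rule.target if rule.matches(f) else f.dst) for f in flows}


# The three rule shapes that appear in the thread.
RULES = {
    "dst_any": PortForward("destination any", LAN_DNS_SERVER),
    "dst_not_dns": PortForward("destination !LAN_DNS_Server", LAN_DNS_SERVER,
                               dst_exclude=LAN_DNS_SERVER),
    "src_not_dns": PortForward("source !LAN_DNS_Server", LAN_DNS_SERVER,
                               src_exclude=LAN_DNS_SERVER),
}

# Constructed sample flows.
FLOWS = (
    Flow(PHONE, UPSTREAM, "udp", 53),           # phone asking an outside resolver
    Flow(PHONE, LAN_DNS_SERVER, "udp", 53),     # client already using the approved server
    Flow(LAN_DNS_SERVER, UPSTREAM, "udp", 53),  # the DNS server's own upstream query
    Flow(PHONE, "1.1.1.1", "tcp", 443),         # non-DNS traffic, must be untouched
)


def client_query_redirected(rule_key: str) -> bool:
    """True if the phone's query to the outside resolver lands on the LAN DNS server."""
    dests = resolve_destinations(RULES[rule_key], FLOWS)
    return dests[Flow(PHONE, UPSTREAM, "udp", 53)] == LAN_DNS_SERVER


def upstream_query_reaches_internet(rule_key: str) -> bool:
    """True if the LAN DNS server's own recursive query still goes to UPSTREAM."""
    dests = resolve_destinations(RULES[rule_key], FLOWS)
    return dests[Flow(LAN_DNS_SERVER, UPSTREAM, "udp", 53)] == UPSTREAM


if __name__ == "__main__":
    for rule in RULES.values():
        print(f"--- {rule.name}")
        for f, dst in resolve_destinations(rule, FLOWS).items():
            mark = "redirected" if dst != f.dst else "passed"
            print(f"  {f.src} -> {f.dst}:{f.dport}/{f.proto}  => {dst}  ({mark})")
```

Running it shows that all three shapes send a visitor device's query to an outside resolver to the LAN DNS server; they differ only in whether the internal server's own recursive queries toward the internet are also caught, which is what the Source versus Destination invert choice decides. Confirm the behaviour on the real box by watching the entries for port 53 under Diagnostics > States after making the change, rather than trusting the model.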

