[SOLVED] Could not get DNS intercept to work with NAT



  • Hello,

    I need some backup with a NAT issue, as I'm struggling to intercept DNS traffic and redirect it to my local DNS server without any luck; however, this should be quite simple.

    What I did:

    Firewall -> NAT -> Port Forward -> Add rule
    Interface: LAN
    Protocol: TCP/UDP
    Source: Invert match - single host/alias - localdns (localdns is an alias pointing to the IP of my local dns server)

    Destination: any
    Port: DNS
    Redirect IP: localdns
    Redirect Port: DNS

    I have a FW rule to allow my localdns server to access external forwarders and set logging when this rule used.
    Interestingly, when I try to open something in the browser on a workstation (on the LAN), I see my localdns server access the forwarder, but the workstation reports DNS resolution issues and cannot open anything. It seems the answer doesn't come back to the workstation from the localdns server (asymmetric routing issue maybe?).

    Thanks for your help.

    [SOLVED]
      Solution: Activated the DNS forwarder on pfSense (upstream is the DNS server on the LAN) and forced all port 53 client requests to the pfSense LAN IP or localhost instead of the DNS server.



  • Use the DNS forwarder of pfSense instead.
    In the General Setup only set your internal DNS server, so it will use only this one for DNS queries, and change the destination of the NAT forwarding rule to localhost:
    https://doc.pfsense.org/index.php/Redirecting_all_DNS_Requests_to_pfSense



  • @viragomann:

    Use the DNS forwarder of pfSense instead.

    Thanks for your answer, but I need a solution without bringing the DNS role to pfSense.

    Reason: there's a Pi-hole deployed on the local network which must handle all DNS requests in the first instance. I have not found any solution yet which provides similar performance and comfort (when blocking 500,000+ DNS entries with reasonable performance)… but this is another story.

    The feature I need is called something like DNS Filtering in the Merlin distros of AsusWRT for instance.

    The LAN-deployed DNS server works fine (DNS server IP distributed with pfSense DHCP); however, there are some clients which have hardcoded DNS server IPs in the firmware (like Google or their own DNS servers). It must be ensured that all DNS requests from the LAN go to the local server first.



  • Use pfSense for DNS.  Get all clients to use pfSense for DNS.  Configure pfSense upstream DNS to be your pihole.  Redirect all DNS requests to pfSense as per the linked document.



  • I can't see what the problem is with that solution. Your devices with hardcoded DNS servers get the DNS info from pfSense and pfSense pulls it from your internal DNS server.

    However, if you want to direct the DNS requests directly to the DNS server, you can achieve this by moving the DNS server from the LAN into a transfer network connected to pfSense. This may also be a VLAN within the existing LAN.



  • @viragomann:

    I can't see what the problem is with that solution.

    There is no problem with it, I just wanted to save an extra hop. On the other hand, I was curious about how to solve this problem, as I did not know the reason why it wasn't working. I have just been missing networking topics in my life, therefore I started to practice a bit and try to understand how these things work.

    Anyway, I finally configured it the way suggested and it seems to be working fine; however, the redirect IP had to be set to the LAN address of pfSense in the port forward rule and not to the loopback address 127.0.0.1 (as in the instructions in the linked document). It was not working that way at all.

    Current setup:

    • pfSense with activated DNS Forwarder service
    • local Pi-Hole DNS server acts as an upstream server (Configured in System\General Setup)
    • There's a redirect rule under Firewall\NAT to catch all DNS traffic from LAN clients where the SRC is not the Pi-Hole DNS server and the DST is not the pfSense LAN interface.

    Thanks a lot for your support, both of you.



  • You mentioned the reason for your issue yourself: you have asymmetric routing.

    Your LAN device sent a DNS request to a public server, pfSense forwarded it to your internal DNS, but the internal DNS server sent the response directly to the requesting LAN device. So the response was coming from a different IP than the one the request was sent to, and so the DNS client ignored it.

    Now responses come from pfSense, which translates the source address back into the destination address of the request packets.

    @dean2028:

    however, the redirect IP had to be set to the LAN address of pfSense in the port forward rule and not to the loopback address 127.0.0.1 (as in the instructions in the linked document). It was not working that way at all.

    Have you configured the DNS resolver to listen on localhost or all interfaces as suggested in the doc?
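
    The asymmetric-routing explanation above, and the working setup described earlier in the thread (redirect to the pfSense LAN IP, forwarder listening there, Pi-hole as upstream), as an added example that is not from the thread, from pfSense, or from Pi-hole: a small Python model of a stateful rdr (port-forward) rule. It reproduces three outcomes: redirecting to a DNS server on the same LAN (reply bypasses pfSense, client drops it), redirecting to the pfSense LAN address (reply is un-translated, client accepts it), and redirecting to 127.0.0.1 with the forwarder not bound to localhost (nothing listens). All addresses, ports and the `resolve`/`PfRedirect` names are constructed for the example; the pf state handling is simplified to what matters here.

```python
"""Model of a pfSense/pf 'rdr' DNS redirect and why the reply path matters.
Constructed example: addresses, ports and names are made up for illustration."""
from dataclasses import dataclass

CLIENT = "192.168.1.50"        # LAN workstation with a hardcoded resolver
PIHOLE = "192.168.1.10"        # local DNS server (the "localdns" alias)
PFSENSE_LAN = "192.168.1.1"    # pfSense LAN interface address
LOOPBACK = "127.0.0.1"
PUBLIC_DNS = "8.8.8.8"         # the resolver the client insists on using
LAN_HOSTS = {CLIENT, PIHOLE}   # reach each other via the switch, not via pfSense


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: str


class PfRedirect:
    """Stateful rdr rule, roughly equivalent to the thread's port forward:
    rdr on LAN proto {tcp udp} from !localdns to !LAN_address port 53 -> redirect_ip port 53
    Inbound: rewrite the destination and remember the original one.
    Reply passing back through the firewall: rewrite the source back."""

    def __init__(self, redirect_ip, exclude_src, exclude_dst):
        self.redirect_ip = redirect_ip
        self.exclude_src = set(exclude_src)   # e.g. the Pi-hole's own upstream queries
        self.exclude_dst = set(exclude_dst)   # e.g. queries already aimed at pfSense
        self.state = {}                       # (client_ip, client_port) -> original dst

    def from_lan(self, pkt):
        if (pkt.dport == 53 and pkt.src not in self.exclude_src
                and pkt.dst not in self.exclude_dst):
            self.state[(pkt.src, pkt.sport)] = pkt.dst
            return Packet(pkt.src, pkt.sport, self.redirect_ip, 53, pkt.payload)
        return pkt

    def reply_via_firewall(self, pkt):
        key = (pkt.dst, pkt.dport)
        if key in self.state and pkt.src == self.redirect_ip and pkt.sport == 53:
            return Packet(self.state[key], 53, pkt.dst, pkt.dport, pkt.payload)
        return pkt


def client_accepts(reply, query):
    """A stub resolver socket connected to 8.8.8.8:53 only takes datagrams
    whose source address/port match where the query was sent."""
    return (reply.src == query.dst and reply.sport == query.dport
            and reply.dst == query.src and reply.dport == query.sport)


def resolve(redirect_ip, forwarder_listen):
    """Push one query through the configuration and report what the client sees.
    forwarder_listen: addresses the pfSense DNS forwarder is bound to."""
    nat = PfRedirect(redirect_ip, exclude_src={PIHOLE}, exclude_dst={PFSENSE_LAN})
    query = Packet(CLIENT, 40123, PUBLIC_DNS, 53, "A? example.org")
    fwd = nat.from_lan(query)

    if fwd.dst in LAN_HOSTS:
        # Redirected to a host on the client's own subnet: the answer is
        # switched straight back to the client and never crosses pfSense,
        # so the source is never translated back (asymmetric path).
        reply = Packet(fwd.dst, 53, fwd.src, fwd.sport, "answer")
        if client_accepts(reply, query):
            return "answered"
        return "dropped: reply from %s, client expected %s" % (reply.src, query.dst)

    # Redirected to pfSense itself: works only if the forwarder listens there.
    if fwd.dst not in forwarder_listen:
        return "no listener on %s (port unreachable / timeout)" % fwd.dst
    # The forwarder answers (Pi-hole is its upstream) from the address it
    # received on; the reply leaves through pf, which reverses the rdr.
    reply = nat.reply_via_firewall(Packet(fwd.dst, 53, fwd.src, fwd.sport, "answer"))
    return "answered" if client_accepts(reply, query) else "dropped"


if __name__ == "__main__":
    print("redirect -> Pi-hole on LAN:      ", resolve(PIHOLE, {PFSENSE_LAN}))
    print("redirect -> pfSense LAN IP:      ", resolve(PFSENSE_LAN, {PFSENSE_LAN}))
    print("redirect -> 127.0.0.1, LAN only: ", resolve(LOOPBACK, {PFSENSE_LAN}))
    print("redirect -> 127.0.0.1, bound too:", resolve(LOOPBACK, {PFSENSE_LAN, LOOPBACK}))
```

    The `exclude_src` set is what keeps the Pi-hole's own queries to its external forwarders from being looped back into the redirect, and `exclude_dst` keeps clients that already use the pfSense LAN address out of the state table; both correspond to the "SRC is not the Pi-hole" and "DST is not the pfSense LAN interface" conditions in the final rule.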



  • @viragomann:

    Have you configured the DNS resolver to listen on localhost or all interfaces as suggested in the doc?

    No, I missed that. Thanks for pointing out. That solves the issue.

