Help redirect DNS queries from any device to a VPN DNS through the tun interface
-
@hbbs said in Help redirect DNS queries from any device to a VPN DNS through the tun interface:
If: LAN
Proto: TCP/UDP
Src: 192.168.1.50
Src ports: *
Dest addr: any
Dest. ports: 53 (DNS)
NAT IP: 10.27.84.1
NAT ports: 53 (DNS)
Description: Redirect DNS
You will still see Google DNS in a packet capture on LAN because that is what is being captured before NAT happens.
As I have said at least twice now already, if you don't want the device to use 8.8.8.8, don't tell it to use 8.8.8.8 in DHCP or its static configuration.
-
@derelict said in Help redirect DNS queries from any device to a VPN DNS through the tun interface:
@hbbs said in Help redirect DNS queries from any device to a VPN DNS through the tun interface:
If: LAN
Proto: TCP/UDP
Src: 192.168.1.50
Src ports: *
Dest addr: any
Dest. ports: 53 (DNS)
NAT IP: 10.27.84.1
NAT ports: 53 (DNS)
Description: Redirect DNS
You will still see Google DNS in a packet capture on LAN because that is what is being captured before NAT happens.
That explains a lot.
As I have said at least twice now already, if you don't want the device to use 8.8.8.8, don't tell it to use 8.8.8.8 in DHCP or its static configuration.
I will show you my DHCP static configuration for my NSTV. It has been in place since the first time you mentioned it. Maybe I did something wrong.
https://i.imgur.com/eoEWw4H.png
https://i.imgur.com/EVsIxlm.png
(I have erased MAC addresses)
-
That looks OK to me. If that record is in place, and you have verified that it is actually getting the IP address specified, and the NSTV still insists on using 8.8.8.8 I'm not sure what to tell you there. Probably a question for them.
(I have erased MAC addresses)
(Because everyone on the internet cares about what your MAC address is...)
-
@derelict It is in place, I believe.
All I was trying to do was pre-route the Google DNS servers to my VPN DNS (tun).
Is there a way I can verify that NAT is actually doing what it is supposed to do?
I ran tcpdump -i igb1 host xxxxx and port 53 to produce those logs.
-
Packet capture on the OpenVPN interface instead. That will show you what's going out to them.
You can also put a rule after one that passes the NAT traffic that blocks all traffic from 192.168.1.50 to destination any tcp/udp port 53.
-
I did a tcpdump on port 53 on my VPN interface and got this:
00:42:02.827307 IP 10.27.84.1.domain > 10.27.84.249.39795: 29569 1/0/0 A 66.42.99.246 (56)
00:42:02.906872 IP 10.27.84.249.34368 > 10.27.84.1.domain: 23591+ A? nrdp51-appboot.netflix.com. (44)
00:42:02.907060 IP 10.27.84.249.34368 > 10.27.84.1.domain: 55629+ A? nrdp.nccp.netflix.com. (39)
00:42:02.907093 IP 10.27.84.249.7390 > 10.27.84.1.domain: 31611+ A? nrdp51-appboot.netflix.com. (44)
00:42:02.907120 IP 10.27.84.249.7390 > 10.27.84.1.domain: 34021+ A? nrdp.nccp.netflix.com. (39)
00:42:02.907129 IP 10.27.84.249.34368 > 10.27.84.1.domain: 17504+ A? api-global.netflix.com. (40)
00:42:02.907144 IP 10.27.84.249.7390 > 10.27.84.1.domain: 39867+ A? api-global.netflix.com. (40)
00:42:02.907195 IP 10.27.84.249.34368 > 10.27.84.1.domain: 46528+ A? secure.netflix.com. (36)
00:42:02.907242 IP 10.27.84.249.7390 > 10.27.84.1.domain: 51047+ A? secure.netflix.com. (36)
00:42:02.907280 IP 10.27.84.249.34368 > 10.27.84.1.domain: 61543+ A? uiboot.netflix.com. (36)
00:42:02.907299 IP 10.27.84.249.7390 > 10.27.84.1.domain: 20687+ A? uiboot.netflix.com. (36)
00:42:02.907346 IP 10.27.84.249.34368 > 10.27.84.1.domain: 48774+ A? customerevents.netflix.com. (44)
00:42:02.907390 IP 10.27.84.249.7390 > 10.27.84.1.domain: 51754+ A? customerevents.netflix.com. (44)
00:42:02.907435 IP 10.27.84.249.34368 > 10.27.84.1.domain: 40262+ A? ichnaea.netflix.com. (37)
00:42:02.907450 IP 10.27.84.249.7390 > 10.27.84.1.domain: 18368+ A? ichnaea.netflix.com. (37)
00:42:02.907497 IP 10.27.84.249.34368 > 10.27.84.1.domain: 17987+ A? cdn-0.nflximg.com. (35)
00:42:02.907542 IP 10.27.84.249.7390 > 10.27.84.1.domain: 21859+ A? cdn-0.nflximg.com. (35)
00:42:03.051651 IP 10.27.84.1.domain > 10.27.84.249.34368: 17504 1/0/0 A 66.42.99.246 (56)
00:42:03.051824 IP 10.27.84.1.domain > 10.27.84.249.7390: 39867 1/0/0 A 66.42.99.246 (56)
00:42:03.053581 IP 10.27.84.1.domain > 10.27.84.249.34368: 40262 1/0/0 A 66.42.99.246 (53)
00:42:03.054631 IP 10.27.84.1.domain > 10.27.84.249.7390: 18368 1/0/0 A 66.42.99.246 (53)
00:42:03.062142 IP 10.27.84.1.domain > 10.27.84.249.34368: 17987 4/0/0 CNAME dscg.netflix.com.edgesuite.net., CNAME a743.dscg.akamai.net., A 23.74.2.75, A 23.74.2.72 (142)
00:42:03.062322 IP 10.27.84.1.domain > 10.27.84.249.7390: 21859 4/0/0 CNAME dscg.netflix.com.edgesuite.net., CNAME a743.dscg.akamai.net., A 23.74.2.75, A 23.74.2.72 (142)
00:42:03.105733 IP 10.27.84.1.domain > 10.27.84.249.7390: 31611 1/0/0 A 66.42.99.246 (60)
00:42:03.105869 IP 10.27.84.1.domain > 10.27.84.249.34368: 23591 1/0/0 A 66.42.99.246 (60)
00:42:03.105972 IP 10.27.84.1.domain > 10.27.84.249.7390: 34021 1/0/0 A 66.42.99.246 (55)
00:42:03.106072 IP 10.27.84.1.domain > 10.27.84.249.34368: 55629 1/0/0 A 66.42.99.246 (55)
00:42:03.107169 IP 10.27.84.1.domain > 10.27.84.249.7390: 51047 1/0/0 A 66.42.99.246 (52)
00:42:03.107273 IP 10.27.84.1.domain > 10.27.84.249.34368: 46528 1/0/0 A 66.42.99.246 (52)
00:42:03.107657 IP 10.27.84.1.domain > 10.27.84.249.7390: 20687 1/0/0 A 66.42.99.246 (52)
00:42:03.107800 IP 10.27.84.1.domain > 10.27.84.249.7390: 51754 1/0/0 A 66.42.99.246 (60)
00:42:03.107959 IP 10.27.84.1.domain > 10.27.84.249.34368: 61543 1/0/0 A 66.42.99.246 (52)
00:42:03.108099 IP 10.27.84.1.domain > 10.27.84.249.34368: 48774 1/0/0 A 66.42.99.246 (60)
00:42:10.098505 IP 10.27.84.249.34368 > 10.27.84.1.domain: 39591+ A? occ-0-2430-2433.1.nflxso.net. (46)
00:42:10.098516 IP 10.27.84.249.7390 > 10.27.84.1.domain: 45801+ A? occ-0-2430-2433.1.nflxso.net. (46)
00:42:10.298125 IP 10.27.84.1.domain > 10.27.84.249.7390: 45801 1/0/0 A 66.42.99.246 (62)
00:42:10.298286 IP 10.27.84.1.domain > 10.27.84.249.34368: 39591 1/0/0 A 66.42.99.246 (62)
00:42:12.182289 IP 10.27.84.249.34368 > 10.27.84.1.domain: 35460+ A? ipv4-c087-was001-ix.1.oca.nflxvideo.net. (57)
00:42:12.182327 IP 10.27.84.249.7390 > 10.27.84.1.domain: 61471+ A? ipv4-c087-was001-ix.1.oca.nflxvideo.net. (57)
00:42:12.381842 IP 10.27.84.1.domain > 10.27.84.249.7390: 61471 1/0/0 A 66.42.99.246 (73)
00:42:12.381980 IP 10.27.84.1.domain > 10.27.84.249.34368: 35460 1/0/0 A 66.42.99.246 (73
Do you see anything wrong? I couldn't.
-
Looks OK if you want DNS going to 10.27.84.1.
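The check derelict describes (capture on the OpenVPN interface and confirm every query actually goes to the VPN resolver) can be made mechanical. The script below is an added example, not code from this thread or from pfSense: it parses the one-packet-per-line output that tcpdump prints for port-53 traffic, counts which resolver each query was sent to, and lists any query that went anywhere other than the expected resolver (10.27.84.1 here). The embedded sample lines are constructed in the same format as the capture posted above; the last one, a query from 192.168.1.50 straight to 8.8.8.8, is made up to show what a leak looks like in the output. The interface name ovpnc1 in the usage comment is an assumption.

```python
import re
from collections import Counter

# Constructed sample in the format tcpdump prints for port-53 traffic.
# The final line (LAN host asking 8.8.8.8 directly) is made up to show
# how a query that bypassed the redirect would be reported.
SAMPLE_CAPTURE = """\
00:42:02.906872 IP 10.27.84.249.34368 > 10.27.84.1.domain: 23591+ A? nrdp51-appboot.netflix.com. (44)
00:42:02.907060 IP 10.27.84.249.34368 > 10.27.84.1.domain: 55629+ A? nrdp.nccp.netflix.com. (39)
00:42:03.051651 IP 10.27.84.1.domain > 10.27.84.249.34368: 17504 1/0/0 A 66.42.99.246 (56)
00:42:03.062142 IP 10.27.84.1.domain > 10.27.84.249.34368: 17987 4/0/0 CNAME dscg.netflix.com.edgesuite.net., CNAME a743.dscg.akamai.net., A 23.74.2.75, A 23.74.2.72 (142)
00:42:10.098505 IP 192.168.1.50.51234 > 8.8.8.8.domain: 12345+ A? example.com. (29)
"""

# One tcpdump line: "<ts> IP <src>.<sport> > <dst>.<dport>: <payload>"
# The port may be printed as a name ("domain") or a number.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\w+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\w+): (?P<payload>.*)$"
)
# A query payload looks like "23591+ A? name. (44)"; a response payload
# looks like "17504 1/0/0 A 66.42.99.246 (56)" and has no "<type>?" token.
QUERY_RE = re.compile(r"^\d+\+?\s+(?P<qtype>[A-Z]+)\?\s+(?P<qname>\S+)")


def parse_dns_lines(text):
    """Yield one dict per parseable tcpdump line; other lines are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        rec = m.groupdict()
        q = QUERY_RE.match(rec["payload"])
        rec["is_query"] = q is not None
        rec["qtype"] = q.group("qtype") if q else None
        rec["qname"] = q.group("qname") if q else None
        yield rec


def audit_resolvers(text, expected_resolver):
    """Count queries per destination resolver and list those that bypassed expected_resolver.

    Returns (counts, leaks): counts maps destination IP -> number of queries,
    leaks is a list of (src, dst, qname) for queries sent elsewhere.
    """
    counts = Counter()
    leaks = []
    for rec in parse_dns_lines(text):
        if not rec["is_query"]:
            continue  # responses tell us nothing new about where queries went
        counts[rec["dst"]] += 1
        if rec["dst"] != expected_resolver:
            leaks.append((rec["src"], rec["dst"], rec["qname"]))
    return counts, leaks


if __name__ == "__main__":
    import sys
    # Usage (interface name is an assumption; use your OpenVPN client interface):
    #   tcpdump -n -l -i ovpnc1 port 53 | python3 dns_audit.py 10.27.84.1
    # With no piped input the constructed sample is analysed instead.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CAPTURE
    resolver = sys.argv[1] if len(sys.argv) > 1 else "10.27.84.1"
    counts, leaks = audit_resolvers(text, resolver)
    for dst, n in counts.most_common():
        print(f"{n:5d} queries -> {dst}")
    for src, dst, qname in leaks:
        print(f"LEAK: {src} asked {dst} for {qname}")
```

Run tcpdump with -n so addresses are not reverse-resolved and -l so lines reach the script as they are captured. Where you capture matters: on the LAN interface (igb1 in this thread) the destination is still 8.8.8.8 because the redirect has not happened yet, so the useful captures are on the OpenVPN interface, which shows what the VPN resolver receives, and on the WAN interface, where any port-53 packet leaving to 8.8.8.8 means the redirect was not applied. A port-53 capture only sees plain DNS; a device that resolves over HTTPS or TLS (443 or 853) would not appear in this output at all.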
-
@derelict This is my VPN Gateway.
Is there a possibility that NSTV, Roku are resolving stuff before it gets to the VPN?
-
I have no idea what NSTV or Roku do.
-
@derelict They pre-route traffic. Roku has the Google DNS "hardcoded" and NSTV apparently does it as well. At least Netflix does. Chromecast does it as well, btw.
But thanks for your help. I will try to get more info before I post here again.