Netgate Discussion Forum

Help redirect DNS queries from any device to a VPN DNS through the tun interface

DHCP and DNS
16 Posts 2 Posters 1.7k Views
    hbbs
    last edited by hbbs Jan 1, 2019, 3:56 AM Jan 1, 2019, 3:45 AM

    Hi,

    I am new to pfSense. I'm trying to redirect all DNS queries from a Roku to a DNS belonging to my VPN provider through the tun interface.

    So far, I haven't been successful.

    I am going to attach a screenshot of the firewall rule that I could come up with.

    [screenshot of the firewall rule]

    192.168.0.107 = Roku

    I would gladly welcome any help about this.

    Thanks in advance.

      hbbs
      last edited by hbbs Jan 5, 2019, 9:58 PM Jan 5, 2019, 9:54 PM

      Look at this excerpt of my tcpdump.

      00:48:08.698722 IP NSTV.localdomain.56718 > 10.4.0.1.domain: 65357+ A? occ-0-987-1009.1.nflxso.net. (45)
      00:48:08.698732 IP NSTV.localdomain.60855 > google-public-dns-a.google.com.domain: 48439+ A? occ-0-987-1009.1.nflxso.net. (45)
      00:48:09.033752 IP google-public-dns-a.google.com.domain > NSTV.localdomain.60855: 48439 2/0/0 A 198.38.99.168, A 198.38.99.178 (77)
      00:48:09.033806 IP 10.4.0.1.domain > NSTV.localdomain.56718: 65357 2/0/0 A 198.38.99.168, A 198.38.99.178 (77)

      That's what I want to avoid: google-public-dns-a.google.com.domain > NSTV.localdomain.60855

        Derelict LAYER 8 Netgate
        last edited by Derelict Jan 5, 2019, 10:25 PM Jan 5, 2019, 10:23 PM

        What IP addresses is the ROKU using for DNS? It looks like DHCP is giving it a local address and a google address. 8.8.8.8 will not match destination This firewall (self).

        If you want all DNS queries made from 192.168.0.107 to go to 192.168.0.1 then change the destination address to any.

        But if 192.168.0.1 is the local DNS that is not what you want. You probably want to forward to a VPN provider server.

        You could also simply set the VPN provider servers in a static entry for the Roku in the DHCP server. I am assuming you are already policy routing traffic from the Roku to the VPN gateway so that should just work.

        (Good luck using Netflix over a VPN provider.)

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

          hbbs @Derelict
          last edited by Jan 6, 2019, 5:41 PM

          @derelict said in Help redirect DNS queries from any device to a VPN DNS through the tun interface:

          What IP addresses is the ROKU using for DNS? It looks like DHCP is giving it a local address and a google address. 8.8.8.8 will not match destination This firewall (self).

          If you want all DNS queries made from 192.168.0.107 to go to 192.168.0.1 then change the destination address to any.

          But if 192.168.0.1 is the local DNS that is not what you want. You probably want to forward to a VPN provider server.

          I have tried that. I got this error message:

          The following input errors were detected:

          The field Destination port from is required.
          The field Destination port to is required.

          I have also gone looking at my tcpdump, this time with my Roku.

          I put my VPN gateway address as my LAN IP and it is still not blocking Google's DNS lookups:

          20:34:21.049508 IP Roku3.localdomain.55744 > google-public-dns-a.google.com.domain: 21198+ A? captive.roku.com. (34)
          20:34:21.050809 IP Roku3.localdomain.49462 > google-public-dns-b.google.com.domain: 9422+ A? captive.roku.com. (34)
          
          

          All I want, and have been unable to do, is to pre-route these requests to Google's DNS and make my clients think they were resolved by Google.

          Like it is done with this iptables rule:

          iptables -I PREROUTING -t nat -p udp -s 192.168.1.114,192.168.1.124,192.168.1.134,192.168.1.135 -d 8.8.8.8 --dport 53 -j DNAT --to-destination DNS IP
          
          

          This rule above used to work on an old OpenWrt router (now defunct) that I owned.

            Derelict LAYER 8 Netgate
            last edited by Jan 6, 2019, 6:27 PM

            I didn't say set the destination port to any, just the destination address.

            If you don't want the Roku to use 8.8.8.8 don't tell it to use 8.8.8.8.


              hbbs
              last edited by hbbs Jan 6, 2019, 7:48 PM Jan 6, 2019, 7:42 PM

              I have tried this to block my NSTV from using 8.8.8.8, to no avail:

              If: LAN
              Proto: TCP/UDP
              Src: 192.168.1.50
              Src ports: *
              Dest addr: ! LAN address
              Dest. ports: 53 (DNS)
              NAT IP: 10.27.84.1
              NAT ports: 53 (DNS)
              Description: Redirect DNS

              But this is what happened when I tried to open Netflix for the sake of testing, because I know it would seek Google's DNS:

              22:39:26.843477 IP google-public-dns-a.google.com.domain > NSTV.localdomain.57184: 25791 4/0/0 CNAME dscg.netflix.com.edgesuite.net., CNAME a743.dscg.akamai.net., A 23.74.2.75, A 23.74.2.72 (142)
              22:39:34.104360 IP NSTV.localdomain.40568 > 10.27.84.1.domain: 22983+ A? anycast.ftl.netflix.com. (41)
              22:39:34.104370 IP NSTV.localdomain.57184 > google-public-dns-a.google.com.domain: 30840+ A? anycast.ftl.netflix.com. (41)
              22:39:34.105032 IP NSTV.localdomain.40568 > 10.27.84.1.domain: 51366+ A? afol2mxrlfchlcdunmapg.r.nflxso.net. (52)
              22:39:34.105041 IP NSTV.localdomain.57184 > google-public-dns-a.google.com.domain: 21478+ A? afol2mxrlfchlcdunmapg.r.nflxso.net. (52)
              22:39:34.105511 IP NSTV.localdomain.57184 > google-public-dns-a.google.com.domain: 48384+ A? ipv4-c048-was001-ix.1.oca.nflxvideo.net. (57)
              22:39:34.105521 IP NSTV.localdomain.40568 > 10.27.84.1.domain: 57127+ A? ipv4-c048-was001-ix.1.oca.nflxvideo.net. (57)
              22:39:34.105984 IP NSTV.localdomain.40568 > 10.27.84.1.domain: 47260+ A? oca-api.netflix.com. (37)
              22:39:34.105993 IP NSTV.localdomain.57184 > google-public-dns-a.google.com.domain: 65331+ A? oca-api.netflix.com. (37)
              22:39:34.303376 IP google-public-dns-a.google.com.domain > NSTV.localdomain.57184: 30840 1/0/0 A 66.42.99.246 (57)
              22:39:34.303472 IP 10.27.84.1.domain > NSTV.localdomain.40568: 22983 1/0/0 A 66.42.99.246 (57)
              22:39:34.303589 IP 10.27.84.1.domain > NSTV.localdomain.40568: 57127 1/0/0 A 66.42.99.246 (73)
              22:39:34.303685 IP google-public-dns-a.google.com.domain > NSTV.localdomain.57184: 21478 1/0/0 A 66.42.99.246 (68)
              22:39:34.303778 IP google-public-dns-a.google.com.domain > NSTV.localdomain.57184: 48384 1/0/0 A 66.42.99.246 (73)
              22:39:34.303879 IP 10.27.84.1.domain > NSTV.localdomain.40568: 51366 1/0/0 A 66.42.99.246 (68)
              22:39:34.305235 IP google-public-dns-a.google.com.domain > NSTV.localdomain.57184: 65331 1/0/0 A 66.42.99.246 (53)
              22:39:34.305333 IP 10.27.84.1.domain > NSTV.localdomain.40568: 47260 1/0/0 A 66.42.99.246 (53)
              
              

              How can I specifically enforce that queries to Google's DNS are denied?

              PS: You guys probably know this, but anyway, for the record: google-public-dns-a.google.com is 8.8.8.8 and google-public-dns-b.google.com is 8.8.4.4.

                Derelict LAYER 8 Netgate
                last edited by Jan 6, 2019, 7:50 PM

                @hbbs said in Help redirect DNS queries from any device to a VPN DNS through the tun interface:

                If: LAN
                Proto: TCP/UDP
                Src: 192.168.1.50
                Src ports: *
                Dest addr: any
                Dest. ports: 53 (DNS)
                NAT IP: 10.27.84.1
                NAT ports: 53 (DNS)
                Description: Redirect DNS

                You will still see google DNS in a packet capture on LAN because that is what is being captured before NAT happens.

                As I have said at least twice now already, if you don't want the device to use 8.8.8.8, don't tell it to use 8.8.8.8 in DHCP or its static configuration.


                  hbbs @Derelict
                  last edited by Jan 6, 2019, 9:16 PM

                  @derelict said in Help redirect DNS queries from any device to a VPN DNS through the tun interface:

                  @hbbs said in Help redirect DNS queries from any device to a VPN DNS through the tun interface:

                  If: LAN
                  Proto: TCP/UDP
                  Src: 192.168.1.50
                  Src ports: *
                  Dest addr: any
                  Dest. ports: 53 (DNS)
                  NAT IP: 10.27.84.1
                  NAT ports: 53 (DNS)
                  Description: Redirect DNS

                  You will still see google DNS in a packet capture on LAN because that is what is being captured before NAT happens.

                  That explains a lot.

                  As I have said at least twice now already, if you don't want the device to use 8.8.8.8, don't tell it to use 8.8.8.8 in DHCP or its static configuration.

                  I will show you my DHCP static configuration for my NSTV. It has been in place since the first time you mentioned it. Maybe I did something wrong.

                  https://i.imgur.com/eoEWw4H.png
                  https://i.imgur.com/EVsIxlm.png

                  (I have erased MAC addresses)

                    Derelict LAYER 8 Netgate
                    last edited by Jan 6, 2019, 9:22 PM

                    That looks OK to me. If that record is in place, and you have verified that it is actually getting the IP address specified, and the NSTV still insists on using 8.8.8.8 I'm not sure what to tell you there. Probably a question for them.

                    (I have erased MAC addresses)

                    (Because everyone on the internet cares about what your MAC address is...)


                      hbbs @Derelict
                      last edited by Jan 6, 2019, 9:28 PM

                      @derelict It is in place. I believe.

                      All I was trying to do was to pre-route the Google DNSes to my VPN DNS (tun).

                      Is there a place where I can verify that NAT is actually doing what it is supposed to do?

                      I was running tcpdump -i igb1 host xxxxx and port 53 to provide those logs.

                        Derelict LAYER 8 Netgate
                        last edited by Jan 6, 2019, 9:34 PM

                        Packet capture on the OpenVPN interface instead. That will show you what's going out to them.

                        You can also put a rule after one that passes the NAT traffic that blocks all traffic from 192.168.1.50 to destination any tcp/udp port 53.


                          hbbs
                          last edited by Jan 6, 2019, 9:45 PM

                          I did a tcpdump on port 53 on my vpn interface and got this:

                          00:42:02.827307 IP 10.27.84.1.domain > 10.27.84.249.39795: 29569 1/0/0 A 66.42.99.246 (56)
                          00:42:02.906872 IP 10.27.84.249.34368 > 10.27.84.1.domain: 23591+ A? nrdp51-appboot.netflix.com. (44)
                          00:42:02.907060 IP 10.27.84.249.34368 > 10.27.84.1.domain: 55629+ A? nrdp.nccp.netflix.com. (39)
                          00:42:02.907093 IP 10.27.84.249.7390 > 10.27.84.1.domain: 31611+ A? nrdp51-appboot.netflix.com. (44)
                          00:42:02.907120 IP 10.27.84.249.7390 > 10.27.84.1.domain: 34021+ A? nrdp.nccp.netflix.com. (39)
                          00:42:02.907129 IP 10.27.84.249.34368 > 10.27.84.1.domain: 17504+ A? api-global.netflix.com. (40)
                          00:42:02.907144 IP 10.27.84.249.7390 > 10.27.84.1.domain: 39867+ A? api-global.netflix.com. (40)
                          00:42:02.907195 IP 10.27.84.249.34368 > 10.27.84.1.domain: 46528+ A? secure.netflix.com. (36)
                          00:42:02.907242 IP 10.27.84.249.7390 > 10.27.84.1.domain: 51047+ A? secure.netflix.com. (36)
                          00:42:02.907280 IP 10.27.84.249.34368 > 10.27.84.1.domain: 61543+ A? uiboot.netflix.com. (36)
                          00:42:02.907299 IP 10.27.84.249.7390 > 10.27.84.1.domain: 20687+ A? uiboot.netflix.com. (36)
                          00:42:02.907346 IP 10.27.84.249.34368 > 10.27.84.1.domain: 48774+ A? customerevents.netflix.com. (44)
                          00:42:02.907390 IP 10.27.84.249.7390 > 10.27.84.1.domain: 51754+ A? customerevents.netflix.com. (44)
                          00:42:02.907435 IP 10.27.84.249.34368 > 10.27.84.1.domain: 40262+ A? ichnaea.netflix.com. (37)
                          00:42:02.907450 IP 10.27.84.249.7390 > 10.27.84.1.domain: 18368+ A? ichnaea.netflix.com. (37)
                          00:42:02.907497 IP 10.27.84.249.34368 > 10.27.84.1.domain: 17987+ A? cdn-0.nflximg.com. (35)
                          00:42:02.907542 IP 10.27.84.249.7390 > 10.27.84.1.domain: 21859+ A? cdn-0.nflximg.com. (35)
                          00:42:03.051651 IP 10.27.84.1.domain > 10.27.84.249.34368: 17504 1/0/0 A 66.42.99.246 (56)
                          00:42:03.051824 IP 10.27.84.1.domain > 10.27.84.249.7390: 39867 1/0/0 A 66.42.99.246 (56)
                          00:42:03.053581 IP 10.27.84.1.domain > 10.27.84.249.34368: 40262 1/0/0 A 66.42.99.246 (53)
                          00:42:03.054631 IP 10.27.84.1.domain > 10.27.84.249.7390: 18368 1/0/0 A 66.42.99.246 (53)
                          00:42:03.062142 IP 10.27.84.1.domain > 10.27.84.249.34368: 17987 4/0/0 CNAME dscg.netflix.com.edgesuite.net., CNAME a743.dscg.akamai.net., A 23.74.2.75, A 23.74.2.72 (142)
                          00:42:03.062322 IP 10.27.84.1.domain > 10.27.84.249.7390: 21859 4/0/0 CNAME dscg.netflix.com.edgesuite.net., CNAME a743.dscg.akamai.net., A 23.74.2.75, A 23.74.2.72 (142)
                          00:42:03.105733 IP 10.27.84.1.domain > 10.27.84.249.7390: 31611 1/0/0 A 66.42.99.246 (60)
                          00:42:03.105869 IP 10.27.84.1.domain > 10.27.84.249.34368: 23591 1/0/0 A 66.42.99.246 (60)
                          00:42:03.105972 IP 10.27.84.1.domain > 10.27.84.249.7390: 34021 1/0/0 A 66.42.99.246 (55)
                          00:42:03.106072 IP 10.27.84.1.domain > 10.27.84.249.34368: 55629 1/0/0 A 66.42.99.246 (55)
                          00:42:03.107169 IP 10.27.84.1.domain > 10.27.84.249.7390: 51047 1/0/0 A 66.42.99.246 (52)
                          00:42:03.107273 IP 10.27.84.1.domain > 10.27.84.249.34368: 46528 1/0/0 A 66.42.99.246 (52)
                          00:42:03.107657 IP 10.27.84.1.domain > 10.27.84.249.7390: 20687 1/0/0 A 66.42.99.246 (52)
                          00:42:03.107800 IP 10.27.84.1.domain > 10.27.84.249.7390: 51754 1/0/0 A 66.42.99.246 (60)
                          00:42:03.107959 IP 10.27.84.1.domain > 10.27.84.249.34368: 61543 1/0/0 A 66.42.99.246 (52)
                          00:42:03.108099 IP 10.27.84.1.domain > 10.27.84.249.34368: 48774 1/0/0 A 66.42.99.246 (60)
                          00:42:10.098505 IP 10.27.84.249.34368 > 10.27.84.1.domain: 39591+ A? occ-0-2430-2433.1.nflxso.net. (46)
                          00:42:10.098516 IP 10.27.84.249.7390 > 10.27.84.1.domain: 45801+ A? occ-0-2430-2433.1.nflxso.net. (46)
                          00:42:10.298125 IP 10.27.84.1.domain > 10.27.84.249.7390: 45801 1/0/0 A 66.42.99.246 (62)
                          00:42:10.298286 IP 10.27.84.1.domain > 10.27.84.249.34368: 39591 1/0/0 A 66.42.99.246 (62)
                          00:42:12.182289 IP 10.27.84.249.34368 > 10.27.84.1.domain: 35460+ A? ipv4-c087-was001-ix.1.oca.nflxvideo.net. (57)
                          00:42:12.182327 IP 10.27.84.249.7390 > 10.27.84.1.domain: 61471+ A? ipv4-c087-was001-ix.1.oca.nflxvideo.net. (57)
                          00:42:12.381842 IP 10.27.84.1.domain > 10.27.84.249.7390: 61471 1/0/0 A 66.42.99.246 (73)
                          00:42:12.381980 IP 10.27.84.1.domain > 10.27.84.249.34368: 35460 1/0/0 A 66.42.99.246 (73
                          

                          Do you see anything wrong? I couldn't.

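As an added example (not from the thread), here is a small Python script that parses tcpdump query lines like the ones posted above and reports which resolver each client actually queried, flagging anything other than the VPN resolver 10.27.84.1. It assumes the tcpdump line format shown in the thread, and the sample lines are constructed to mirror the LAN-side (pre-NAT, so the hard-coded public resolver is still the visible destination) and tunnel-side (post-NAT) captures.

```python
import re
from collections import defaultdict

# tcpdump prints port 53 as the service name "domain"; a query line carries
# the transaction id followed by '+' (recursion desired), a response does not.
QUERY_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.domain: (?P<qid>\d+)\+ (?P<qtype>[A-Z]+)\? (?P<name>\S+) \(\d+\)$"
)

# Resolver hostnames tcpdump printed in the thread, mapped to their addresses.
KNOWN_PUBLIC = {
    "google-public-dns-a.google.com": "8.8.8.8",
    "google-public-dns-b.google.com": "8.8.4.4",
}


def parse_query(line):
    """Return the fields of one DNS query line, or None for responses/other lines."""
    m = QUERY_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["dst"] = KNOWN_PUBLIC.get(fields["dst"], fields["dst"])
    return fields


def audit(lines, allowed):
    """Count queries per client and resolver; list those not sent to an allowed resolver."""
    per_client = defaultdict(lambda: defaultdict(int))
    bypass = []
    for line in lines:
        q = parse_query(line)
        if q is None:
            continue
        per_client[q["src"]][q["dst"]] += 1
        if q["dst"] not in allowed:
            bypass.append((q["src"], q["dst"], q["name"]))
    return per_client, bypass


# Constructed sample mirroring the thread's LAN-side capture (pre-NAT, so the
# hard-coded public resolver still shows as the destination) ...
LAN_CAPTURE = """\
22:39:34.104360 IP NSTV.localdomain.40568 > 10.27.84.1.domain: 22983+ A? anycast.ftl.netflix.com. (41)
22:39:34.104370 IP NSTV.localdomain.57184 > google-public-dns-a.google.com.domain: 30840+ A? anycast.ftl.netflix.com. (41)
22:39:34.303376 IP google-public-dns-a.google.com.domain > NSTV.localdomain.57184: 30840 1/0/0 A 66.42.99.246 (57)
20:34:21.050809 IP Roku3.localdomain.49462 > google-public-dns-b.google.com.domain: 9422+ A? captive.roku.com. (34)
""".splitlines()

# ... and the same kind of traffic seen on the tunnel interface (post-NAT:
# source is the tunnel address, destination the VPN resolver).
VPN_CAPTURE = """\
00:42:02.906872 IP 10.27.84.249.34368 > 10.27.84.1.domain: 23591+ A? nrdp51-appboot.netflix.com. (44)
00:42:02.907093 IP 10.27.84.249.7390 > 10.27.84.1.domain: 31611+ A? nrdp51-appboot.netflix.com. (44)
""".splitlines()

if __name__ == "__main__":
    for label, capture in (("LAN", LAN_CAPTURE), ("VPN", VPN_CAPTURE)):
        per_client, bypass = audit(capture, allowed={"10.27.84.1"})
        print(label, {c: dict(r) for c, r in per_client.items()})
        for src, dst, name in bypass:
            print(f"  bypass: {src} asked {dst} for {name}")
```

Run it against a real capture with `tcpdump -i <iface> -n port 53 | python3 audit.py`-style piping by replacing the constructed lists with `sys.stdin`; an empty bypass list on the tunnel interface and a non-empty one on LAN is exactly the pre-NAT versus post-NAT difference described in the thread.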
                            Derelict LAYER 8 Netgate
                            last edited by Jan 6, 2019, 9:47 PM

                            Looks OK if you want DNS going to 10.27.84.1.


                              hbbs @Derelict
                              last edited by Jan 6, 2019, 9:57 PM

                              @derelict This is my VPN Gateway.

                              Is there a possibility that NSTV, Roku are resolving stuff before it gets to the VPN?

                                Derelict LAYER 8 Netgate
                                last edited by Jan 6, 2019, 9:57 PM

                                I have no idea what NSTV or Roku do.


                                  hbbs @Derelict
                                  last edited by Jan 6, 2019, 10:00 PM

                                  @derelict They pre-route traffic. Roku has the Google DNS "hardcoded" and NSTV apparently does it as well; at least Netflix does. Chromecast does it as well, btw.

                                  But thanks for your help. I will try to get more info before I post here again.
