Finding devices with hardcoded DNS
I've set up a NAT redirect rule to capture/redirect all outbound DNS traffic to my internal DNS server. pfSense automatically added a firewall rule as well. The question now is how do I find what devices are the offending ones? There's nothing in my firewall logs that could give me a hint. Even when I hardcode a DNS entry on one of my devices, there's still nothing in the firewall logs. Should I assume the NAT redirect rule is not working?
@ibbetsion If you just want to find them you could make a rule to block TCP/UDP to port 53 on addresses that aren't the router and see what shows up in the logs.
I just did this redirect and didn't see any entries for my redirected DNS.
I confirmed it was being redirected using https://www.dnsleaktest.com
Here are my records that showed up when I moved the firewall block rule to the top of the LAN rules.
@elvisripley Thank you for that invaluable insight. I was able to make a few tweaks based on your guidance (caused lightbulbs to go off in my head!) and I am now able to see the queries!
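An added example, not part of the thread or posted by any participant: a small parser that tallies blocked port-53 packets per client from pfSense filter log lines, the kind of entries the block rule suggested above produces. The router address 192.168.1.1, the function names and the sample log lines are assumptions constructed for illustration; the field positions follow pfSense's raw filterlog CSV layout.

```python
import csv
from collections import Counter
from ipaddress import ip_address

# Assumption: the pfSense LAN address that clients are supposed to use for DNS.
ROUTER_DNS = {ip_address("192.168.1.1")}

# Constructed sample lines, laid out like pfSense's raw filterlog CSV entries.
SAMPLE_LOG = """\
Mar  3 10:15:01 pfSense filterlog[4821]: 4,,,1700000001,igb1,match,block,in,4,0x0,,64,1234,0,DF,17,udp,60,192.168.1.50,8.8.8.8,51515,53,40
Mar  3 10:15:09 pfSense filterlog[4821]: 4,,,1700000001,igb1,match,block,in,4,0x0,,64,1240,0,DF,17,udp,60,192.168.1.50,8.8.8.8,51620,53,40
Mar  3 10:16:30 pfSense filterlog[4821]: 4,,,1700000001,igb1,match,block,in,4,0x0,,64,2222,0,DF,6,tcp,60,192.168.1.77,1.1.1.1,40000,53,0,S,12345,,64240,,mss
Mar  3 10:16:41 pfSense filterlog[4821]: 9,,,1700000002,igb1,match,pass,in,4,0x0,,64,3001,0,DF,17,udp,60,192.168.1.60,192.168.1.1,50111,53,40
Mar  3 10:17:02 pfSense filterlog[4821]: 12,,,1700000003,igb1,match,block,in,4,0x0,,64,3100,0,DF,6,tcp,60,192.168.1.50,203.0.113.10,40222,443,0,S,777,,64240,,mss
Mar  3 10:17:20 pfSense filterlog[4821]: 4,,,1700000001,igb1,match,block,in,6,0x00,0x00000,64,UDP,17,60,fd00::50,2001:4860:4860::8888,51000,53,40
"""

def parse_filterlog(line):
    """Return (action, src, dst, dst_port) for a TCP/UDP filterlog entry, else None."""
    _, sep, rest = line.partition("filterlog[")
    if not sep or "]: " not in rest:
        return None
    f = next(csv.reader([rest.split("]: ", 1)[1]]))
    # Fields 0-8 are common; the IP header fields after them differ by IP version.
    layout = {"4": (16, 18), "6": (12, 15)}.get(f[8] if len(f) > 8 else "")
    if layout is None:
        return None
    proto_i, src_i = layout
    if len(f) < src_i + 4 or f[proto_i].lower() not in ("tcp", "udp"):
        return None
    return f[6], ip_address(f[src_i]), ip_address(f[src_i + 1]), int(f[src_i + 3])

def hardcoded_dns_clients(log_text, allowed=ROUTER_DNS):
    """Count blocked port-53 packets per (client, resolver) not aimed at the router."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_filterlog(line)
        if rec is None:
            continue
        action, src, dst, dport = rec
        if action == "block" and dport == 53 and dst not in allowed:
            hits[(str(src), str(dst))] += 1
    return hits

if __name__ == "__main__":
    for (src, dst), n in hardcoded_dns_clients(SAMPLE_LOG).most_common():
        print(f"{src} -> {dst}: {n} blocked DNS packet(s)")
```

Mapping the reported client addresses to DHCP leases or static mappings then identifies the devices themselves.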