Redirecting all DNS Requests to pfSense?



  • I apologize if I ask a stupid question.

    In here: https://docs.netgate.com/pfsense/en/latest/dns/redirecting-all-dns-requests-to-pfsense.html

    It says: Destination: Invert Match checked, LAN Address

    However, in the corresponding firewall rule it creates this invert match is unchecked.

    Does that make sense?



  • Yes. That firewall rule is allowing explicit access to DNS running on the firewall.



  • Should I read it like this: the NAT rule ensures all DNS is 'caught' and sent to 127.0.0.1:53, and this firewall rule is allowing that DNS traffic?

    Thank you.



  • Yes. The NAT defines the redirection, and the firewall rule permits the traffic to flow.



  • @snore said in Redirecting all DNS Requests to pfSense?:

    Should I read it like this: the NAT rule ensures all DNS is 'caught' and sent to 127.0.0.1:53, and this firewall rule is allowing that DNS traffic?

    Thank you.

    If so, suppose you have a VPN-client (say to PIA). For this particular VPN-client-traffic you want to use PIA's DNS-servers, would that mean you can not use the NAT-technique, since then all traffic goes via the firewall's DNS, including thus the VPN-client-traffic you don't want to go through there?



  • Yes, I believe so. In that case, you don't want to transparently redirect all DNS to pfSense.



  • Thank you.

    So if I understand correctly in that case it would be best to:

    1. Have the above allow rule;
    2. Have a block rule after that for all DNS requests to anything other than the firewall.

    Of course, if you have devices that have hard coded DNS servers in them (that will ignore the DNS servers that are issued to them via the firewall DHCP), that then will fail. But then again, that was the purpose: disallowing any other DNS than the firewall's DNS.
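As an added illustration (not code from the thread or from the Netgate docs), here is a small Python model of how pf evaluates the three pieces discussed above: the port forward with the inverted destination, the associated pass rule, and the extra block rule from the last post. The addresses are constructed, and the model assumes, as pf does, that translation runs before filtering, so the pass rule sees the post-NAT destination (which is why the GUI shows it without Invert Match).

```python
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network

# Constructed addresses for the model (assumptions, not values from the thread).
LAN_NET = IPv4Network("192.168.1.0/24")
LAN_ADDRESS = IPv4Address("192.168.1.1")   # "LAN Address" in the pfSense GUI
LOOPBACK = IPv4Address("127.0.0.1")        # redirect target of the port forward


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    dport: int
    proto: str = "udp"


def is_dns(pkt: Packet) -> bool:
    return pkt.proto in ("tcp", "udp") and pkt.dport == 53


def nat_redirect(pkt: Packet, enabled: bool = True) -> Packet:
    """Port forward on LAN: Destination = LAN Address with Invert Match, port 53,
    redirect target 127.0.0.1:53. Translation happens before the filter rules run."""
    if enabled and is_dns(pkt) and pkt.src in LAN_NET and pkt.dst != LAN_ADDRESS:
        return replace(pkt, dst=LOOPBACK, dport=53)
    return pkt


def filter_rules(pkt: Packet) -> str:
    """LAN filter rules, first match wins, evaluated on the translated packet:
    1. pass DNS to the firewall itself (the rule the port forward creates; not
       inverted, because it sees the post-NAT destination);
    2. block DNS to anything else (the extra rule from the last post);
    3. assumed default 'allow LAN to any' for everything else."""
    if is_dns(pkt) and pkt.dst in (LOOPBACK, LAN_ADDRESS):
        return "pass"
    if is_dns(pkt):
        return "block"
    return "pass"


def evaluate(pkt: Packet, nat_enabled: bool = True) -> tuple[str, IPv4Address]:
    """Return (verdict, final destination) for a packet arriving on LAN."""
    translated = nat_redirect(pkt, nat_enabled)
    return filter_rules(translated), translated.dst


if __name__ == "__main__":
    client = IPv4Address("192.168.1.50")
    hardcoded = Packet(client, IPv4Address("8.8.8.8"), 53)      # device ignoring DHCP DNS
    vpn_dns = Packet(client, IPv4Address("198.51.100.53"), 53)  # constructed "PIA DNS"
    print(evaluate(hardcoded))         # ('pass', 127.0.0.1): silently redirected
    print(evaluate(vpn_dns))           # ('pass', 127.0.0.1): VPN DNS is redirected too
    print(evaluate(hardcoded, False))  # ('block', 8.8.8.8): with NAT off, the block rule hits
```

The second case is the concern raised about the VPN client: with the port forward in place, a LAN host's query to the VPN provider's resolver is redirected to the firewall's resolver like any other.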

