Forcing DNS through internal server



  • I'm trying to force all internal hosts to use my internal DNS server (a PI-hole). I've got my DHCP setup so all those that honour the DNS server provided by it work fine, but I've got a few devices, Google Home being the most recent, which hardcode their own DNS servers and so are bypassing mine.

    I've found this doc on how to use NAT to force all traffic through pfSense as the DNS server, but I can't work out how to set it up so that it all goes through my internal server:

    https://docs.netgate.com/pfsense/en/latest/dns/redirecting-all-dns-requests-to-pfsense.html

    I've obviously set the redirect to IP to be internal, but that just creates a circular loop when it tries to make the outbound request. I can't see a way to exclude that one host from the rule. I briefly thought about setting an earlier rule that targeted that single host, but that would limit me to a single external DNS server.

    Can this be done? It feels like it should be able to be made work, I just can't figure it out.



  • @digininja99 Read the last paragraph of the article you linked to.



  • @swinn I read that and tried it but it didn't work. The way I read the rule is:

    If the destination IP isn't on the local LAN, then apply the rule

    So putting just my internal DNS server into the list would say:

    If the destination it isn't my internal server, then apply the rule

    Which would force things to use my internal server, but then when it tries to get out, the destination isn't itself, and so the rule is triggered, causing a loop. If I'm right on that, the rule only works to force external DNS servers, not internal ones.

    I could be wrong on this and may have just made a mistake when setting it up.



  • @digininja99 Put your DNS server in the source address as well and negate it.



  • @swinn I'd missed that as it was behind the advanced button. I knew it had to be something simple.

    Not got time to try it now, will give it a go later and report back.

    Thanks



  • This will work.
    However, since you have pfsense. pgblockerng devel has the same functionality with additional bells and whistles. pihole is fine when you only have an isp provided router.



  • @netblues that looks like an interesting alternative. I'm running the pi-hole on a server with other stuff so it won't remove a machine from the network, but it might make the config easier.


Log in to reply