Netgate Discussion Forum
    Forcing DNS through internal server

    Category: NAT. 7 Posts, 3 Posters, 518 Views
    • digininja99

      I'm trying to force all internal hosts to use my internal DNS server (a Pi-hole). I've got my DHCP set up so all those that honour the DNS server provided by it work fine, but I've got a few devices, Google Home being the most recent, which hardcode their own DNS servers and so are bypassing mine.

      I've found this doc on how to use NAT to force all traffic through pfSense as the DNS server, but I can't work out how to set it up so that it all goes through my internal server:

      https://docs.netgate.com/pfsense/en/latest/dns/redirecting-all-dns-requests-to-pfsense.html

      I've obviously set the redirect-to IP to be internal, but that just creates a circular loop when it tries to make the outbound request. I can't see a way to exclude that one host from the rule. I briefly thought about setting an earlier rule that targeted that single host, but that would limit me to a single external DNS server.

      Can this be done? It feels like it should be able to be made to work, I just can't figure it out.

      • swinn @digininja99

        @digininja99 Read the last paragraph of the article you linked to.

        • digininja99 @swinn

          @swinn I read that and tried it but it didn't work. The way I read the rule is:

          If the destination IP isn't on the local LAN, then apply the rule

          So putting just my internal DNS server into the list would say:

          If the destination isn't my internal server, then apply the rule

          Which would force things to use my internal server, but then when it tries to get out, the destination isn't itself, and so the rule is triggered, causing a loop. If I'm right on that, the rule only works to force external DNS servers, not internal ones.

          I could be wrong on this and may have just made a mistake when setting it up.

          • swinn @digininja99

            @digininja99 Put your DNS server in the source address as well and negate it.

            • digininja99 @swinn
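To make the two readings of the rule concrete, here is an added simulation of how a pfSense port-forward (a pf `rdr` rule on the LAN interface) is evaluated for port-53 traffic. It is illustration code written for this thread, not code from the page, Netgate or pfSense; the addresses (Pi-hole at 192.168.1.10, a Google Home at 192.168.1.50) and the sample packets are constructed assumptions. It shows why inverting only the destination sends the Pi-hole's own upstream query back to the Pi-hole, and why additionally inverting the source (the option behind the Advanced button) breaks the loop while still catching clients with hard-coded DNS servers.

```python
"""Simulated evaluation of a pfSense DNS-redirect port forward.

Added example for this thread; not pfSense code. Addresses and traffic
are constructed. The fixed rule corresponds approximately to the pf line
    rdr on $lan proto { tcp udp } from ! 192.168.1.10 to ! 192.168.1.10 port 53 -> 192.168.1.10
"""
from dataclasses import dataclass, replace

PIHOLE = "192.168.1.10"       # assumed LAN address of the Pi-hole
GOOGLE_HOME = "192.168.1.50"  # assumed LAN client with a hard-coded DNS server


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class RdrRule:
    """Simplified pf 'rdr' rule as generated for a pfSense port forward on the
    LAN interface: match TCP/UDP to port 53, skipping packets whose
    destination or source is in the inverted ("Invert match") address lists."""
    target: str
    not_dst: tuple = ()
    not_src: tuple = ()

    def matches(self, p: Packet) -> bool:
        if p.proto not in ("tcp", "udp") or p.dport != 53:
            return False
        # Destination / Invert match: don't touch traffic already aimed at these hosts.
        if p.dst in self.not_dst:
            return False
        # Source / Invert match (Advanced button): don't touch traffic from these hosts.
        if p.src in self.not_src:
            return False
        return True


def apply_rdr(rule: RdrRule, p: Packet) -> Packet:
    """Return the packet as it leaves the NAT stage: destination rewritten to
    the redirect target if the rule matched, otherwise unchanged."""
    return replace(p, dst=rule.target) if rule.matches(p) else p


# Rule from the Netgate article with the Pi-hole as target, destination inverted only.
DEST_ONLY_RULE = RdrRule(target=PIHOLE, not_dst=(PIHOLE,))
# The thread's fix: also put the Pi-hole in the source field and invert it.
FIXED_RULE = RdrRule(target=PIHOLE, not_dst=(PIHOLE,), not_src=(PIHOLE,))

# Constructed sample traffic as it enters pfSense on the LAN interface.
GOOGLE_HOME_QUERY = Packet(GOOGLE_HOME, "8.8.8.8", "udp", 53)     # hard-coded external DNS
PIHOLE_UPSTREAM = Packet(PIHOLE, "1.1.1.1", "udp", 53)            # Pi-hole's own upstream query
HTTPS_TRAFFIC = Packet(GOOGLE_HOME, "203.0.113.5", "tcp", 443)    # unrelated, must pass untouched


def creates_loop(rule: RdrRule) -> bool:
    """True if the Pi-hole's upstream query is redirected back to the Pi-hole,
    i.e. the circular loop described in the thread."""
    return apply_rdr(rule, PIHOLE_UPSTREAM).dst == PIHOLE


if __name__ == "__main__":
    for name, rule in (("dest-only", DEST_ONLY_RULE), ("src+dest", FIXED_RULE)):
        print(f"{name}: Google Home -> {apply_rdr(rule, GOOGLE_HOME_QUERY).dst}, "
              f"Pi-hole upstream -> {apply_rdr(rule, PIHOLE_UPSTREAM).dst}, "
              f"loops={creates_loop(rule)}")
```

Running it shows the dest-only rule rewriting the Pi-hole's 1.1.1.1 query to 192.168.1.10 (the loop), while the src+dest rule leaves it alone and still redirects the Google Home's 8.8.8.8 query. Note that this only catches plain DNS on port 53: a device that uses DNS over TLS (853) or DNS over HTTPS (443) is not redirected by this rule.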

              @swinn I'd missed that as it was behind the advanced button. I knew it had to be something simple.

              Not got time to try it now, will give it a go later and report back.

              Thanks

              • netblues @digininja99

                This will work.
                However, since you have pfSense, pfBlockerNG-devel has the same functionality with additional bells and whistles. Pi-hole is fine when you only have an ISP-provided router.

                • digininja99 @netblues

                  @netblues that looks like an interesting alternative. I'm running the pi-hole on a server with other stuff so it won't remove a machine from the network, but it might make the config easier.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.