pfSense - DNS redirect to local DNS server



  • My goal is to redirect all outbound DNS requests to my internal DNS servers (PiHole) while allowing my DNS servers to query outside.
    I found 2 links that helped, but 1 was incomplete and the other was long, old and had too many posts off point. I only intend on posting what I have working to help the next person.

    Links included to give credit to where credit is due, without these two I would not have figured it out.
    https://docs.netgate.com/pfsense/en/latest/dns/redirecting-all-dns-requests-to-pfsense.html
    https://forum.netgate.com/topic/139457/transparently-intercept-and-redirect-dns-traffic-to-an-internal-dns

    The Setup:
    2 VLANs: 42 and 128
    All DNS is on 42
    The test host moves between 42 and 128 and uses a bogus DNS server
    Alias PiHole contains all DNS servers
    (I would recommend using an alias even with 1 DNS server, adding and removing DNS servers requires 1 update, not 6)

    The rules:
    NAT / Port Forward - These send the requests to your DNS
    -- Rule for VLAN42 --
    Interface: VLAN42
    Protocol: TCP/UDP
    Source: Invert match Alias PiHole
    Destination: Invert match VLAN42.address
    Destination port: DNS
    Redirect target IP: PiHole
    Redirect target port: 53
    NAT reflection: Disable

    -- Rule for VLAN128 --
    Interface: VLAN128
    Protocol: TCP/UDP
    Source: Invert match Alias PiHole
    Destination: Invert match VLAN128.address
    Destination port: DNS
    Redirect target IP: PiHole
    Redirect target port: 53
    NAT reflection: Disable

    NAT / Outbound - These masquerade the IP address to make the client happy.
    -- Rule for VLAN42 --
    Interface: VLAN42
    Protocol: any
    Source: Network 192.168.42.0/24
    Destination: Network Pihole port 53
    Address: Interface Address

    -- Rule for VLAN128 --
    Interface: VLAN42 (yes 42)
    Protocol: any
    Source: Network 192.168.128.0/24
    Destination: Network Pihole port 53
    Address: Interface Address

    The pictures:
    97f2bcec-57d5-4da6-9bfe-7ab2c3516441-image.png
    4116bd5a-20ad-41b4-b810-9047fcda5184-image.png
    df60af8f-9078-4741-8b5d-f06f195d5d77-image.png

    You can see that dig @ a server that is not a DNS server returns correct results.

    I hope this is useful.



• @AndyRH Your NATing to redirect all DNS queries to PiHole isn't working because you get no error from dig saying "reply from unexpected source: <insert_your_pihole_server_ip_here>, expected 1.2.3.4#53", which you would get if pfSense would truly NAT properly. Something else is replying to dig, but it's not PiHole.

I redirect all DNS queries from my LAN3 and WIFI segments to PiHole like this:
    898a23ef-fff4-4c41-a005-fb36f51f1625-image.png

As you can see, all WIFI DNS requests from any source (segment 10.40.x.x/24) are NATed to my PiHole server on segment (10.22.x.x/24). Then you can see on the PiHole segment itself I redirect all DNS requests (segment 10.22.x.x/24) to the PiHole server EXCEPT for the PiHole server itself.

Then here are the rules for the WIFI segment that go with the NATing of the WIFI DNS requests:

    a90ac14f-a971-462e-8e8a-d4686dc094dc-image.png

And the rule for the LAN3 segment (where the source isn't PiHole itself):
    e7726d38-a81b-410f-b47e-634bb0fbc3dc-image.png

And this is the output from dig with a proper DNS redirection:

    ba6fa3ed-330e-4cba-855e-d0d400ce5700-image.png

You can see the DNS request comes back from the PiHole server but dig is waiting for a reply from 1.2.3.4.

And in PiHole, you can see the request being redirected, resolved and returned to dig:
    a0ad5443-c8d4-4e1a-82f3-74eec0dd7374-image.png
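The two posts above disagree about what dig should show, and the difference is the outbound NAT ("masquerade") rule. The model below is an added example written for this thread, not pfSense or pf code, and it uses constructed addresses: 192.168.42.1 and 192.168.128.1 as the pfSense VLAN interface addresses, a single PiHole at 192.168.42.53 in the "PiHole" alias, and 1.2.3.4 as the bogus resolver on the test host. It walks a DNS query through the port-forward rule (with its inverted source and destination matches) and the outbound NAT rule, then works out which address the client sees the reply come from. When the PiHole sits on the client's own VLAN and the source is not masqueraded, the PiHole answers the client directly without crossing pf, so dig sees the PiHole's address and prints "reply from unexpected source"; when the reply does pass back through pf (masqueraded source, or a client on another VLAN), pf reverses the state and the client sees the reply come from the resolver it asked.

```python
"""Added model of the port-forward + outbound-NAT behaviour described in this thread.

Constructed simulation, not pfSense/pf code.  Assumed values: pfSense interface
addresses 192.168.42.1 and 192.168.128.1, one PiHole at 192.168.42.53 in the
"PiHole" alias, and 1.2.3.4 as the bogus resolver the test host is configured to use.
"""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, ip_address, ip_network

# Assumed interface address and network per VLAN (constructed, not from the posts).
VLANS = {
    "VLAN42": (ip_address("192.168.42.1"), ip_network("192.168.42.0/24")),
    "VLAN128": (ip_address("192.168.128.1"), ip_network("192.168.128.0/24")),
}
PIHOLE = {ip_address("192.168.42.53")}  # the "PiHole" alias (constructed address)


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    dport: int


def interface_of(ip: IPv4Address):
    """Name of the VLAN whose network contains ip, or None."""
    for name, (_, net) in VLANS.items():
        if ip in net:
            return name
    return None


def port_forward(pkt: Packet, iface: str) -> Packet:
    """NAT / Port Forward rule on the client's VLAN: redirect port 53 to the alias,
    except when the source is a PiHole (inverted source match) or the destination
    is the interface address itself (inverted destination match)."""
    if_addr, _ = VLANS[iface]
    if pkt.dport == 53 and pkt.src not in PIHOLE and pkt.dst != if_addr:
        return replace(pkt, dst=next(iter(PIHOLE)))
    return pkt


def outbound_nat(pkt: Packet, out_iface: str) -> Packet:
    """NAT / Outbound rules: traffic from either VLAN leaving on VLAN42 towards the
    alias on port 53 gets its source rewritten to the VLAN42 interface address."""
    if (out_iface == "VLAN42" and pkt.dst in PIHOLE and pkt.dport == 53
            and interface_of(pkt.src) in VLANS):
        return replace(pkt, src=VLANS["VLAN42"][0])
    return pkt


def simulate(client: IPv4Address, resolver: IPv4Address, masquerade: bool = True):
    """Return (redirected, reply_source): the address the client sees the reply from."""
    query = Packet(client, resolver, 53)
    after_rdr = port_forward(query, interface_of(client))
    if after_rdr.dst not in PIHOLE:
        return False, after_rdr.dst  # not redirected; the real destination answers
    out_iface = interface_of(after_rdr.dst)
    sent = outbound_nat(after_rdr, out_iface) if masquerade else after_rdr
    # The PiHole replies to sent.src.  If that is a host on the PiHole's own VLAN
    # (not the firewall), the reply goes straight to it and never crosses pf, so
    # the client sees the PiHole's address as the reply source.
    pihole_if_addr, pihole_net = VLANS[out_iface]
    if sent.src in pihole_net and sent.src != pihole_if_addr:
        return True, after_rdr.dst
    # Otherwise the reply passes back through pf, which reverses the rdr/nat state:
    # the client sees the reply come from the resolver it originally asked.
    return True, query.dst


def dig_warns(client: str, resolver: str, masquerade: bool = True) -> bool:
    """True when dig would print 'reply from unexpected source' for this query."""
    _, seen = simulate(ip_address(client), ip_address(resolver), masquerade)
    return seen != ip_address(resolver)


if __name__ == "__main__":
    for client, resolver, masq in [
        ("192.168.42.10", "1.2.3.4", True),    # same VLAN as PiHole, masqueraded
        ("192.168.42.10", "1.2.3.4", False),   # same VLAN as PiHole, no masquerade
        ("192.168.128.10", "1.2.3.4", False),  # other VLAN, reply must cross pf anyway
        ("192.168.42.53", "8.8.8.8", True),    # the PiHole itself querying upstream
        ("192.168.42.10", "192.168.42.1", True),  # asking the pfSense address directly
    ]:
        redirected, seen = simulate(ip_address(client), ip_address(resolver), masq)
        print(f"{client} -> {resolver} masquerade={masq}: "
              f"redirected={redirected}, reply from {seen}, dig warns={seen != ip_address(resolver)}")
```

On a real pfSense box the equivalent check is to run `dig @1.2.3.4 example.com` from the test host and, at the same time, `pfctl -ss | grep ':53'` on pfSense: a redirected query shows a state whose destination has been rewritten to the PiHole address, and with the outbound NAT rule the source side is rewritten to the VLAN42 interface address as well. The inverted source match is what keeps the PiHole's own upstream queries from being looped back into itself.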



  • You are correct if the goal is to prevent resolution if a wrong DNS server is used. In that case a simple block of the port will work just fine.
    It is working as I intended. The goal is to get a proper response to the client. Without the "masquerade" of the wrong DNS server the client is not able to resolve the requested address.
    I do not want to stop the clients from resolving addresses, I do want to stop clients from resolving addresses on servers that are not mine.
Rokus are notorious for using 8.8.8.8 if they fail to connect to the usage reporting servers. I have also found Amcrest cameras try hard-coded DNS servers when they fail to connect home.



• @AndyRH Oh, I understand what you wanted to do. You are anonymizing your PiHole so your clients think their reply comes from the legitimate DNS they wanted to use. That's clever!