pfSense - DNS redirect to local DNS server
-
My goal is to redirect all outbound DNS requests to my internal DNS servers (PiHole) while allowing my DNS servers to query outside.
I found 2 links that helped, but 1 was incomplete and the other was long, old and had too many posts off point. I only intend to post what I have working to help the next person. Links are included to give credit where credit is due; without these two I would not have figured it out.
https://docs.netgate.com/pfsense/en/latest/dns/redirecting-all-dns-requests-to-pfsense.html
https://forum.netgate.com/topic/139457/transparently-intercept-and-redirect-dns-traffic-to-an-internal-dns
The Setup:
2 VLANs: 42 and 128
All DNS is on 42
The test host moves between 42 and 128 and uses a bogus DNS server
Alias PiHole contains all DNS servers
(I would recommend using an alias even with 1 DNS server; adding and removing DNS servers then requires 1 update, not 6)
The rules:
NAT / Port Forward - These send the requests to your DNS
-- Rule for VLAN42 --
Interface: VLAN42
Protocol: TCP/UDP
Source: Invert match Alias PiHole
Destination: Invert match VLAN42.address
Destination port: DNS
Redirect target IP: PiHole
Redirect target port: 53
NAT reflection: Disable
-- Rule for VLAN128 --
Interface: VLAN128
Protocol: TCP/UDP
Source: Invert match Alias PiHole
Destination: Invert match VLAN128.address
Destination port: DNS
Redirect target IP: PiHole
Redirect target port: 53
NAT reflection: Disable
NAT / Outbound - These masquerade the IP address to make the client happy.
-- Rule for VLAN42 --
Interface: VLAN42
Protocol: any
Source: Network 192.168.42.0/24
Destination: Network Pihole port 53
Address: Interface Address
-- Rule for VLAN128 --
Interface: VLAN42 (yes 42)
Protocol: any
Source: Network 192.168.128.0/24
Destination: Network Pihole port 53
Address: Interface Address
The pictures:
You can see that dig @ a server that is not a DNS server returns correct results.
I hope this is useful.
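The same rule set written out in pf's native syntax, as an added illustration that is not part of AndyRH's post and not the rules pfSense itself generates (those use pfSense's own macro names); the interface names vlan42/vlan128 and the Pi-hole addresses are assumed, and protocol is narrowed to TCP/UDP because pf only accepts a port match for those.

```pf
# Constructed table standing in for the "PiHole" alias (addresses assumed).
table <PiHole> { 192.168.42.10, 192.168.42.11 }

# NAT / Port Forward. "Invert match" in the GUI is pf's "!" negation and
# "VLAN42.address" is (vlan42), the interface's own address. rdr is evaluated
# on the interface a packet ARRIVES on: any DNS query that is neither sent by
# a Pi-hole nor addressed to the firewall itself gets its destination
# rewritten to a Pi-hole, so a client pointed at a bogus server is caught too.
rdr on vlan42  inet proto { tcp, udp } from ! <PiHole> to ! (vlan42)  port 53 -> <PiHole> port 53
rdr on vlan128 inet proto { tcp, udp } from ! <PiHole> to ! (vlan128) port 53 -> <PiHole> port 53

# NAT / Outbound. "Interface Address" translates the source to the address of
# the interface the packet LEAVES on. After rdr every redirected query leaves
# through vlan42 toward the Pi-holes, which is why the rule for the
# 192.168.128.0/24 clients is also on vlan42 ("yes 42" above). The Pi-hole
# answers the firewall, and pf's state entry reverses both translations, so
# the client receives the reply from the server it originally asked.
nat on vlan42 inet proto { tcp, udp } from 192.168.42.0/24  to <PiHole> port 53 -> (vlan42)
nat on vlan42 inet proto { tcp, udp } from 192.168.128.0/24 to <PiHole> port 53 -> (vlan42)

# Filter rules still have to let the redirected queries through; pfSense adds
# these itself when a port forward's "Filter rule association" is left at its
# default. The Pi-holes' own upstream queries are untouched by the rdr rules
# (from ! <PiHole>) and rely on the normal outbound rules.
pass in quick on vlan42  inet proto { tcp, udp } from any to <PiHole> port 53 keep state
pass in quick on vlan128 inet proto { tcp, udp } from any to <PiHole> port 53 keep state
```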
-
@AndyRH Your NATing to redirect all DNS queries to Pi-hole isn't working, because you get no error from dig saying "reply from unexpected source: <insert_your_piehole_server_ip_here>, expected 1.2.3.4#53", which you would get if pfSense were truly NATing properly. Something else is replying to dig, but it's not Pi-hole.
I redirect all DNS queries from my LAN3 and WIFI segments to Pi-hole like this:
As you can see, all WIFI DNS requests from any source (segment 10.40.x.x/24) are NATed to my Pi-hole server on segment 10.22.x.x/24. Then you can see that on the Pi-hole segment itself I redirect all DNS requests (segment 10.22.x.x/24) to the Pi-hole server EXCEPT those from the Pi-hole server itself.
Then here are the rules for the WIFI segment that go with the NATing of the WIFI DNS requests:
And the rule for the LAN3 segment (where the source isn't Pi-hole itself):
And this is the output from dig with a proper DNS redirection:
You can see the DNS request comes back from the Pi-hole server but dig is waiting for a reply from 1.2.3.4.
And in Pi-hole, you can see the request being redirected, resolved and returned to dig:
-
You are correct if the goal is to prevent resolution if a wrong DNS server is used. In that case a simple block of the port will work just fine.
It is working as I intended. The goal is to get a proper response to the client. Without the "masquerade" of the wrong DNS server the client is not able to resolve the requested address.
I do not want to stop the clients from resolving addresses, I do want to stop clients from resolving addresses on servers that are not mine.
Rokus are notorious for using 8.8.8.8 if they fail to connect to the usage reporting servers. I have also found Amcrest cameras try hard-coded DNS servers when they fail to connect home.
-
@AndyRH Oh, I understand what you wanted to do. You are anonymizing your Pi-hole so your clients think their reply comes from the legitimate DNS they wanted to use. That's clever!