Netgate Discussion Forum

Redirecting DNS requests response issue

NAT
5 Posts 2 Posters 1.3k Views
    z3r0_XG, last edited Sep 23, 2020, 8:40 PM

    Hello, I've set up a rule to redirect all LAN DNS requests heading externally, other than those coming from my internal DNS server or pfSense itself, to my DNS server.

    This seems to be working correctly, however, I am running into issues like this:

    dig www.google.com @8.8.8.8
    ;; reply from unexpected source: 192.168.11.2#53, expected 8.8.8.8#53
    ;; reply from unexpected source: 192.168.11.2#53, expected 8.8.8.8#53
    ;; reply from unexpected source: 192.168.11.2#53, expected 8.8.8.8#53

    ; <<>> DiG 9.11.3-1ubuntu1.13-Ubuntu <<>> www.google.com @8.8.8.8
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached

    So I can see for this machine that the request was redirected to 192.168.11.2, which is the DNS server, but there does not seem to be any masquerading here; the client is aware of the redirect.

    Is there a way to set up a LAN to LAN redirect without exposing this to the client? This might just be a problem for "dig" and other applications like it, but I am worried about some of my IoT devices having issues because they can see their DNS is being redirected.

      viragomann, last edited Sep 23, 2020, 10:30 PM

      You have to masquerade the requests to the DNS server with the interface address of pfSense, so that return packets are addressed back to pfSense.

        z3r0_XG, last edited Sep 24, 2020, 4:43 AM

        Cool, how does one go about doing that? My Google-fu is a bit weak today.

          viragomann @z3r0_XG, last edited Sep 24, 2020, 8:05 AM

          @z3r0_XG
          That can be done by outbound NAT on pfSense.

          If your outbound NAT is still in automatic mode, switch it to hybrid mode. Then add a new rule with settings like these:
          Interface: <the one facing the DNS server>
          Source: LAN net
          Destination: <DNS server's IP>
          Translation: interface address
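The two rules written out in pf syntax, as an added illustration that is not from the thread and not configuration generated by pfSense (pfSense builds its own ruleset from the GUI settings above; this is the equivalent hand-written form for readers who want to see what the port forward and the outbound NAT rule actually do to the packets). The interface name igb1 and the /24 mask are assumptions; 192.168.11.2 is the resolver from the thread, and 192.168.11.1 is the pfSense LAN address that shows up as the query source in the dnsmasq log later in the thread.

```pf
# Added illustration, not pfSense-generated config.
lan_if  = "igb1"            # assumption: pfSense LAN interface name
lan_net = "192.168.11.0/24" # assumption: LAN subnet
lan_ip  = "192.168.11.1"    # pfSense LAN address (the source dnsmasq sees in the thread)
dns_srv = "192.168.11.2"    # the internal resolver from the thread

# Destinations that must NOT be redirected: the resolver itself and pfSense.
table <dns_allowed> const { $dns_srv, $lan_ip }

# Step 1: port forward (the rule the poster already had; "Redirect target IP"
# in the pfSense GUI). Only the destination is rewritten, so the resolver
# sees the client's real source address and answers the client directly
# from 192.168.11.2. That is what dig reports as "reply from unexpected source".
rdr on $lan_if inet proto { tcp, udp } from $lan_net to ! <dns_allowed> port 53 \
    -> $dns_srv port 53

# Step 2: outbound NAT on the LAN interface (viragomann's fix: Interface = LAN,
# Source = LAN net, Destination = resolver, Translation = interface address).
# The source is rewritten to pfSense's LAN address, the resolver replies to
# pfSense, and pf reverses both translations on the way back, so the client
# sees an answer from the address it queried (8.8.8.8).
nat on $lan_if inet proto { tcp, udp } from $lan_net to $dns_srv port 53 -> ($lan_if)

# The port forward still needs a matching filter rule (pfSense normally adds
# one for you when you create the port forward); in pf terms:
pass in quick on $lan_if inet proto { tcp, udp } from $lan_net to $dns_srv port 53
```

Two caveats worth knowing before enabling this. First, once the outbound NAT rule is in place the resolver sees every redirected query as coming from the pfSense LAN address (the dnsmasq log in the last post shows exactly that: "from 192.168.11.1"), so per-client attribution in the DNS server's own logs is lost; if you need to know which device asked for what, log on pfSense or on the resolver before the NAT. Second, these rules only catch plain DNS on port 53; a client that speaks DNS over TLS (tcp/853) or DNS over HTTPS (tcp/443) to an external resolver is not touched by them and still bypasses the internal server.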
            z3r0_XG @viragomann, last edited Sep 24, 2020, 1:12 PM

            @viragomann WORKED! TYVM -

            dig www.dsffdgdfhdfhsdfsdgdfshdfghdsfds.com @8.8.8.8

            ; <<>> DiG 9.11.3-1ubuntu1.13-Ubuntu <<>> www.dsffdgdfhdfhsdfsdgdfshdfghdsfds.com @8.8.8.8
            ;; global options: +cmd
            ;; Got answer:
            ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 62363
            ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

            ;; OPT PSEUDOSECTION:
            ; EDNS: version: 0, flags:; udp: 4096
            ;; QUESTION SECTION:
            ;www.dsffdgdfhdfhsdfsdgdfshdfghdsfds.com. IN A

            ;; AUTHORITY SECTION:
            com. 900 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1600953019 1800 900 604800 86400

            ;; Query time: 171 msec
            ;; SERVER: 8.8.8.8#53(8.8.8.8)
            ;; WHEN: Thu Sep 24 13:10:34 UTC 2020
            ;; MSG SIZE rcvd: 141

            Internal DNS log:

            Sep 24 09:10:34 dnsmasq[25829]: query[A] www.dsffdgdfhdfhsdfsdgdfshdfghdsfds.com from 192.168.11.1
            Sep 24 09:10:34 dnsmasq[25829]: forwarded www.dsffdgdfhdfhsdfsdgdfshdfghdsfds.com to 2604:6000:1529:8082:9c5d:c6ff:fe2a:ae3b
            Sep 24 09:10:34 dnsmasq[25829]: validation result is SECURE
            Sep 24 09:10:34 dnsmasq[25829]: reply www.dsffdgdfhdfhsdfsdgdfshdfghdsfds.com is NXDOMAIN

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.