DNS Redirect question
-
I want to implement a rule that redirects all internal DNS requests to pfSense. This would address internal clients that try to change the default DHCP settings to some external DNS. pfBlocker will block the DoH/DoT issue.
The rule I'm looking at is https://doc.pfsense.org/index.php/Redirecting_all_DNS_Requests_to_pfSense
But if I understand it properly, I will also need a rule to allow the internal DNS servers (not pfSense) to forward queries externally.
I created an Alias for the internal DNS servers, but not certain how to implement this rule properly.
Any suggestions on how to accomplish locking clients out of external DNS servers while at the same time allowing internal DNS servers to work properly?
-
@cjbujold rules are evaluated top down, first rule to trigger wins. If you want a client to be able to go outbound for dns and not be redirected, just put the rule that allows those IPs to go out on 53 above where your redirect rule is.
-
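The ordering point in the reply above (top-down, first match wins) is easy to get backwards in the port-forward list, so here is a small added simulation of it in Python. This is not pfSense code or the pfSense rule syntax; it models only the two rules under discussion, an exemption for the internal-DNS-server alias placed above a catch-all redirect to pfSense, with addresses that are constructed for the example.

```python
"""Toy model of top-down, first-match evaluation of a DNS redirect rule set.

Added example, not pfSense code. pfSense evaluates port forwards top-down
with the first match winning; the rule names, fields and addresses here are
constructed for illustration only.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed lab addresses (hypothetical, not from the thread)
PFSENSE_LAN = ipaddress.ip_address("192.168.1.1")
INTERNAL_DNS_ALIAS = frozenset({      # the alias the question refers to
    ipaddress.ip_address("192.168.1.10"),
    ipaddress.ip_address("192.168.1.11"),
})
EXTERNAL_RESOLVER = ipaddress.ip_address("8.8.8.8")  # the resolver named in the thread


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                           # "exempt" (no redirect) or "redirect"
    dst_port: int = 53
    src: Optional[frozenset] = None       # None matches any source address
    dst_not: Optional[frozenset] = None   # rule is skipped when dst is in this set
    target: Optional[ipaddress.IPv4Address] = None


def evaluate(rules, src, dst, dst_port=53):
    """Walk the rules top-down; the first rule whose match fields fit decides.

    Returns (rule name, effective destination address).
    """
    for rule in rules:
        if rule.dst_port != dst_port:
            continue
        if rule.src is not None and src not in rule.src:
            continue
        if rule.dst_not is not None and dst in rule.dst_not:
            continue
        if rule.action == "exempt":
            return rule.name, dst          # leave the destination untouched
        return rule.name, rule.target      # rewrite the destination
    return "no-match", dst


# Exempt the internal DNS servers so they can still forward externally
EXEMPT_INTERNAL_DNS = Rule("allow internal DNS servers out", "exempt",
                           src=INTERNAL_DNS_ALIAS)
# Catch-all redirect; queries already aimed at pfSense are left alone
REDIRECT_ALL = Rule("redirect DNS to pfSense", "redirect",
                    dst_not=frozenset({PFSENSE_LAN}), target=PFSENSE_LAN)


def outcome(rules):
    """Effective DNS destination for a client host and for an internal DNS server."""
    client = ipaddress.ip_address("192.168.1.50")    # constructed client address
    server = ipaddress.ip_address("192.168.1.10")    # member of the alias
    return {
        "client": evaluate(rules, client, EXTERNAL_RESOLVER),
        "internal_dns": evaluate(rules, server, EXTERNAL_RESOLVER),
        "client_to_pfsense": evaluate(rules, client, PFSENSE_LAN),
    }


if __name__ == "__main__":
    print("exempt above redirect:", outcome([EXEMPT_INTERNAL_DNS, REDIRECT_ALL]))
    print("redirect above exempt:", outcome([REDIRECT_ALL, EXEMPT_INTERNAL_DNS]))
```

With the exemption first, a client's query to 8.8.8.8 is rewritten to pfSense while the internal DNS server's query goes out untouched; with the order swapped, the catch-all matches the internal server too and the exemption is never reached.
-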
@cjbujold Why don't you just pass DNS access to the DNS server you want, Pass DNS access from the internal servers you want, and tell them those are the DNS servers to use, and reject attempts to use any other DNS servers?
If they try to use something else it won't work.
Some DNS clients reject answers from an IP address other than the one they queried. It is my opinion that they all should.
-
@cjbujold you're trying to redirect client A to something other than pfSense when he asks for 8.8.8.8 or something? Yeah that can be problematic, it works if the dns you're redirecting to is on a different vlan than the client.
But if on the same network - clients should balk at that and say hey I asked 8.8.8.8 why is 192.168.x.y answering me..
-
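Both the remark that some DNS clients reject answers from an address other than the one they queried and the same-network redirect failure described above come down to the checks a stub resolver applies before accepting a UDP reply. The following added Python example (not from the thread and not any particular resolver's code) implements those checks on hand-built packets: the reply must come from the address that was queried, carry the same transaction ID, have the QR bit set, and echo the question. The names and addresses in it are constructed.

```python
"""Added example: the acceptance checks a careful stub resolver applies to a
UDP DNS reply. Packets are built by hand here so the example runs offline;
the domain and addresses are constructed placeholders.
"""
import struct


def _encode_name(name):
    """Encode a dotted name as DNS labels: 'example.com' -> b'\\x07example\\x03com\\x00'."""
    return b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"


def build_query(txid, name, qtype=1):
    """Minimal DNS query: 12-byte header plus one question (A record by default)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, 1 question
    return header + _encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(txid, name, addr, qtype=1):
    """Minimal DNS response: echoes the question and adds one A record."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR+RD+RA, 1 answer
    question = _encode_name(name) + struct.pack("!HH", qtype, 1)
    rdata = bytes(int(octet) for octet in addr.split("."))
    # 0xc00c is a compression pointer back to the name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, 60, 4) + rdata
    return header + question + answer


def accept_reply(query, query_dst, reply, reply_src):
    """Decide whether a reply may be trusted as the answer to `query`.

    query_dst / reply_src are the server address the query went to and the
    source address the reply arrived from. Returns (accepted, reason).
    """
    # 1. Source address must be the server that was asked. A redirect target
    #    on the same subnet answering directly fails here, which is the
    #    "I asked 8.8.8.8, why is 192.168.x.y answering" case from the thread.
    if reply_src != query_dst:
        return False, "reply came from %s, not the server queried (%s)" % (reply_src, query_dst)
    if len(reply) < 12:
        return False, "truncated header"
    # 2. Transaction ID must match the outstanding query.
    (qid,) = struct.unpack("!H", query[:2])
    rid, flags, qdcount, _ancount = struct.unpack("!HHHH", reply[:8])
    if rid != qid:
        return False, "transaction id mismatch"
    # 3. QR bit must be set; a query echoed back is not a response.
    if not flags & 0x8000:
        return False, "QR bit not set; not a response"
    # 4. The question section must echo exactly what was asked.
    question = query[12:]
    if qdcount != 1 or reply[12:12 + len(question)] != question:
        return False, "question section does not echo the query"
    return True, "ok"


if __name__ == "__main__":
    q = build_query(0x1234, "example.com")
    r = build_response(0x1234, "example.com", "192.0.2.1")
    print(accept_reply(q, "8.8.8.8", r, "8.8.8.8"))
    print(accept_reply(q, "8.8.8.8", r, "192.168.1.1"))
```

The source-address check is what makes a same-subnet redirect fail even when the redirected server returns a perfectly formed answer, while a redirect through a router on another VLAN keeps the reply's source address consistent with the query and passes all four checks.
-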
@johnpoz Hmm. I never noticed it was tied to the local network. I have had problems with a DNS server outside the local network that was responding with the "wrong" IP address and some clients (notably ubuntu) refused the answers.
Seems that if someone on the local network wanted to spoof DNS answers they'd just spoof the source address of their reply too.
When I ran a public wifi network it was always really tempting to manipulate DNS like that, but I didn't want to step on the dad who carefully set up opendns on his kids' laptop or similar. Then there's quad9 "protection" etc. Probably over-thinking it.
-
@derelict this has come up multiple times ;)
Here is an old thread where went into much detail about when the dns server you're redirecting to is on a different vlan, etc. or when it's on the same network and you get back the unexpected IP, etc..
Personally not a fan of redirection either, either use the dns I handed you - or not getting dns ;)
But I have done it on one of my vlans just to shut up some iot shit that insists on trying to talk to 8.8.8.8, so just redirect it to my pihole - there you go buddy googledns answered you ;) If you would just use the freaking dns I handed you with dhcp you dumb crappy pos we wouldn't have to do such nonsense.