Netgate Discussion Forum
    Redirecting Google Chromecast and other 'Bad-DNS' Clients to My Own DNS Server

NAT
    10 Posts 4 Posters 1.0k Views
MikhailCompo

      I have blocked all DNS requests that do not use my own DNS server (Pi-Hole).

I've now learned that Chromecast and other devices are crap and will not be told their DNS server...

      Can someone advise how I can direct these queries to my own DNS server? I have found other posts on this topic but they're old and the links/images are no longer working.

      Thanks

johnpoz (LAYER 8 Global Moderator) @MikhailCompo

        @MikhailCompo

        https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html#redirecting-client-dns-requests

While it's simple enough to redirect normal DNS over just port 53.. You run into a problem trying to redirect DoH, for example.. For starters it's on 443, and even if you listed specific DoH server IPs to redirect... You still have the issue that your cert wouldn't match where they are trying to go.. say Google DNS via DoH.. So the client should say hey wait, this isn't the server I wanted to talk to.. Now the client might be stupid and not doing that check, but that is supposed to be one of the advantages of DoH and DoT: you're sure who you're talking to for DNS..

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

MikhailCompo @johnpoz

@johnpoz Will redirecting 53 not be sufficient for Chromecast etc? Do they require DoH?

johnpoz (LAYER 8 Global Moderator) @MikhailCompo

@MikhailCompo I have not used a Chromecast in years.. But it would be fair to assume they might be trying to do DoH.. But if they are just using normal DNS it's simple enough to redirect them.. If you blocked other DNS and they are not complaining, I would take it they are either using who you assigned to them via static or DHCP.. Or they are using DoH.. Which is hard enough to block, let alone trying to redirect..


MikhailCompo @johnpoz

              @johnpoz said in Redirecting Google Chromecast and other 'Bad-DNS' Clients to My Own DNS Server:

              @MikhailCompo

              https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html#redirecting-client-dns-requests

Following this guide breaks DNS; after adding the rule, all DNS queries are blocked. Did I create the rule incorrectly?

[attached screenshot of the NAT rule]

keyser (Rebel Alliance) @MikhailCompo

@MikhailCompo Following the redirect guide from Johnpoz only works if your DNS is running locally on pfSense. You have a Pi-hole running, and if you attempt to NAT forward to that IP instead, it will only work if the Pi-hole is on a different interface than the requesting client.
If they are on the same interface you have to, e.g., set up the DNS forwarder in pfSense and have it forward to your Pi-hole. Then Johnpoz's posted guide will work once again.

                Love the no fuss of using the official appliances :-)

johnpoz (LAYER 8 Global Moderator) @MikhailCompo

                  @MikhailCompo said in Redirecting Google Chromecast and other 'Bad-DNS' Clients to My Own DNS Server:

                  Following this guide break

Well for starters you're not following the guide; the guide clearly shows redirecting to 127.0.0.1.. There are many a thread here going over trying to redirect traffic to some other IP on the same network as the client.. This will create an asymmetrical flow, and the client will normally balk at getting an answer from an IP that is clearly not who he sent the traffic to.


MikhailCompo @johnpoz

                    @johnpoz said in Redirecting Google Chromecast and other 'Bad-DNS' Clients to My Own DNS Server:

                    @MikhailCompo said in Redirecting Google Chromecast and other 'Bad-DNS' Clients to My Own DNS Server:

                    Following this guide break

Well for starters you're not following the guide; the guide clearly shows redirecting to 127.0.0.1.. There are many a thread here going over trying to redirect traffic to some other IP on the same network as the client.. This will create an asymmetrical flow, and the client will normally balk at getting an answer from an IP that is clearly not who he sent the traffic to.

                    If I had configured 127.0.0.1 as the guide says, would it have worked for me or would my DNS be broken?

johnpoz (LAYER 8 Global Moderator) @MikhailCompo

                      @MikhailCompo 127.0.0.1 will work if unbound is working.. Here is one of the many threads where this has been discussed

                      https://forum.netgate.com/post/1021681


provels
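The two points johnpoz makes above (a rdr to a host on the client's own interface produces an asymmetric flow the client rejects; a rdr to 127.0.0.1 works when unbound answers) can be checked from a LAN client with the following script. This is an added diagnostic written for this thread, not code from the forum, pfSense or Netgate; the resolver address, query name and fixed transaction id are assumptions for the demonstration.

```python
import socket
import struct

def build_query(name: str, txid: int) -> bytes:
    """Minimal DNS A query (RD=1) for `name` with transaction id `txid`."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_response(data: bytes, txid: int) -> dict:
    """Header fields of a reply; reject replies whose id does not match our query."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    rid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    return {"qr": bool(flags & 0x8000), "rcode": flags & 0x000F, "answers": an}

def classify(resolver: str, replied_by: str, hdr: dict) -> str:
    """Map what came back to the cases discussed in the thread."""
    if replied_by != resolver:
        # The rdr target answered the client directly from its own address (asymmetric
        # flow). A normal stub resolver silently drops this, so it looks like a timeout.
        return "source_mismatch"
    if not hdr["qr"]:
        return "not_a_response"
    return "answered"

def check_redirect(resolver: str, name: str = "example.com", port: int = 53,
                   timeout: float = 2.0) -> dict:
    """Send one plain UDP query to `resolver` from this client and report the outcome."""
    txid = 0x1234  # fixed for reproducibility; real resolvers randomise this
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (resolver, port))
        try:
            # Unconnected socket: we still see a datagram that arrives from the "wrong" peer.
            data, (src, _) = s.recvfrom(512)
        except socket.timeout:
            return {"status": "timeout", "replied_by": None}
    hdr = parse_response(data, txid)
    return {"status": classify(resolver, src, hdr), "replied_by": src, **hdr}

if __name__ == "__main__":
    # Run from a LAN client against a public resolver the port-53 rule should intercept.
    print(check_redirect("8.8.8.8"))
```

"answered" only proves a reply came back with the right source; to confirm it was unbound on pfSense rather than the real upstream, query a name that exists only as a local host override.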

                        Might want to look at incorporating DoH blocklists into your Pi.

                        https://www.reddit.com/r/pihole/comments/lhkwta/doh_url_blocklist/?rdt=59763

                        Peder

                        MAIN - pfSense+ 24.11-RELEASE - Adlink MXE-5401, i7, 16 GB RAM, 64 GB SSD. 500 GB HDD for SyslogNG
                        BACKUP - pfSense+ 23.01-RELEASE - Hyper-V Virtual Machine, Gen 1, 2 v-CPUs, 3 GB RAM, 8GB VHDX (Dynamic)

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.