Redirect all tagged DNS traffic to specific IP
-
Basically I want to do something similar to this: https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html
But I want to match all traffic tagged as egress VPN traffic, so that I force DNS requests from machines routed to the VPN to bypass pfSense and use a different resolver completely. Is this possible?
-
I don't think this is possible. I have several rules on several interfaces/VLANs that do policy routing of arbitrary traffic via VPN. I often change them or toggle them based on the current use case. To prevent traffic leaks I tag such traffic and have a floating rule that blocks all tagged traffic from going through a non-VPN gateway. This works perfectly. You are all probably sick of people asking about DNS leaks, but yeah, I basically wanted to get rid of pushing my DNS traffic to Cloudflare or any other provider over DNS over TLS. I was hoping I could just tell pfSense "take any traffic with tag XYZ to port 53 and shove it to 10.20.30.40:53 on the VPN gateway". This way requests generated by VPN-routed machines never reach the DNS Resolver. But I realized that tagging is performed on the outbound interface, right? When the machine that is being routed via VPN issues a request to 1.1.1.1 it's properly tagged, but when it issues a request to the pfSense box, say 10.0.0.1, this won't be tagged? Anyway, I don't think it's possible. Any other idea for a centralized rule that could handle such cases is much appreciated. I do a load of sandboxing of dubious code and need the flexibility of policy routing without having to create or tweak several NAT port forwarding rules.
-
I'm thinking aloud: perhaps instead of using rules on an as-needed basis I could have static rules on all my creepy VLANs that use an alias? This way I would just add/remove hosts/networks from a single alias to control what flies over the VPN. And I could use port forwarding with that alias too, so the DNS traffic would get redirected? Hm
-
Yeah, the alias solution almost worked! I mean it works perfectly, but I quickly realized that I rely on resolving names of local machines, and when I redirect the DNS traffic away from the pfSense DNS Resolver I can't resolve those names. I guess only an unbound feature of using different name servers for different clients would truly solve this?
-
@Decepticon this is what I did, but with an alias instead of a source IP. This does not solve the issue that I need to resolve local .lan domains. The only real solution that I can come up with is to spin up a secondary DNS that will forward requests for my local .lan TLD to pfSense and forward other requests into the VPN tunnel. I could try to do this with the DNS Forwarder, but it uses the same upstream DNS settings as the Resolver does, so I guess I hit a pfSense limitation and just gotta spin up another VM with plain old dnsmasq.
-
I use Pi-Hole for the purpose of doing custom dns lookups (mostly blocking). You can then tell Pi-Hole to get DNS from a destination on the VPN.
But, in that case, you don't need a custom port forwarding rule. You just tell your devices to get DNS from Pi-Hole, and Pi-Hole to get DNS from the internet.
I'm very opposed to using custom DNS for local resolution. IMHO, it's better to just use memorable IP addresses. That way, if DNS breaks, you can still reach all of your devices.
-
@Decepticon said in Redirect all tagged DNS traffic to specific IP:
I'm very opposed to using custom DNS for local resolution. IMHO, it's better to just use memorable IP addresses. That way, if DNS breaks, you can still reach all of your devices.
I like it because with 20+ VLANs it's easier to manage (e.g. machine-xyx.project1.lan, nas.someotherproject.lan and so on). Agreed that it's more failure-prone, but it would be a lot of work to get rid of this setup :)
-
So I managed to achieve what I wanted via an additional DNS server running dnsmasq. The example setup looks like this:
Isolated DNS server running dnsmasq: 192.168.10.2
LAN: 192.168.1.0/24
WG0: 10.10.0.50
VPN DNS server: 10.10.0.2
I created two aliases:
- vpn_isolation - with networks for each machine that will be forced to use the VPN; network aliases can include single hosts with a /32 netmask, and that's less problematic than removing 255 entries from an IP alias that expanded a whole /24 network :D
- isolated_dns - this alias only contains 192.168.10.2; this will make our life way easier if we decide to move dnsmasq to a different subnet
First we create port forwarding rule:
Firewall -> NAT -> Port Forward
Interface: LAN
Protocol: TCP/UDP
Source: Address or Alias: vpn_isolation
Destination Port Range: DNS / DNS
Redirect Target IP: isolated_dns
Redirect Target Port: DNS
Filter Rule Association: Add associated filter rule
NAT Reflection: disable
Description: Force DNS to VPN
Next we need the same rule on the interface where dnsmasq lives, so we can pass all the traffic from dnsmasq to the VPN.
Then we need to create a policy routing rule that will match IPs/networks from the vpn_isolation alias on the LAN interface:
Firewall -> Rules -> LAN
Source: IP address or alias: vpn_isolation
Destination: either * or exclude private networks to allow routing to internal subnets
Gateway: WG0_GATEWAY
Finally we need to spawn a Linux box or container with IP 192.168.10.2 that runs dnsmasq. Below is an example dnsmasq config:
no-resolv
no-poll
# we tell dnsmasq to use the VPN DNS server
server=10.10.0.2
# then we tell dnsmasq to use 192.168.1.1 to resolve *.lan and *.myinternaldomain.omgyay
# (or any other domain or suffix we need)
server=/lan/192.168.1.1
server=/myinternaldomain.omgyay/192.168.1.1
# this is important, otherwise dnsmasq won't reply to queries from a different network
listen-address=192.168.10.2,127.0.0.1
We can test the setup from a machine with an IP included in the vpn_isolation alias:
- use https://dnsleaktest.com/ - it should show a single DNS server, or at least one different from the one pfSense's DNS Resolver/Forwarder uses
- more important - we need to check that we don't leak the original WAN subnet via ECS - just issue
curl -SL https://test.nextdns.io
and the resulting JSON should not include an "ecs" key with your WAN subnet - this was the biggest problem for me when using DoT from the DNS Resolver - if you own a RIPE allocation you basically dox yourself this way.
Both the port forwarding and the policy routing firewall rules have to be added to every interface on which we want to use VPN isolation, and they need to be above any other policy routing rules that might redirect traffic elsewhere and go through clearnet, of course.
With this setup, when you want to enable/disable the VPN for any host or network behind pfSense, all you need to do is edit the vpn_isolation alias and you're done.
CAVEAT: make sure the dnsmasq DNS server is on its own subnet; this makes things easier. I was able to get this working with the same subnet for dnsmasq and vpn_isolation, but you have to create an additional port forwarding rule above the one that intercepts DNS traffic, which matches traffic from dnsmasq and has "Disable redirection for traffic matching this rule" checked. This will allow dnsmasq to talk to pfSense :)
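The two things the setup above depends on can be sanity-checked offline before any client is pointed at the resolver: which upstream dnsmasq picks for a given name under the posted config (per-domain server= entries versus the default), and whether a test.nextdns.io-style reply exposes the WAN subnet via EDNS Client Subnet. The script below is an added example, not code from this thread or from dnsmasq; the config text mirrors the post's directives, the JSON replies are constructed (only the "ecs" key comes from the post, the other keys and the 203.0.113.0/24 "WAN" are placeholders), and the longest-suffix matching reflects how dnsmasq chooses among server=/domain/ entries.

```python
"""Offline model of the dnsmasq split-forwarding config from the post and
an ECS leak check on a test.nextdns.io-style JSON reply (added example)."""
import ipaddress
import json

# Same directives as the dnsmasq config in the post (comments dropped).
DNSMASQ_CONF = """
no-resolv
no-poll
server=10.10.0.2
server=/lan/192.168.1.1
server=/myinternaldomain.omgyay/192.168.1.1
listen-address=192.168.10.2,127.0.0.1
"""


def parse_servers(conf):
    """Split server= lines into default upstreams and per-domain upstreams.

    dnsmasq syntax: 'server=IP' is a default upstream; 'server=/dom/IP'
    is used only for 'dom' and names below it.
    """
    default, by_domain = [], {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("server="):
            continue
        value = line[len("server="):]
        if value.startswith("/"):
            _, domain, ip = value.split("/", 2)
            by_domain[domain.strip(".").lower()] = ip
        else:
            default.append(value)
    return default, by_domain


def upstream_for(name, default, by_domain):
    """Return the upstream dnsmasq would use: the longest matching domain
    suffix wins, otherwise the default upstream (None if there is none)."""
    labels = name.strip(".").lower().split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in by_domain:
            return by_domain[suffix]
    return default[0] if default else None


def resolv_conf_ignored(conf):
    """True when no-resolv is set, i.e. dnsmasq will not also pick up the
    box's /etc/resolv.conf nameservers (which could bypass the VPN)."""
    return any(line.split("#", 1)[0].strip() == "no-resolv"
               for line in conf.splitlines())


def ecs_prefix(response_json):
    """Return the 'ecs' value from a reply, or None if the key is absent.
    The post expects the key to be absent entirely when nothing leaks."""
    return json.loads(response_json).get("ecs")


def ecs_leaks_wan(response_json, wan_subnet):
    """True if the reply's ECS prefix falls inside the WAN subnet."""
    ecs = ecs_prefix(response_json)
    if not ecs:
        return False
    try:
        leaked = ipaddress.ip_network(ecs, strict=False)
        wan = ipaddress.ip_network(wan_subnet, strict=False)
    except ValueError:
        return True  # unparsable value: treat as a leak and inspect by hand
    return leaked.version == wan.version and leaked.subnet_of(wan)


# Constructed replies in the shape of the curl output from the post; only the
# "ecs" key is taken from the post, the other keys are assumptions.
LEAKY_REPLY = json.dumps({"resolver": "10.10.0.2", "ecs": "203.0.113.0/24"})
CLEAN_REPLY = json.dumps({"resolver": "10.10.0.2"})
WAN_SUBNET = "203.0.113.0/24"  # placeholder for your real WAN allocation


if __name__ == "__main__":
    default, by_domain = parse_servers(DNSMASQ_CONF)
    for qname in ("nas.project1.lan", "host.myinternaldomain.omgyay",
                  "dnsleaktest.com"):
        print(f"{qname:32} -> {upstream_for(qname, default, by_domain)}")
    print("no-resolv set:", resolv_conf_ignored(DNSMASQ_CONF))
    for label, reply in (("leaky", LEAKY_REPLY), ("clean", CLEAN_REPLY)):
        print(f"{label}: ecs={ecs_prefix(reply)} "
              f"leaks WAN={ecs_leaks_wan(reply, WAN_SUBNET)}")
```

Run it as-is to see .lan names routed to 192.168.1.1 and everything else to 10.10.0.2; to check a live box, replace DNSMASQ_CONF with the real file contents and feed the actual curl output and your WAN prefix to ecs_leaks_wan.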