Redirect All DNS Traffic



  • Is there a way to catch all DNS traffic and redirect it to other servers such as the OpenDNS set? I have had several problems with guests having static DNS servers set so they never make it to the captive portal because of the DNS queries timing out.

    Thanks,
    Kevin



  • Can't think of one. But you could force them to use your DNS with a block rule.

    udp * 53 !192.168.1.1



  • Well the captive portal already blocks them from using external DNS which is what's causing the issue. Without a successful lookup, their browser fails at the name resolve and never gets redirected to the captive portal.

    I read in a thread somewhere on here about using a NAT rule to redirect the outbound SMTP traffic to feed it into an ISP mail server and that method seems to work quite well. When I use the equivalent setup for DNS, it works for around 5 minutes and then pfSense stops forwarding DNS packets altogether.



  • @blak111:

    Is there a way to catch all DNS traffic and redirect it to other servers such as the OpenDNS set? I have had several problems with guests having static DNS servers set so they never make it to the captive portal because of the DNS queries timing out.

    Hi Kevin,

    I'm not familiar with pfSense, but since it looks like a m0n0wall fork and uses PF, then the answer should be yes. You have two issues. One is redirecting the traffic, and the other is making sure your DNS server (or in this case, ours at OpenDNS) will recognize that it's meant for us, and that we know where to send it back. For the first part, you should be able to use the rdr rules and for the second part you should be able to use the NAT rules.

    So just thinking out loud, something like this should work:

    1. First intercept the traffic from your internal interface:

       rdr on $int_interface inet proto udp from any to any port 53 -> $opendns_ip

    (note: you might only be able to do this to one of our IPs, not both, but that's okay, really)

    2. Rewrite the outgoing packets to actually have a destination of 208.67.222.222:

       nat on $int_interface proto udp from $int_interface:network to any port 53 -> $opendns_ip

    This is all just a total guess, but something like this should be possible. :-)  Let us know if you figure out the magic commands.
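As an added example that is not from this thread or from pfSense itself, here is a pf.conf fragment that carries the two-step idea above through. The interface names, LAN network and resolver address are assumed macros, both UDP and TCP port 53 are caught, queries already aimed at the firewall's own resolver are left alone, and the source nat is placed on the external interface (my assumption about where the rewrite belongs, not the poster's).

```pf
# Constructed example: every macro value is an assumption, adjust to your setup.
ext_if     = "em0"
int_if     = "em1"
lan_net    = "192.168.1.0/24"
fw_lan_ip  = "192.168.1.1"
opendns_ip = "208.67.222.222"

# Translation rules: in pf.conf these must come before the filter rules.
# Queries guests send to the firewall's own resolver are not redirected.
no rdr on $int_if proto { tcp, udp } from $lan_net to $fw_lan_ip port 53

# Every other DNS query leaving the LAN is sent to one resolver, whatever
# static server address the guest has configured.
rdr on $int_if proto { tcp, udp } from $lan_net to any port 53 -> $opendns_ip port 53

# Source NAT on the WAN side so the resolver's replies return through this
# firewall, where pf undoes the rdr on the way back to the guest.
nat on $ext_if proto { tcp, udp } from $lan_net to $opendns_ip port 53 -> ($ext_if)

# Filter rules see the already-rewritten destination, so they match $opendns_ip.
pass in  quick on $int_if proto { tcp, udp } from $lan_net  to $opendns_ip port 53 keep state
pass out quick on $ext_if proto { tcp, udp } from ($ext_if) to $opendns_ip port 53 keep state
```

Confirm the translation took effect with pfctl -s nat and watch the rewritten flows with pfctl -s state; only plain port-53 DNS is caught, so a client that resolves over DNS-over-TLS or DNS-over-HTTPS is unaffected by these rules.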

