I’d want to make sure that my LAN clients only use my pfsense firewall as a DNS resolver or any DNS server IP set on it. Anyway this setting here seems not to be working:
Clients can browse internet using their DNS settings. I then set these two rules in my pfsense firewall:
But if a client set any dns server Ip in network proprieties, my pfsense keeps it from browsing internet. I think that it is a bit overkilled, I’d just want to redirect it to pfsense’s dns whichever Ip it can ever set.
Could you help work this out please?
I’ve never tried this before, but thought I would give it a go following the Netgate guide and apply it to my guest VLAN. Like you I found it blocked all dns traffic and did not redirect, result no internet access, even for machines outside of the guest VLAN, which was a bit odd. I followed the guide and set 127.0.0.1 as the ip to redirect to, if I changed it to the specific ip of pfSense for that VLAN it all started working. So it looks like something goes wrong if you use 127.0.0.1.
You don’t need the block rule. Just set the port 53 pass rule to a destination of 127.0.0.1…this firewall probably works too but I use 127.0.0.1. I use the redirect port 53 pass rule on all my networks including OpenVPN network. Works fine.
Arre you talking about the NAT rule I linked above?
It doesn’t work.
This is what I use…Use a firewall rule like this in each of your LANs:
Then under firewall, NAT, port forward put in a rule like this for each of your LANs:
That works for me…all port 53 requests are mapped to the firewall to however you have setup your DNS. I use the DNS resolver to forward DNS and have enabled DOT. No issues at all
I set the suggested rules.
Althought I see records in firewall log:
Apr 10 07:24:43 LAN NAT redirect DNS (1586502034) 192.168.5.14:49166 127.0.0.1:53 UDP
if I run a nslookup in my windows machine client, I get this:
Google DNS I set in my network card for a test it still seems to be used. How comes?
Last thing. What is “DOT” for?
Thank you very much
This is an interesting question. My input will probably add more woes rather than resolve your query but it might be useful.
I’ve setup my network to use 3 sets of DNS servers; my guest network uses Quad9 set in the DHCP server, my VPN network uses Air DNS servers in DNS Resolver so DNS queries stay in the VPN tunnel of my VPN provider and I use Cloudflare in DNS Forwarder for my other networks.
When I originally set up PfSense I am certain all DNS queries resolved as expected. Mainly I’m concerned that I don’t have any leaks on my VPN network for my Linux ISO downloads ;-). When I do a DNSleaktest it passes.
However, I later setup pfblocker and this made some changes which I have to admit I don’t fully understand, but I know queries go through this to block those IP addresses passing the ads. I need to investigate this further but it seems to work ok.
The way I approached the firewall rules was to block everything first, then add rules to achieve my objective. Going the other way I found was difficult to determine whether my network was secure or not.
The thing with PfSense that I have found is that in order to get 1 thing to work 3 other things have to be configured correctly. Trial and error is your friend !
" …my VPN network uses Air DNS servers in DNS Resolver"
I am kind of pfsense newbie user. I don’t think I got it.
Can you set DNS servers in DNS resolver? How?
DOT is DNS over TLS. Let’s see all your rules including the NAT rules. I assume you have DNS IP address in System, General setup? Also, need screenshots of what you have in DNS resolver.
DNS resolver uses the DNS settings under System, General Setup
@jeff3820 I don’t have any DNS servers set in DNS Server Settings under General Setup. Pfsense DNS resolver asks root DNS directly…I guess. In the NAT settings, there is only the DNS rule above in “Port Forward”. Nothing else really.
Outbound is set on “Automatic”
As for DNS resolver I just disabled “Enable Forwarding Mode”.
Under System > Routing > Gateway set the DNS address (for AirVPN) in the Monitor IP field for the VPN Gateway on your VPN interface.
In DNS Resolver you select your VPN vlan in the Network Interfaces choices and select your earlier VPN gateway in the Outgoing Network Interfaces.
This is how I have set it up, there are probably 10 ways of doing everything but I must admit I was tweaking things until they worked but then kept on finding out new things
The key point for the VPN is to ensure you don’t have DNS leaking your IP address !
You can always test your DNS for your VPN is correctly figured at this site
My verbose point is, I doubt it matters what DNS you use on your vLANs but on your VPN vLAN it is critical, if I am correct then I doubt you have any major issues with this approach. You’ll just have to work out what suits you.
Put your desired DNS in under general settings or the dns resolver won’t know where the dns lookups should go…hence it can’t override anything
@neogrid One of my goals to force clients to go through pfsense dns resolver is to be able to better track their browsing and “stop” them just in case.
Can it be done differently? I mean, all the browsing would go through my firewall anyway if I set DNS Forwarded and be logged? I’ve never figure that out completely.
I need to understand it.
You say to put DNS in general setting otherwise dns resolver can’t know where dns lookups should go, but I still can browse internet this way.
Again, DO I need to set dns server there to make my DNS NAT rule work?
Yes. Note this from the original article you were referencing:
Before adding this rule, ensure the DNS Forwarder or DNS Resovler is configured to bind and answer queries on Localhost , or All interfaces.
You need those DNS settings or the resolver or forwarder can do anything.
One more thing, have you enabled the dns resolver at the top of the resolver settings?
@jeff3820 is basically correct, from a clean install you have to enter your DNS servers, these will appear under general settings anyway if I recall correctly. Set up your routing however you like for your vLans. However, when you use AirVPN you MUST use their DNS servers, therefore I believe the problem you have to solve is how to use a 2nd DNS for your VPN vLAN only.
There may well be several ways of achieving this,once I got mine to work I stopped and went to the next problem
If you want to “stop” clients just in case, perhaps it’s a combination of setting the correct rules and using pfblocker. My approach with the firewall rules was to stop everything then go from there.
@jeff3820 oh, I didn’t notice that in the article. I thought that DNS resolver would answer queries on localhost even working without setting dns servers because it would ask root dns servers, wouldn’t it?
I’ll try it.Yes, I enabled dns resolver at the top of its setting page.
Ok thanks…I am going to test it and let you know.