pfSense DNS redirect not working

Hi all. I have configured my pfSense firewall to intercept and redirect DNS as per @neogrid’s guide. My VLAN numbers are different, and I have two VLANs that need to go out in the clear instead of one, but it is essentially the same. I have a main and failover WAN, so there’s a gateway group for that. And I set up 3 AirVPN clients in a load-balance gateway group.

The DNS routing works as expected for DNS traffic that is already pointed at the firewall (i.e. the device is trying to use the firewall as its DNS server), as evidenced by DNS leak test. The VLAN with AirVPN as a WAN resolves through AirVPN, and the VLANs in the clear resolve through Quad9 as set in Settings > General.

But, if a device has a manually set DNS, like someone punched in on their NIC or their phone’s Wi-Fi config, that is not getting intercepted by the NAT port forwarding rules and processed on the firewall. It is flying right through to Google according to DNS leak test. I have been through the configuration 100 times and nothing is set wrong. I’ve seen a few other posts from people having similar problems and I’m not seeing a solution. TBH I don’t see how it’s even possible with the rules. How is anything getting past on port 53 with those port forwards in place?

Since I’m a new user, I can’t post all my screenshots here, so sorry for the replies with one at a time.

Let’s try the screenshots now. (Screenshots not preserved in this extract: DNS forwarder, DNS Resolver, NAT Rules, VLAN2 Rules (uses AirVPN), VLAN3 Rules (No VPN).)

Your setup looks kind of similar to mine … can’t see anything that stands out.

Are you on version 2.5? I can say it works on 2.4; however, I might do a rebuild next weekend for version 2.5 and find the DNS doesn’t work as expected.

Some devices don’t use port 53 for DNS, and I think modern Android devices use DoH.

I think that’s what is going on here. It seems even browser settings can gum up the works.

  • With the device DNS NIC or WiFi config set to use the firewall, everything gets handled locally in pfSense as desired regardless of windows/android and regardless of browser.

  • With the device DNS NIC or WiFi config set to use some other DNS, now “it depends”. If I’m using chrome, DNS blasts right past the firewall to or whatever the NIC is set to use. But if I use Internet Explorer (cringe), it is handled locally on the firewall through the rules.

I’m sure there are default browser settings in Chrome and IE facilitating this. I haven’t tried to figure out what they are yet. But it looks like if you want to intercept DoH, you’d have to do it by the specific DNS server IP. Haven’t tried it yet and not sure if it will work.
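The behaviour described in the post above, as an added example that is not part of the original thread: a small simulation of what the pfSense rules can and cannot see. A port-53 NAT redirect catches every plain DNS query regardless of which resolver the client typed into its NIC, DoT on tcp/853 can be caught by port alone, but DoH rides on tcp/443 and is indistinguishable from ordinary HTTPS unless the destination matches a known resolver IP. The interface name, VLAN addresses, resolver addresses and sample flows are all assumptions constructed for this illustration, not values from the poster's configuration; the `pf_rules` output is a pf(4)-syntax approximation of what the GUI rules express, not the rule set pfSense actually generates.

```python
"""Simulate a pfSense port-53 DNS redirect against plain DNS, DoT and DoH.

Added example, not code from the thread. Every address and interface name
below is an assumption chosen for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

FIREWALL_IP = ip_address("192.168.3.1")          # assumed VLAN3 gateway
LAN_NET = ip_network("192.168.3.0/24")           # assumed VLAN3 subnet

# Assumed public resolvers that also answer DoH on tcp/443. A real block
# list must be checked against the provider's currently published addresses.
KNOWN_ENCRYPTED_RESOLVERS = {
    ip_address("8.8.8.8"), ip_address("8.8.4.4"),   # Google
    ip_address("1.1.1.1"), ip_address("1.0.0.1"),   # Cloudflare
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    dport: int
    intended_dns: bool = False   # ground truth the firewall never sees


def classify(flow: Flow) -> str:
    """Verdict for one flow under the port-53 rdr plus an IP block list.

    local        client already asked the firewall itself
    redirected   plain DNS to anyone else, rewritten by the rdr rule
    blocked-dot  tcp/853 is only ever DoT, so port alone matches it
    blocked-doh  tcp/443 matched only because the destination IP is listed
    leak         encrypted DNS to an unlisted resolver passes as HTTPS
    passthrough  not DNS at all
    """
    dst = ip_address(flow.dst)
    if flow.dport == 53:
        return "local" if dst == FIREWALL_IP else "redirected"
    if flow.proto == "tcp" and flow.dport == 853:
        return "blocked-dot"
    if flow.proto == "tcp" and flow.dport == 443:
        if dst in KNOWN_ENCRYPTED_RESOLVERS:
            return "blocked-doh"
        return "leak" if flow.intended_dns else "passthrough"
    return "passthrough"


def pf_rules(iface: str) -> list[str]:
    """pf(4)-style equivalents of the GUI rules (illustrative, not generated by pfSense)."""
    rules = [
        f"rdr on {iface} proto {{ tcp udp }} from {LAN_NET} to ! {FIREWALL_IP} "
        f"port 53 -> {FIREWALL_IP} port 53",
        f"block return in quick on {iface} proto tcp from {LAN_NET} to any port 853",
    ]
    for resolver in sorted(KNOWN_ENCRYPTED_RESOLVERS, key=lambda a: a.packed):
        rules.append(
            f"block return in quick on {iface} proto tcp from {LAN_NET} to {resolver} port 443"
        )
    return rules


# Constructed sample flows mirroring the observations in the thread.
SAMPLE_FLOWS = [
    ("IE, NIC set to firewall",        Flow("192.168.3.20", "192.168.3.1", "udp", 53, True)),
    ("IE, NIC set to 8.8.8.8",         Flow("192.168.3.20", "8.8.8.8", "udp", 53, True)),
    ("Chrome DoH to 8.8.8.8",          Flow("192.168.3.20", "8.8.8.8", "tcp", 443, True)),
    ("phone DoT to 1.1.1.1",           Flow("192.168.3.21", "1.1.1.1", "tcp", 853, True)),
    ("DoH to unlisted 203.0.113.53",   Flow("192.168.3.21", "203.0.113.53", "tcp", 443, True)),
    ("ordinary HTTPS",                 Flow("192.168.3.20", "198.51.100.10", "tcp", 443)),
]


def simulate(flows=SAMPLE_FLOWS) -> dict[str, str]:
    """Map each labelled sample flow to its verdict."""
    return {label: classify(flow) for label, flow in flows}


if __name__ == "__main__":
    for label, verdict in simulate().items():
        print(f"{label:32} -> {verdict}")
    print()
    print("\n".join(pf_rules("vlan3")))
```

The "leak" verdict is the case the thread is circling: the firewall has no port or protocol handle on DoH, only the destination address, so an IP block list is the best the rules can do, and it has to be kept current with each resolver's published addresses.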

Yeah it sounds like if you have DoH and DoT supported in the browser you won’t be able to prevent another DNS being used by the client.