I use a NAT rule to forward all rogue DNS queries to the pihole
pfsense gives out the pihole as the default DNS when assigning IPs via DHCP
Everything is working ok (rogue queries are routed to pihole and name resolution is working overall), but when I try the following command: dig @8.8.8.8 google.com I get the following error:
❯ dig @8.8.8.8 google.com
;; reply from unexpected source: 192.168.8.2#53, expected 8.8.8.8#53
;; reply from unexpected source: 192.168.8.2#53, expected 8.8.8.8#53
;; reply from unexpected source: 192.168.8.2#53, expected 8.8.8.8#53
; <<>> DiG 9.10.6 <<>> @8.8.8.8 google.com
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
I can see this query logged in the pihole and it has the proper originating host.
Troubleshooting till now has led me to believe that I need an outbound NAT rule but what that rule needs to contain eludes me. I’ve tried all combos I can think of but the error persists.
Thanks for the continued dialogue, I understand your point. However, prior to making the 192.168.8.x subnet, when everything was on the 192.168.7.x subnet, I had the same NAT redirect rule in place (but pointing to a host in the 7.x subnet) and dig was happy.
Can’t this be resolved via an outbound NAT rule? Also, because DNS is working ok, should I just ignore this error (and keep the NAT direct in place)?
I’m digging (no pun intended!) into this cause if the NAT redirect is causing underlying issues, then I’d like to find a resolution.
For additional context, the reason why I went down the route of setting up a secondary subnet is because with the previous setup (one subnet) all “rouge” redirected entries on the pihole logs appeared as if they were coming from the pfsense box vs the original host.
If there’s a way to actually retain the original hostname for the queries that are redirected, then I don’t need the second subnet at all.