I’ve got an assortment of Google devices on my IoT vlan, Avahi set up to limit/allow the primary vlan to communicate with those devices, and a firewall rule set to block DNS queries from the IoT interface to anything other than the pfsense firewall. All of this is working as expected and all of my devices have no issues with internet access.
The problem is that ever since Unifi Controller introduced Wi-Fi Experience, my Google Home, Hub and Chromecast devices have all had 0% scores due to “DNS timeouts”, despite having no issues resolving anything. If I turn off the Block DNS fw rule, then all of them immediately get a 100% score. I’m sure that these devices are attempting to use Google DNS servers, but they’re also set to use my pfsense DNS server via the DHCP scope settings for the IoT interface. I know I can just ignore the 0% scores, but I still find it mildly triggering and would appreciate knowing if anyone knows a way I can fix this.
Is it possible you can capture all outgoing port 53 traffic and redirect to an internal DNS server – this way you’re not blocking DNS per se just re-routing it somewhere else. I use pfsense’s DNS resolver and capture all port 53 traffic and redirect to encrypted DNS query using cloudflare.
I’m not sure however this would solve your problem.
Hmmm… I’ve got this setup already with DNS resolver, listening on ports 53/853, applied to all outgoing interfaces. Perhaps I’m missing some other resolver settings… I’ll have to go through this again and test various settings.
Have you forwarded all port 53 requests?
So I have 2 floating rules that block everything to port 853/53 not originating from this firewall
Then a NAT rule for every VLAN that will pass redirect UDP port 53 requests to 127.0.0.1
Again – I’d be curious if this strategy would work to solve your problem.
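A way to see what Wi-Fi Experience sees, as an added example (not code from anyone in this thread): a short Python probe that sends a plain UDP DNS query to a chosen server and classifies the outcome. With only the block rule, a query from the IoT vlan to 8.8.8.8 times out (the "DNS timeout" behind the 0% score); with the NAT redirect to 127.0.0.1 in place, the same query comes back answered, and pf un-translates the reply so the client still sees it as coming from 8.8.8.8. The resolver address 10.0.0.1 is a placeholder for the pfsense interface.

```python
import random
import socket
import struct


def build_query(name: str, txid: int) -> bytes:
    """Build a minimal RFC 1035 A query (RD bit set) for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(struct.pack("B", len(label)) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_response(data: bytes, txid: int):
    """Return (rcode, answer_count) if `data` is a reply to `txid`, else None."""
    if len(data) < 12:
        return None
    rid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:  # QR bit must be set on a reply
        return None
    return flags & 0x000F, an


def probe(server: str, name: str = "example.com", timeout: float = 2.0) -> str:
    """Classify one resolver as the client sees it: 'answered', 'refused' or 'timeout'."""
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, 53))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return "timeout"
    parsed = parse_response(data, txid)
    if parsed is None:
        return "timeout"
    rcode, answers = parsed
    return "answered" if rcode == 0 and answers > 0 else "refused"


if __name__ == "__main__":
    # 8.8.8.8 is the public resolver the Google devices fall back to;
    # 10.0.0.1 is a placeholder for the pfsense address handed out by DHCP.
    for server in ("8.8.8.8", "10.0.0.1"):
        print(f"{server}: {probe(server)}")
```

Run it from a host on the IoT vlan: "timeout" for 8.8.8.8 means the block rule is winning, while "refused" means the redirect works but the pfsense resolver's access list does not admit the IoT subnet.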
I appreciate the suggestions, kevdog! Haven’t had the time to try anything yet, but hope to do so this weekend.