Заметки сисадмина » pfSense: Redirecting Client DNS Requests

Заметки сисадмина о интересных вещах из мира IT, инструкции и рецензии. Настраиваем Компьютеры/Сервера/1С/SIP-телефонию в Москве

pfSense: Redirecting Client DNS Requests

To restrict client DNS to only the DNS Resolver or Forwarder on pfSense® software, use a port forward to capture all client DNS requests.

Either The DNS Resolver or DNS Forwarder must be active and it must bind to and answer queries on Localhost, or All interfaces.

The following example uses the LAN interface but the same technique will work with any local interface.

  • Navigate to Firewall > NAT, Port Forward tab
  • Click fa-level-up Add to create a new rule
  • Fill in the following fields on the port forward rule:
    Interface
    LAN
    Protocol
    TCP/UDP
    Destination
    Invert Match checked, LAN Address
    Destination Port Range
    DNS (53)
    Redirect Target IP
    127.0.0.1
    Redirect Target Port
    DNS (53)
    Description
    Redirect DNS
    NAT Reflection
    Disable

When complete, the port forward must appear as follows:

../_images/redirect_dns_port_forward.png

If DNS requests to other DNS servers are blocked, such as by following Blocking External Client DNS Queries, ensure the rule to pass DNS to 127.0.0.1 is above any rule that blocks DNS.

With this port forward in place, DNS requests from local clients to any external IP address will result in the query being answered by the firewall itself. Access to other DNS servers on port 53 is impossible.

This can be adapted to allow access to only a specific set of DNS servers by changing the Destination network from “LAN Address” to an alias containing the allowed DNS servers. The Invert match box should remain checked.

Clients using DNS over TLS or DNS over HTTPS could circumvent this protection. Redirecting or blocking port 853 may help with DNS over TLS, depending on the clients.

Leave a Reply