Redirect DNS traffic with NAT rules

With the new NAT rules I want to redirect all DNS traffic in my network to a DNS server, no matter what DNS settings each device has.

I have configured a NAT rule like this, but devices like Alexa still call 8.8.8.8 directly, bypassing the NAT rule and my DNS server.

With v17.5 it wasn't possible, but I'm wondering if it's possible now with the new NAT options.

This is what I have configured as a NAT rule, but it doesn't work:


Possible solution

I believe the issue is that your pihole is also getting caught in this rule: it tries to perform a DNS request, gets its own traffic destination DNAT'ed to itself, and fails to look up (or performs a loop). Unfortunately there is no "exception" original source for the DNAT rule. I just resolved this issue by giving my pihole a dedicated interface (a VLAN subinterface), and having the inbound interface be everything except the interface of the pihole.

I don't have "post reply" permissions for some reason, so I could not post a comment/reply to the issue thread.
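As an added illustration (not code from this thread or from Sophos), the following Python model traces what a "redirect all port 53" DNAT rule does to three constructed packets, including the resolver's own upstream query, and shows how excluding the resolver's dedicated interface avoids the self-loop described above. The addresses and the interface name are assumptions.

```python
# Added example: a minimal model of a "DNAT all DNS to the local resolver" rule.
# It is not Sophos XG code; it only reproduces the matching logic to show why the
# resolver's own upstream queries get rewritten back to itself and how an
# "every inbound interface except the resolver's" rule avoids that.
from dataclasses import dataclass, replace

RESOLVER_IP = "192.0.2.53"   # assumed LAN address of the Pi-hole (constructed)
RESOLVER_IF = "vlan53"       # assumed dedicated sub-interface for the Pi-hole


@dataclass(frozen=True)
class Packet:
    in_if: str    # interface the firewall received the packet on
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class DnatRule:
    dport: int
    redirect_to: str
    exclude_ifs: frozenset = frozenset()   # "everything except" these interfaces

    def apply(self, pkt: Packet) -> Packet:
        """Rewrite the destination if the packet matches; otherwise return it unchanged."""
        if pkt.dport != self.dport or pkt.in_if in self.exclude_ifs:
            return pkt
        return replace(pkt, dst=self.redirect_to)


def classify(pkt: Packet, rule: DnatRule) -> str:
    """'self-loop' if the resolver's own query is rewritten back to itself,
    'redirected' if the destination was changed, 'unchanged' otherwise."""
    out = rule.apply(pkt)
    if out.src == out.dst:
        return "self-loop"
    return "unchanged" if out.dst == pkt.dst else "redirected"


# Rule from the original post: match on every inbound interface.
NAIVE = DnatRule(dport=53, redirect_to=RESOLVER_IP)
# Rule from the "Possible solution": inbound = everything except the resolver's interface.
FIXED = DnatRule(dport=53, redirect_to=RESOLVER_IP, exclude_ifs=frozenset({RESOLVER_IF}))

# Constructed sample packets: a hard-coded device, a normal client, the resolver itself.
ALEXA = Packet("lan", "192.0.2.20", "8.8.8.8", 53)
CLIENT = Packet("lan", "192.0.2.30", RESOLVER_IP, 53)
PIHOLE_UPSTREAM = Packet(RESOLVER_IF, RESOLVER_IP, "1.1.1.1", 53)

if __name__ == "__main__":
    for name, pkt in [("alexa", ALEXA), ("client", CLIENT), ("pihole", PIHOLE_UPSTREAM)]:
        print(f"{name:7} naive={classify(pkt, NAIVE):10} fixed={classify(pkt, FIXED)}")
```

Under the naive rule the Pi-hole's upstream query comes out as a self-loop; under the interface-excluded rule it passes through while the Alexa query is still redirected.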

[edited by: l0rdraiden at 11:59 AM (GMT -8) on 28 Nov 2020]
  • I have this configured and working on my XG v18. Here are my settings:

    In my case, I'm redirecting all DNS IPv4 to the Sophos box since it is acting as my DNS server. Usage is over 3700 for the past few days.

  • Is this NAT rule actually needed? Surely it's the same as v17.5 in v18, isn't it? As long as you enable the DNS service on the LAN Zone under Administration - Device access, your XG will act as the DNS resolver again, right? This NAT redirect is valid if another IP other than the XG itself is your DNS forwarder, but I don't have to set anything to use my own XG v18 as my LAN Zone's (or whatever zone's) DNS forwarder?

    Correct me if I'm wrong, but personally I only need DNS enabled in Device access on my LAN Zone rather than having to use NAT rules again?

    JK

  • john_kenny said:

    Is this NAT rule actually needed? Surely it's the same as v17.5 in v18, isn't it? As long as you enable the DNS service on the LAN Zone under Administration - Device access, your XG will act as the DNS resolver again, right? This NAT redirect is valid if another IP other than the XG itself is your DNS forwarder, but I don't have to set anything to use my own XG v18 as my LAN Zone's (or whatever zone's) DNS forwarder?

    Correct me if I'm wrong, but personally I only need DNS enabled in Device access on my LAN Zone rather than having to use NAT rules again?

    I don't think that's how the Local Service ACL works (under Administration -> Device Access). My understanding is that by checking 'DNS' for the 'LAN' zone, it's simply saying devices on the LAN zone can access the DNS port (53) on the Sophos XG device itself, not that your clients will use Sophos XG as their DNS.

    To specify the DNS server clients will use, it can be configured via the DHCP server where you specify the DNS server that will be assigned, but some clients will still use their own DNS so the NAT rule forces them to use whatever you specify.

    Edit: Sort of unrelated but that actually reminds me, I don't need to set the upstream DNS server in my PiHole to Sophos XG anymore since it appears pharming protection in v18 doesn't exist (I think it was something to do with DPI engine). Previously, I was assigning my PiHole as the DNS via the DHCP server. Within my PiHole settings, I had set the upstream DNS server to Sophos XG to take advantage of pharming protection which required me to have 'DNS' checked in the Local Services ACL for the 'LAN' zone since my PiHole would need to be able to access the Sophos XG DNS server. However, now that I've just set the upstream DNS server to something else (e.g. CloudFlare), I can uncheck 'DNS' in Local Services ACL and everything still works fine.

    ---

    Sophos XG guides for home users: https://shred086.wordpress.com/

  • I forgot the DHCP part, but yeah, DHCP will give out your XG's IP if you set DHCP's DNS as the XG's IP, and the DNS in Device access is what allows that zone to use the XG as a forwarder... That's how mine has been set up since v15.

    Also, if needed, add a block rule for port 53 from LAN to WAN so no other devices can use any DNS forwarder other than your XG itself, or block any IPs other than the specified IP of the device acting as your DNS forwarder; then you won't get devices trying to use 8.8.8.8. That is something I've found helps prevent device DNS attempts: block rules! Block, or just don't add any rules that allow LAN to WAN dst port 53!!

    But yeah, you are right, it depends on whether you are going to use the XG as your only DNS forwarder or whether you want another device to act as one instead; then NAT redirects are needed as well as setting the device's IP in DHCP as you mentioned.

    I'm still waiting for the EAP of v18 with a DoT or DoH feature built into the DNS forwarder feature; that is one feature I'm eagerly awaiting. Yeah, the DNS forwarder feature has been perfect for use as an edge DNS forwarder, as mentioned earlier, using the DHCP & DNS & Device access settings along with a DNS block rule to prevent any device other than the XG itself from doing your DNS lookups / forwarding. But as soon as Sophos add DoT or DoH to that too, it will be icing on the cake! I just want my XG to do all this sort of stuff on my LAN so I don't need to use another device to do functions the XG still can't yet! Pi-hole I've not tried, but I have looked at AdGuard Home, which does DoT & DoH now as well as the usual filtering, but the XG can do that itself by loading filters into the XG's web categories and then adding those into your web policies, and you get filtering via the lists used in AdGuard or Pi-hole etc....

    See this user's brilliant GitHub page with converted filters that are made to go into the XG's web categories:

    https://github.com/austinheap/sophos-xg-block-lists

    FYI, the http links for some reason are broken, but copy the https links and just paste the URL into an XG web category as http, not https, and it works fine!!

    JK
