Redirect DNS traffic with NAT rules

With the new NAT rules I want to redirect all DNS traffic in my network to a DNS server, no matter what DNS settings each device has.

I have configured a NAT rule like this, but devices like Alexa still call 8.8.8.8 directly, bypassing the NAT rule and my DNS server.

In v17.5 it wasn't possible, but I'm wondering if it's possible now with the new NAT options.

This is what I have configured as a NAT rule, but it doesn't work:


Possible solution

I believe the issue is that your pihole is also getting caught in this rule: it tries to perform a DNS request, gets its own traffic destination DNAT'ed to itself, and fails to look up (or performs a loop). Unfortunately there is no "exception" original source for the DNAT rule. I resolved this issue by giving my pihole a dedicated interface (a VLAN subinterface) and having the inbound interface be everything except the interface of the pihole.

I don't have "post reply" permissions for some reason, so I could not post a comment/reply to the issue thread.

[edited by: l0rdraiden at 11:59 AM (GMT -8) on 28 Nov 2020]
  • l0rdraiden said:

    With the new NAT rules I want to redirect all DNS traffic in my network to a DNS server, no matter what DNS settings each device has.

    I have configured a NAT rule like this, but devices like Alexa still call 8.8.8.8 directly, bypassing the NAT rule and my DNS server.

    In v17.5 it wasn't possible, but I'm wondering if it's possible now with the new NAT options.

    This is what I have configured as a NAT rule, but it doesn't work:


    This rule will work if you MASQ the translated source. If you want pretty pihole graphs, then use your rule otherwise use the rule that  posted and then point your XG to your pihole in DNS settings under configure network->DNS. 

    Regards

  • So why do you say my rule will work if I MASQ the translated source?

    My rule doesn't work, and I would like to have the detail in pihole of which original IP the request is coming from.

    If I use what casual_user did, all the requests will come from XG to my Pihole.

    So, is it possible to do what I am trying to do? I have it configured, but I don't see the requests in pihole, and the Sophos logs are empty, which is a bad joke considering this is an enterprise grade firewall.

  • Ok, you probably have your Pi-Hole in your LAN network. I was assuming it was in the WAN network, since Sophos is not my edge firewall in the lab and my pi-hole is on WAN for my setup... The difference being I already have a firewall rule to allow traffic to WAN... no big deal. Since you are masquerading traffic with the NAT rule, you have to set up a firewall rule to allow that traffic back into LAN.

    Here are the steps:

    1. Create a firewall rule allowing source zone LAN, destination zone LAN, service DNS.

    2. Then use your pihole NAT rule with MASQ.

  • Unless you’re running different subnets within a LAN zone, I’m not sure what the purpose of a LAN to LAN firewall rule is. MASQ shouldn’t be required either.

    I’m pretty sure the op is just running a typical setup with PiHole in the same subnet as his devices. No idea why the rule the op posted doesn’t work. Perhaps try setting the interface matching to Any? It could very well be an issue with v18.

    ---

    Sophos XG guides for home users: https://shred086.wordpress.com/

  • I use a DNS catch all for IoT devices with hard coded dns. Probably nothing wrong with letting them use whatever dns but I like to use my own instead of whatever the IoT is asking for. That is why I NAT all my dns traffic to XG. 
    OP is trying to get pretty graphs on pihole, not sure why he doesn't specify the dns settings in dhcp server since his pihole is in his LAN subnet.

  • I think he's trying to do exactly what you're doing:

    l0rdraiden said:

    With the new NAT rules I want to redirect all DNS traffic in my network to a DNS server no matter what DNS settings has each device.

    I have no idea why his NAT rule doesn't work though. Seems like it should.

    ---

    Sophos XG guides for home users: https://shred086.wordpress.com/

  • Yes, you would think you wouldn't have to MASQ traffic for the local LAN, but NAT doesn't work if you change the destination to something other than XG. I didn't test it much, since my setup is different from his, but if I remember correctly, previous versions were able to redirect traffic to LAN DNS servers without any problems. The way I tried to MASQ it back to LAN seems way too counter-intuitive, but it did work in my limited testing.

    EDIT: Moreover, looking at my rule above, if you MASQ the traffic, it would come from XG and not the original IP as the OP is trying to do, so the method would catch all and redirect, but not do what he is intending.
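The thread gives two separate reasons the catch-all DNAT rule misbehaves: the Pi-hole's own upstream lookups get caught by the rule and loop back to it (the "Possible solution" post), and on a flat LAN the redirected reply never passes back through the firewall unless the source is masqueraded, at the cost of the Pi-hole seeing XG instead of the real client (casual_user's last two posts). The model below is an added example, not code from the thread or from Sophos; it traces one hard-coded 8.8.8.8 query through the three configurations discussed. All addresses and interface names (192.168.1.1 for the firewall, 192.168.1.53 for the Pi-hole, 192.168.1.20 for a client, "lan" and a dedicated "lan.53" sub-interface) are assumed, and the reply-path rule it encodes is the usual connection-tracking behaviour: a DNAT is only reversed on a reply that actually transits the firewall.

```python
"""Constructed model of a DNS catch-all DNAT rule and its failure modes.

Assumed addresses and interfaces (not from the thread): firewall LAN address
192.168.1.1, Pi-hole 192.168.1.53, client 192.168.1.20, interface "lan" for
clients and "lan.53" as a VLAN sub-interface dedicated to the Pi-hole.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional

FIREWALL_IP = "192.168.1.1"   # assumed XG LAN address
PIHOLE_IP = "192.168.1.53"    # assumed Pi-hole address
CLIENT_IP = "192.168.1.20"    # assumed client (an Alexa-style device)
PUBLIC_DNS = "8.8.8.8"        # the hard-coded resolver mentioned in the thread


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    in_iface: str


@dataclass(frozen=True)
class DnatRule:
    """DNAT: a UDP/53 packet entering on one of in_ifaces is sent to translated_dst.
    masquerade=True additionally rewrites the source to the firewall address."""
    in_ifaces: FrozenSet[str]
    translated_dst: str
    masquerade: bool = False

    def apply(self, pkt: Packet) -> Packet:
        if pkt.dport != 53 or pkt.in_iface not in self.in_ifaces:
            return pkt
        src = FIREWALL_IP if self.masquerade else pkt.src
        return Packet(src, self.translated_dst, pkt.dport, pkt.in_iface)


@dataclass(frozen=True)
class Outcome:
    redirected: bool
    pihole_sees_src: Optional[str]   # source the Pi-hole logs for the client's query
    client_gets_answer: bool         # reply arrives from the address the client asked
    upstream_escapes: bool           # Pi-hole's own upstream query is not caught


def trace(query: Packet, rule: DnatRule, pihole_iface: str) -> Outcome:
    nat = rule.apply(query)
    if nat.dst != PIHOLE_IP:
        return Outcome(False, None, False, True)

    # Reply path: the Pi-hole answers to nat.src. The firewall can only undo the
    # DNAT (so the client sees the answer come from 8.8.8.8, the address it asked)
    # if the reply passes through it, which is guaranteed when the source was
    # masqueraded to the firewall or when the client sits on a different interface
    # than the Pi-hole. On one flat segment the reply goes host to host and the
    # client receives an answer from an address it never queried.
    reply_via_firewall = nat.src == FIREWALL_IP or query.in_iface != pihole_iface

    # Loop check from the "Possible solution" post: the Pi-hole's own upstream
    # query enters the firewall from the Pi-hole's interface; if the rule matches
    # it, the query is sent back to the Pi-hole instead of leaving.
    upstream = Packet(PIHOLE_IP, PUBLIC_DNS, 53, pihole_iface)
    upstream_escapes = rule.apply(upstream).dst != PIHOLE_IP

    return Outcome(True, nat.src, reply_via_firewall, upstream_escapes)


CLIENT_QUERY = Packet(CLIENT_IP, PUBLIC_DNS, 53, "lan")


def flat_lan_no_masq() -> Outcome:
    """The OP's rule: Pi-hole and clients share "lan", no MASQ."""
    return trace(CLIENT_QUERY, DnatRule(frozenset({"lan"}), PIHOLE_IP), "lan")


def flat_lan_masq() -> Outcome:
    """Same layout, translated source masqueraded as casual_user suggested."""
    rule = DnatRule(frozenset({"lan"}), PIHOLE_IP, masquerade=True)
    return trace(CLIENT_QUERY, rule, "lan")


def dedicated_pihole_iface() -> Outcome:
    """Pi-hole on its own VLAN sub-interface, which the rule does not match."""
    return trace(CLIENT_QUERY, DnatRule(frozenset({"lan"}), PIHOLE_IP), "lan.53")


if __name__ == "__main__":
    for fn in (flat_lan_no_masq, flat_lan_masq, dedicated_pihole_iface):
        print(f"{fn.__name__:24s} {fn()}")
```

Running it shows the trade-off the posters describe: the flat-LAN rule redirects but the client never accepts the answer and the Pi-hole's upstream query loops; adding MASQ makes the client happy but every query now appears to come from 192.168.1.1, so the per-client graphs the OP wants are gone, and the loop remains; only the dedicated-interface layout gives the Pi-hole the real client address, a reply path through the firewall, and an upstream query the rule leaves alone.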

