Redirect DNS traffic with NAT rules

l0rdraiden said:

With the new NAT rules I want to redirect all DNS traffic in my network to a DNS server no matter what DNS settings has each device.

I have configured a NAT rules like this, but still devices like Alexa still call directly to 8.8.8.8 bypassing the NAT rule and my DNS server.

Why the v17.5 it wasn't possible but I'm wondering if it's possible now the new NAT options.

This is what I have configured as a NAT rule but doesn't work

 

 

This rule will work if you MASQ the translated source. If you want pretty pihole graphs, then use your rule otherwise use the rule that Casual_User posted and then point your XG to your pihole in DNS settings under configure network->DNS. 

Regards

So why do you say my rule it will work if I MASQ the traslated source?

My rule doesn't work and I would like to have the detail in pihole from which original IP the request is comming.

If I use what casual_user did all the request will come from XG to my Pihole.

So, it is possible to do what I am trying to do?, I have it configure but I don't see the requests in pihole, and Sophos logs are empty which is a bad joke considering this is an enterprise grade firewall.

Ok, you probably have your Pi-Hole in your LAN network. I was assuming it was in WAN network since sophos is not my edge firewall in the lab and my pi-hole is WAN for my setup... The difference being I already have a firewall rule to allow traffic to WAN... no big deal. Since you are masquerading traffic with NAT rule you have to setup a firewall rule to allow that traffic back into LAN

Here are the steps

1 Create a firewall allow src zone lan destination zone lan service DNS 

Then use your pihole NAT rule with MASQ

Unless you’re running different subnets within a LAN zone, I’m not sure what the purpose of a LAN to LAN firewall rule is. MASQ shouldn’t be required either.

I’m pretty sure the op is just running a typical setup with PiHole in the same subnet as his devices. No idea why the rule the op posted doesn’t work. Perhaps try setting the interface matching to Any? It could very well be an issue with v18.

I use a DNS catch all for IoT devices with hard coded dns. Probably nothing wrong with letting them use whatever dns but I like to use my own instead of whatever the IoT is asking for. That is why I NAT all my dns traffic to XG. 
OP is trying to get pretty graphs on pihole, not sure why he doesn't specify the dns settings in dhcp server since his pihole is in his LAN subnet.

I think he's trying to do exactly what you're doing:

l0rdraiden said:

With the new NAT rules I want to redirect all DNS traffic in my network to a DNS server no matter what DNS settings has each device.

I have no idea why his NAT rule doesn't work though. Seems like it should.

Yes you think you wouldn't have to MASQ traffic for local LAN but NAT doesn't work if you change destination to something else beside XG. I didn't test it much since my setup is different than his but if I remember correctly, previous versions were able to redirect traffic to LAN DNS servers without any problems. The way I tried to MASQ it back to LAN seems way too counter intuitive but it did work in my limited testing.

EDIT: Moreover looking at my rule above, if you MASQ the traffic, it would come from XG and not the original IP as the OP is trying to do so the method would catch all and redirect but not what he is intending to do.

Yes you think you wouldn't have to MASQ traffic for local LAN but NAT doesn't work if you change destination to something else beside XG. I didn't test it much since my setup is different than his but if I remember correctly, previous versions were able to redirect traffic to LAN DNS servers without any problems. The way I tried to MASQ it back to LAN seems way too counter intuitive but it did work in my limited testing.

EDIT: Moreover looking at my rule above, if you MASQ the traffic, it would come from XG and not the original IP as the OP is trying to do so the method would catch all and redirect but not what he is intending to do.