Redirect DNS traffic with NAT rules

With the new NAT rules I want to redirect all DNS traffic in my network to a DNS server, no matter what DNS settings each device has.

I have configured a NAT rule like this, but devices like Alexa still call 8.8.8.8 directly, bypassing the NAT rule and my DNS server.

With v17.5 it wasn't possible, but I'm wondering if it's possible now with the new NAT options.

This is what I have configured as a NAT rule, but it doesn't work:


Possible solution

I believe the issue is that your pihole is also getting caught in this rule: it tries to perform a DNS request, gets its own traffic's destination DNAT'ed to itself, and fails to look up (or performs a loop). Unfortunately there is no "exception" for the original source in the DNAT rule. I resolved this issue by giving my pihole a dedicated interface (a VLAN subinterface) and having the inbound interface be everything except the interface of the pihole.

I don't have "post reply" permissions for some reason, so I could not post a comment/reply to the issue thread.

[edited by: l0rdraiden at 11:59 AM (GMT -8) on 28 Nov 2020]
  • I use a DNS catch-all for IoT devices with hard-coded DNS. Probably nothing wrong with letting them use whatever DNS, but I like to use my own instead of whatever the IoT is asking for. That is why I NAT all my DNS traffic to XG. 
    OP is trying to get pretty graphs on pihole; not sure why he doesn't specify the DNS settings in the DHCP server, since his pihole is in his LAN subnet.

  • I think he's trying to do exactly what you're doing:

    l0rdraiden said:

    With the new NAT rules I want to redirect all DNS traffic in my network to a DNS server no matter what DNS settings has each device.

    I have no idea why his NAT rule doesn't work though. Seems like it should.

    ---

    Sophos XG guides for home users: https://shred086.wordpress.com/

  • Yes, you'd think you wouldn't have to MASQ traffic for the local LAN, but NAT doesn't work if you change the destination to something other than XG. I didn't test it much since my setup is different from his, but if I remember correctly, previous versions were able to redirect traffic to LAN DNS servers without any problems. The way I tried to MASQ it back to LAN seems way too counterintuitive, but it did work in my limited testing.

    EDIT: Moreover, looking at my rule above, if you MASQ the traffic it would come from XG and not the original IP as the OP is trying to do, so the method would catch all and redirect, but not do what he is intending.
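To make the two failure modes in this thread concrete (the pihole's own upstream query being DNAT'ed back to itself, as in the "Possible solution" post, and the same-subnet redirect only working once the traffic is MASQ'ed, as in the comment above), here is an added toy model of a "redirect all port 53 to the pihole" rule. It is not Sophos XG code or anything posted in the thread; all addresses are constructed, the source exclusion stands in for the dedicated-interface trick, and the reply-path explanation for the MASQ case is this example's own assumption about hairpin NAT on a shared subnet.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Constructed addresses for the model (not taken from the thread).
LAN = ip_network("192.168.1.0/24")
XG_LAN_IP = ip_address("192.168.1.1")   # firewall's LAN address
PIHOLE = ip_address("192.168.1.53")     # internal DNS server
PUBLIC_DNS = "8.8.8.8"                  # hard-coded resolver a device like Alexa uses


@dataclass(frozen=True)
class Query:
    src: str
    dst: str
    dport: int = 53


def apply_dnat(q, exclude_src=frozenset(), masquerade=False):
    """'Redirect all port-53 traffic to PIHOLE' rule as the thread describes.
    exclude_src plays the role of the dedicated pihole interface left out of
    the rule; masquerade rewrites the source to the firewall's own address."""
    if q.dport != 53 or ip_address(q.src) in exclude_src:
        return q                                   # rule does not match
    src = str(XG_LAN_IP) if masquerade else q.src
    return replace(q, src=src, dst=str(PIHOLE))


def trace(q, exclude_src=frozenset(), masquerade=False):
    """Return what happens to the query after the firewall processes it."""
    t = apply_dnat(q, exclude_src, masquerade)
    if t.dst != str(PIHOLE):
        return "forwarded-unchanged"               # e.g. pihole's own upstream query
    if ip_address(q.src) == PIHOLE:
        return "loop"                              # pihole's query DNAT'ed back to itself
    if not masquerade and ip_address(t.src) in LAN:
        # Client and pihole share a subnet, so pihole answers the client directly
        # and the reply never crosses the firewall to be un-NATed. The client
        # asked 8.8.8.8 and sees an answer from PIHOLE, which it discards.
        return "reply-bypasses-firewall"
    return "redirected"                            # reply returns via XG and is un-NATed


if __name__ == "__main__":
    alexa = Query("192.168.1.77", PUBLIC_DNS)
    upstream = Query(str(PIHOLE), PUBLIC_DNS)
    print("original rule, pihole upstream:", trace(upstream))
    print("with exception, pihole upstream:", trace(upstream, {PIHOLE}))
    print("with exception, alexa:", trace(alexa, {PIHOLE}))
    print("exception + MASQ, alexa:", trace(alexa, {PIHOLE}, True))
```

A client on a different subnet (routed through XG anyway) is reported as "redirected" without MASQ, which is the case where the thread's poster remembers earlier versions just working.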