DNS Proxy/Cache forward to local host
Hello,
I'm not really satisfied with the current DNS feature set and lack of customization of DNS Proxy/cache so I'm exploring different solutions.
As I would deploy a local DNS server, would it be possible to use the DNS proxy feature to redirect all queries directed to GW to a specific local DNS server?
My target is to avoid having to manually configure or change the DNS server in DHCP; I would like devices to always get the ER8411 as DNS server and let it forward to the upstream (local).
Eventually, would it be possible to NAT masquerade all DNS requests in LANs, redirecting all port 53 to a local host? I was using this setup on pfSense to enforce the use of my custom/local DNS even if CPEs had hardcoded DNS configuration.
Thank you.
Trying to set up a NAT rule to forward all traffic on :53 to a specific local host, but it seems not to be possible with the current Omada configuration.
Please allow setting an internal port/VLAN in the NAT configuration:
Target configuration:
https://psychogun.github.io/docs/opnsense/Redirect-DNS-to-internal-DNS/
Here's the screenshot. The ports available are the only ones set as WAN, not LAN/internal VLANs.
Please note I found a way to let the ER8411 proxy DNS requests internally, even if not officially implemented: DNS Proxy > DNSSEC > Forward to internal IP address > Bogus Replies = Pass.
Hi @Bianco8
You wanna port forward a local DNS server and use it as if it's a public IP, and ultimately achieve the forward to this public IP for all upstream queries from the router?
Is this what you want?
Would love to hear from you with more details.
Hello @Clive_A ,
No, I want to perform internal NAT translation to enforce traffic (in my case TCP/UDP on port 53 or else).
The target is:
- Device performs traffic to DST-IP any, port 53
- GW receives this traffic
- GW performs internal NAT of traffic port 53, by replacing the DST-IP to a chosen one (internal/external).
You can see a similar setup configured on OPNsense here: https[dot]//homenetworkguy[dot]com/how-to/redirect-all-dns-requests-to-local-dns-resolver/ .
In this way, the DNS in LAN/VLAN is enforced.
No device can perform traffic (in this case DNS) to a different/external IP address and this is transparent to the device itself.
At DNS level, the device querying for a DNS lookup will always get the DNS reply and it will get it from the expected source, but actually the GW is performing internal NAT so the query is forwarded to the configured upstream/IP.
With this setup, there is no need for a firewall ACL to block traffic (again, e.g. DNS port 53) to any IP besides the enforced one. There is no breakage, as any client will be able to query any IP but will actually be answered by the configured IP, transparently.
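The translation Bianco8 describes, as an added illustration that is not Omada or OPNsense code: a prerouting DNAT on the gateway rewrites the destination of every LAN-originated port-53 flow to one chosen local resolver, connection tracking rewrites the reply so the client still sees an answer from the IP it asked, and the resolver's own upstream queries are excluded so they do not loop. The VLAN subnets, the interface names `vlan1`..`vlan4` and the resolver address 192.168.1.53 are assumptions; `nft_ruleset()` renders the equivalent nftables rules for a Linux gateway under those same assumptions.

```python
"""Model of the transparent port-53 redirect described in the post above: the
gateway rewrites the destination of every LAN-originated DNS flow to one chosen
local resolver, and the reply is translated back so the client still sees an
answer from the address it asked.  Added illustration, not Omada or OPNsense
code; interface names, subnets and the resolver address are assumptions."""

import ipaddress
from dataclasses import dataclass, replace

# Assumed topology: four routed VLANs on the gateway, resolver in VLAN 1.
RESOLVER = ipaddress.ip_address("192.168.1.53")
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24", "192.168.4.0/24")]
LAN_IFACES = ("vlan1", "vlan2", "vlan3", "vlan4")   # hypothetical interface names


@dataclass(frozen=True)
class Flow:
    proto: str      # "udp" or "tcp"
    src: str
    dst: str
    dport: int


def should_redirect(flow: Flow) -> bool:
    """True when the NAT rule would rewrite this flow's destination."""
    if flow.proto not in ("udp", "tcp") or flow.dport != 53:
        return False                       # DoT (853) and DoH (443) are not matched
    src = ipaddress.ip_address(flow.src)
    if not any(src in net for net in LAN_NETS):
        return False                       # only LAN-originated traffic is enforced
    if src == RESOLVER:
        return False                       # the resolver's own upstream queries must not loop
    if ipaddress.ip_address(flow.dst) == RESOLVER:
        return False                       # already addressed to the enforced server
    return True


def dnat(flow: Flow) -> Flow:
    """Prerouting DNAT: same client, same port, destination swapped for the resolver."""
    return replace(flow, dst=str(RESOLVER)) if should_redirect(flow) else flow


def reply_source_seen_by_client(flow: Flow) -> str:
    """Connection tracking un-DNATs the answer, so the client sees the IP it asked."""
    return flow.dst


def needs_hairpin_snat(flow: Flow) -> bool:
    """If client and resolver share a subnet, the resolver answers the client directly,
    bypassing the gateway and its conntrack entry; the client then gets a reply from
    192.168.1.53 instead of the IP it queried and discards it.  Masquerading the
    redirected flow on its way to the resolver keeps the reply path on the gateway."""
    if not should_redirect(flow):
        return False
    src = ipaddress.ip_address(flow.src)
    return any(src in net and RESOLVER in net for net in LAN_NETS)


def nft_ruleset() -> str:
    """Equivalent nftables rules for a Linux gateway (assumed syntax, nft >= 0.9)."""
    ifaces = ", ".join(f'"{i}"' for i in LAN_IFACES)
    nets = ", ".join(str(n) for n in LAN_NETS)
    resolver_net = next(str(n) for n in LAN_NETS if RESOLVER in n)
    return f"""table ip dns_redirect {{
    chain prerouting {{
        type nat hook prerouting priority dstnat; policy accept;
        iifname {{ {ifaces} }} ip saddr {{ {nets} }} ip saddr != {RESOLVER} \\
            ip daddr != {RESOLVER} meta l4proto {{ tcp, udp }} th dport 53 dnat to {RESOLVER}
    }}
    chain postrouting {{
        type nat hook postrouting priority srcnat; policy accept;
        # hairpin case: client sits in the resolver's own subnet
        ip saddr {resolver_net} ip daddr {RESOLVER} meta l4proto {{ tcp, udp }} th dport 53 masquerade
    }}
}}"""


if __name__ == "__main__":
    for f in (Flow("udp", "192.168.3.20", "8.8.8.8", 53),
              Flow("udp", "192.168.1.20", "8.8.8.8", 53),
              Flow("tcp", "192.168.2.7", "1.1.1.1", 853),
              Flow("udp", "192.168.1.53", "9.9.9.9", 53)):
        print(f, "->", dnat(f), "hairpin SNAT:", needs_hairpin_snat(f))
    print(nft_ruleset())
```

The masquerade in the hairpin case has a cost worth knowing before enabling it: the resolver then sees those queries as coming from the gateway, so per-client logging on the DNS server is lost for clients in the resolver's own VLAN. Clients in the other VLANs are unaffected because their replies already route back through the gateway.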
Hi @Bianco8
Thanks for posting in our business forum.
Bianco8 wrote
Hello @Clive_A ,
No, I want to perform internal NAT translation to enforce traffic (in my case TCP/UDP on port 53 or else).
The target is:
- Device performs traffic to DST-IP any, port 53
- GW receives this traffic
- GW performs internal NAT of traffic port 53, by replacing the DST-IP to a chosen one (internal/external).
You can see a similar setup configured on OPNsense here: https[dot]//homenetworkguy[dot]com/how-to/redirect-all-dns-requests-to-local-dns-resolver/ .
In this way, the DNS in LAN/VLAN is enforced.
No device can perform traffic (in this case DNS) to a different/external IP address and this is transparent to the device itself.
At DNS level, the device querying for a DNS lookup will always get the DNS reply and it will get it from the expected source, but actually the GW is performing internal NAT so the query is forwarded to the configured upstream/IP.
With this setup, there is no need for a firewall ACL to block traffic (again, e.g. DNS port 53) to any IP besides the enforced one. There is no breakage, as any client will be able to query any IP but will actually be answered by the configured IP, transparently.
I reviewed the whole thing, and I don't think we can do it. The simple answer is no.
We are not the OPNsense or any of the open-source platforms where you can have a versatile firewall or NAT rules. But forwarding the query to the local DNS server should be a function we already support as you can specify the DNS server internally in (V)LAN.
In any case, simply put the DNS IP in the most convenient way to do it. I read the article you shared, but you're still gonna repeat the same step afterward when you create new interfaces.
And most importantly, what the guide sets is to force all the DNS resolution to the router itself. It's still gonna leak anyway, because the router queries the domains if it cannot resolve them. An upstream server is needed.
It is a basic config for iptables to forward everything locally to 127.0.0.1, which is the router.
The router still needs an upstream server. Have you verified that it can set a local IP as the upstream and resolve everything correctly?
Hello @Clive_A ,
My point in raising this thread is to forward you a suggestion/improvement for the Omada gateway platform, not a criticism.
Of course, I can set DNS to clients via DHCP or manually set it. The point here is different and partly covered by a workaround:
- Setting DNS on DHCP does not guarantee that devices will stick to it. Devices might use hardcoded IPs.
- If I can choose secure internet upstreams in DNS Proxy, I would expect the ability to specify a plain internal DNS upstream in DNS Proxy (NOT at endpoint/DHCP level). At the moment custom DNS servers can be set only on WAN connections.
- With this setup, I can have the DNS server in VLAN 1 and DNS Proxy forwards all queries from any VLAN with destination ER8411 (in any VLAN) to my DNS.
My current setup, to bypass these limits is:
Devices in VLAN1 Management/VLAN2 Guest/VLAN3 IOT/VLAN4 Operations ---> DNS pointing to GW 192.168.1/2/3/4.1 ---> GW forwards queries via DNS Proxy to DNS Server in VLAN 1.
This is also the standard behavior for DNS Proxy. What I luckily found is that I can set a private IP address (I can set any IP I prefer) in DNS Proxy with DNSSEC (Bogus reply = PASS). I don't think this feature was expected, but with this setup I can let the ER8411 forward DNS (from any VLAN) to a specific plain DNS server (again, in one specific management VLAN).
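A way to check the claim above that DHCP-assigned DNS does not guarantee clients stick to it, as an added example that is not Omada code: the script classifies a constructed gateway flow log and reports which clients query port 53 on something other than the gateway (exactly the flows a port-53 redirect would rewrite) and which use DNS over TLS (853) or HTTPS to a well-known public resolver, which a port-53 rule never sees. The log format, the addresses, the gateway-per-VLAN layout and the list of resolvers treated as DoH endpoints are all constructed for the example.

```python
"""Audit of a constructed gateway flow log: which clients ignore the
DHCP-assigned resolver (the gateway) and query other port-53 destinations, and
which talk DoT/DoH that a port-53 redirect does not touch.  Added example, not
Omada code; log format, addresses and the DoH resolver list are constructed."""

import re
from collections import defaultdict

# Assumed topology: the gateway is the DHCP-advertised resolver in every VLAN,
# the real local DNS server lives in VLAN 1.
GATEWAY_DNS = {"192.168.1.1", "192.168.2.1", "192.168.3.1", "192.168.4.1"}
LOCAL_RESOLVER = "192.168.1.53"
KNOWN_DOH = {"1.1.1.1", "8.8.8.8", "9.9.9.9"}   # assumption: HTTPS to these is treated as DoH

# Constructed sample log, one flow per line.
SAMPLE_LOG = """\
2024-05-01T10:00:01 proto=udp src=192.168.3.20:51512 dst=192.168.3.1:53
2024-05-01T10:00:02 proto=udp src=192.168.3.21:41000 dst=8.8.8.8:53
2024-05-01T10:00:03 proto=tcp src=192.168.2.7:52311 dst=1.1.1.1:853
2024-05-01T10:00:04 proto=tcp src=192.168.2.7:52312 dst=1.1.1.1:443
2024-05-01T10:00:05 proto=udp src=192.168.1.53:5300 dst=9.9.9.9:53
2024-05-01T10:00:06 proto=tcp src=192.168.4.9:60001 dst=93.184.216.34:443
2024-05-01T10:00:07 proto=tcp src=192.168.4.10:60002 dst=8.8.4.4:53
"""

LINE = re.compile(r"proto=(\w+) src=([\d.]+):(\d+) dst=([\d.]+):(\d+)")


def classify(line: str):
    """Return (category, client, destination), or None for flows that are not DNS-related."""
    m = LINE.search(line)
    if not m:
        return None
    proto, src, _sport, dst, dport = m.groups()
    dport = int(dport)
    if dport == 53 and proto in ("udp", "tcp"):
        if dst in GATEWAY_DNS:
            return ("sanctioned", src, dst)
        if src == LOCAL_RESOLVER:
            return ("resolver_upstream", src, dst)   # the local server's own forwarding
        return ("hardcoded_plain", src, dst)         # a port-53 redirect would rewrite this
    if dport == 853 and proto == "tcp":
        return ("dot_bypass", src, dst)              # DNS over TLS: not matched by a :53 rule
    if dport == 443 and proto == "tcp" and dst in KNOWN_DOH:
        return ("doh_suspect", src, dst)             # likely DNS over HTTPS
    return None


def audit(log: str) -> dict:
    """Map each non-sanctioned category to the sorted list of clients seen in it."""
    report = defaultdict(set)
    for line in log.splitlines():
        result = classify(line)
        if result and result[0] not in ("sanctioned", "resolver_upstream"):
            report[result[0]].add(result[1])
    return {category: sorted(clients) for category, clients in report.items()}


if __name__ == "__main__":
    for category, clients in audit(SAMPLE_LOG).items():
        print(f"{category}: {', '.join(clients)}")
```

Run against the gateway's own flow export, the `hardcoded_plain` list is the set of devices the NAT redirect (or, as a fallback, the DNS Proxy workaround plus an ACL) actually changes behaviour for; the `dot_bypass` and `doh_suspect` lists are the devices neither approach covers, which is why the redirect is a convenience for well-behaved clients rather than a complete enforcement mechanism.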