{"id":146,"date":"2021-10-23T21:14:45","date_gmt":"2021-10-23T19:14:45","guid":{"rendered":"http:\/\/cln.io\/blog\/?p=146"},"modified":"2022-12-01T01:04:32","modified_gmt":"2022-11-30T23:04:32","slug":"forcing-dns-requests-over-internal-dns-server-with-a-firewall","status":"publish","type":"post","link":"https:\/\/cln.io\/blog\/forcing-dns-requests-over-internal-dns-server-with-a-firewall\/","title":{"rendered":"Forcing DNS requests over AdGuard \/ Pi-hole with an Ubiquiti EdgeRouter firewall"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">With NAT Masquerades and DNAT rules.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">On this page<\/p>\n\n\n\n<nav aria-label=\"Table of Contents\" class=\"wp-block-table-of-contents\"><ol><li><a class=\"wp-block-table-of-contents__entry\" href=\"https:\/\/cln.io\/blog\/forcing-dns-requests-over-internal-dns-server-with-a-firewall\/#my-setup\">My setup<\/a><\/li><li><a class=\"wp-block-table-of-contents__entry\" href=\"https:\/\/cln.io\/blog\/forcing-dns-requests-over-internal-dns-server-with-a-firewall\/#what-we-are-trying-to-do\">What we are trying to do<\/a><\/li><li><a class=\"wp-block-table-of-contents__entry\" href=\"https:\/\/cln.io\/blog\/forcing-dns-requests-over-internal-dns-server-with-a-firewall\/#demo-trying-to-bypass-our-dns-server-with-and-without-firewall-rule\">DEMO: Trying to bypass our DNS server with and without firewall rule<\/a><\/li><li><a class=\"wp-block-table-of-contents__entry\" href=\"https:\/\/cln.io\/blog\/forcing-dns-requests-over-internal-dns-server-with-a-firewall\/#setting-up-the-firewall-rule-s\">Setting up the firewall rule(s)<\/a><ol><li><a class=\"wp-block-table-of-contents__entry\" href=\"https:\/\/cln.io\/blog\/forcing-dns-requests-over-internal-dns-server-with-a-firewall\/#source-nat-rule\">Source NAT rule<\/a><\/li><li><a class=\"wp-block-table-of-contents__entry\" 
href=\"https:\/\/cln.io\/blog\/forcing-dns-requests-over-internal-dns-server-with-a-firewall\/#destination-nat-rule\">Destination NAT rule<\/a><\/li><\/ol><\/li><\/ol><\/nav>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"my-setup\">My setup<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>I have an EdgeRouter 4 sitting on 192.168.1.1<\/li>\n\n\n\n<li>I have an AdGuard instance on 192.168.1.4<\/li>\n\n\n\n<li>DHCP is done by the EdgeRouter<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"what-we-are-trying-to-do\">What we are trying to do<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Some devices use hardcoded\/forced DNS servers, so they do not follow the DNS information handed out by DHCP, be that a Google-related app or a stubborn IoT device.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">By using some clever firewall rules we can force the DNS traffic of every device that is not our DNS server (AdGuard \/ Pi-hole) to be &#8220;redirected&#8221; to our internal DNS server(s).<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"demo-trying-to-bypass-our-dns-server-with-and-without-firewall-rule\">DEMO: Trying to bypass our DNS server with and without firewall rule<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">To show the effect of our firewall rule, we do a dig before the rule is active.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">dig doubleclick.net @1.1.1.1\n\n;; ANSWER SECTION:\ndoubleclick.net.        
209     IN      A       142.251.36.46<\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"834\" height=\"489\" src=\"https:\/\/cln.io\/blog\/wp-content\/uploads\/2021\/10\/dig_bypassing_dns_server.png\" alt=\"\" class=\"wp-image-155\" srcset=\"https:\/\/cln.io\/blog\/wp-content\/uploads\/2021\/10\/dig_bypassing_dns_server.png 834w, https:\/\/cln.io\/blog\/wp-content\/uploads\/2021\/10\/dig_bypassing_dns_server-300x176.png 300w, https:\/\/cln.io\/blog\/wp-content\/uploads\/2021\/10\/dig_bypassing_dns_server-768x450.png 768w\" sizes=\"auto, (max-width: 834px) 100vw, 834px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">We see that by manually defining our DNS server (@1.1.1.1) we can bypass our DNS server<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">If we enable our firewall rule, this request will now be re-routed, forced over our internal DNS<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">dig doubleclick.net @1.1.1.1\n\n;; ANSWER SECTION:\ndoubleclick.net.        
10      IN      A       0.0.0.0<\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"834\" height=\"489\" src=\"https:\/\/cln.io\/blog\/wp-content\/uploads\/2021\/10\/dig_forced_over_dns_server_annotated.png\" alt=\"\" class=\"wp-image-159\" srcset=\"https:\/\/cln.io\/blog\/wp-content\/uploads\/2021\/10\/dig_forced_over_dns_server_annotated.png 834w, https:\/\/cln.io\/blog\/wp-content\/uploads\/2021\/10\/dig_forced_over_dns_server_annotated-300x176.png 300w, https:\/\/cln.io\/blog\/wp-content\/uploads\/2021\/10\/dig_forced_over_dns_server_annotated-768x450.png 768w\" sizes=\"auto, (max-width: 834px) 100vw, 834px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"setting-up-the-firewall-rule-s\">Setting up the firewall rule(s)<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>We need a DNS masquerade rule (Source NAT)<\/li>\n\n\n\n<li>We need a DNAT rule (Destination NAT)<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Log in on the UBNT device, go to &#8220;Firewall\/NAT&#8221; &gt; &#8220;NAT&#8221; tab on top<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"789\" height=\"224\" src=\"https:\/\/cln.io\/blog\/wp-content\/uploads\/2021\/10\/firefox_PWkVJrUMmQ.png\" alt=\"\" class=\"wp-image-162\" srcset=\"https:\/\/cln.io\/blog\/wp-content\/uploads\/2021\/10\/firefox_PWkVJrUMmQ.png 789w, https:\/\/cln.io\/blog\/wp-content\/uploads\/2021\/10\/firefox_PWkVJrUMmQ-300x85.png 300w, https:\/\/cln.io\/blog\/wp-content\/uploads\/2021\/10\/firefox_PWkVJrUMmQ-768x218.png 768w\" sizes=\"auto, (max-width: 789px) 100vw, 789px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"source-nat-rule\">Source NAT rule<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The outbound interface must be your internal interface.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">eth0 is my WAN<br>eth1 is my LAN<br>The Src Address is everything but my DNS server itself.<br>If you 
have multiple DNS servers, you can exclude them all with a negated range such as !192.168.1.4-192.168.1.5<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"486\" height=\"718\" src=\"https:\/\/cln.io\/blog\/wp-content\/uploads\/2021\/10\/snat_rule.png\" alt=\"\" class=\"wp-image-163\" srcset=\"https:\/\/cln.io\/blog\/wp-content\/uploads\/2021\/10\/snat_rule.png 486w, https:\/\/cln.io\/blog\/wp-content\/uploads\/2021\/10\/snat_rule-203x300.png 203w\" sizes=\"auto, (max-width: 486px) 100vw, 486px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"destination-nat-rule\">Destination NAT rule<\/h3>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"486\" height=\"741\" src=\"https:\/\/cln.io\/blog\/wp-content\/uploads\/2021\/11\/dnat_rule.png\" alt=\"\" class=\"wp-image-206\" srcset=\"https:\/\/cln.io\/blog\/wp-content\/uploads\/2021\/11\/dnat_rule.png 486w, https:\/\/cln.io\/blog\/wp-content\/uploads\/2021\/11\/dnat_rule-197x300.png 197w\" sizes=\"auto, (max-width: 486px) 100vw, 486px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Disable logging after testing, to prevent the firewall log from filling up and wasting read\/write cycles on the device storage.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">While logging is enabled, you can drill down in the log to find which device is not using your DNS server, or check the rule counters instead.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">That&#8217;s it!<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"747\" height=\"1024\" src=\"https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/12\/harmen-jelle-van-mourik-oSvK_3jlXGs-unsplash-747x1024.jpg\" alt=\"\" class=\"wp-image-1208\" srcset=\"https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/12\/harmen-jelle-van-mourik-oSvK_3jlXGs-unsplash-747x1024.jpg 747w, 
https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/12\/harmen-jelle-van-mourik-oSvK_3jlXGs-unsplash-219x300.jpg 219w, https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/12\/harmen-jelle-van-mourik-oSvK_3jlXGs-unsplash-768x1052.jpg 768w, https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/12\/harmen-jelle-van-mourik-oSvK_3jlXGs-unsplash-1121x1536.jpg 1121w, https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/12\/harmen-jelle-van-mourik-oSvK_3jlXGs-unsplash-1495x2048.jpg 1495w, https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/12\/harmen-jelle-van-mourik-oSvK_3jlXGs-unsplash-scaled.jpg 1868w\" sizes=\"auto, (max-width: 747px) 100vw, 747px\" \/><figcaption class=\"wp-element-caption\">Photo by <a href=\"https:\/\/unsplash.com\/@jelleharmen?utm_source=unsplash&amp;utm_medium=referral&amp;utm_content=creditCopyText\" target=\"_blank\" rel=\"noreferrer noopener\">Harmen Jelle van Mourik<\/a> on <a href=\"https:\/\/unsplash.com\/s\/photos\/border?utm_source=unsplash&amp;utm_medium=referral&amp;utm_content=creditCopyText\" target=\"_blank\" rel=\"noreferrer noopener\">Unsplash<\/a>   <\/figcaption><\/figure>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>With NAT Masquerades and DNAT rules. 
On this page My setup What we are trying to do Some devices use hardcoded\/forced DNS servers, so they do not follow the DHCP DNS information.be that a google [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":202,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26,27],"tags":[],"class_list":["post-146","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-it","category-privacy"],"_links":{"self":[{"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/posts\/146","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/comments?post=146"}],"version-history":[{"count":9,"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/posts\/146\/revisions"}],"predecessor-version":[{"id":1209,"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/posts\/146\/revisions\/1209"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/media\/202"}],"wp:attachment":[{"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/media?parent=146"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/categories?post=146"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/tags?post=146"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}