Blocked that hard-coded Google DNS garbage.
I have a firewall rule to dst-nat any outgoing DNS requests not coming from Pi-hole back to the Pi-hole server. That way all devices on the LAN are forced to use Pi-hole for DNS and can’t bypass it. I don’t have an OPNsense firewall but I would think it should be able to do that as well.
I suspect DoT and DoH still go through, though? I mean you can always block the port 853 for DoT, but DoH is another story.
That’s correct. I block DoT in my firewall and block known DoH domains in Pi-hole. I’m sure stuff slips through occasionally but the vast majority of my DNS requests are handled by Pi-hole.
Traditional DNS over UDP/53 is insecure but I’m using ProtonVPN’s DNS server over VPN externally so I’m not worried about that.
I see. I may try to do something similar but towards Unbound on my OPNsense router, if that’s possible.
I’ve blocked outgoing port 53 UDP/TCP for all subnets except the Pi-hole. If I can’t trust a device to use the DNS I configured I can’t trust it to go on the internet, and it goes on my list of devices to replace.
+1 for dst-nat on Google’s DNS servers back to my Pi-holes
Hey man, can you share some resources that you followed to configure OPNsense as a VM? I am in the same situation: bought a firewall that I want to use as a hypervisor, but haven’t configured OPNsense yet, and would love to educate myself more on the matter.
I set up a NAT rule that redirects anything going to the Google DNS IPs and sends it to my own DNS server.
I did that for anything on port 53.
I can’t recall if I limited it to Google’s IPs or not actually. Just that I wanted to prevent their devices from ignoring the DHCP-provided hosts.
TIL that DNS uses UDP instead of TCP.
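The dst-nat setup described in the comments above (redirect every LAN port-53 query to the Pi-hole, drop DoT on 853, leave the Pi-hole's own upstream queries alone) written out as an nftables ruleset. This is an added example, not a configuration anyone posted in the thread; the interface name lan0, the subnet 192.168.1.0/24 and the Pi-hole address 192.168.1.2 are assumed placeholders. The hairpin masquerade rule is the part that is easy to forget when the Pi-hole sits on the same LAN as the clients (it is roughly what OPNsense's NAT reflection option does for a port forward).

```shell
#!/bin/sh
# Added example: generate (and optionally load) an nftables ruleset that forces
# LAN clients through a Pi-hole. Not from the thread; all values are assumed.
LAN_IF="${LAN_IF:-lan0}"                # assumed LAN interface name
LAN_NET="${LAN_NET:-192.168.1.0/24}"    # assumed LAN subnet
PIHOLE="${PIHOLE:-192.168.1.2}"         # assumed Pi-hole address

# Print the ruleset to stdout so it can be reviewed before it is loaded.
dns_guard_ruleset() {
    cat <<EOF
table ip dns_guard {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Any plain DNS from the LAN that is not already headed for the Pi-hole
        # (and was not sent by the Pi-hole itself) is rewritten to the Pi-hole.
        iifname "$LAN_IF" ip saddr != $PIHOLE ip daddr != $PIHOLE udp dport 53 counter dnat to $PIHOLE
        iifname "$LAN_IF" ip saddr != $PIHOLE ip daddr != $PIHOLE tcp dport 53 counter dnat to $PIHOLE
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Hairpin: a redirected query leaves on the same LAN interface it came
        # in on. Without masquerade the Pi-hole would answer the client directly
        # from 192.168.1.2 while the client waits for a reply from 8.8.8.8 and
        # drops it. Only connections that were actually DNATed are rewritten, so
        # clients that queried the Pi-hole directly keep their real IP in its logs.
        oifname "$LAN_IF" ip saddr $LAN_NET ct status dnat ip daddr $PIHOLE counter masquerade
    }
    chain forward {
        type filter hook forward priority filter; policy accept;
        # DoT has its own port, so it can simply be logged and dropped.
        iifname "$LAN_IF" tcp dport 853 counter log prefix "dns_guard DoT blocked: " drop
    }
}
EOF
}

# Syntax-check the ruleset with nft without loading it (needs nft installed).
dns_guard_check() {
    dns_guard_ruleset | nft -c -f -
}

# Load the ruleset atomically (needs root).
dns_guard_apply() {
    dns_guard_ruleset | nft -f -
}

# Usage: DNS_GUARD_ACTION=print|check|apply ./dns_guard.sh
case "${DNS_GUARD_ACTION:-print}" in
    apply) dns_guard_apply ;;
    check) dns_guard_check ;;
    *)     dns_guard_ruleset ;;
esac
```

The `log prefix "dns_guard DoT blocked: "` line is what makes the rule useful beyond just blocking: a device that keeps hitting it is one that ignores the DHCP-provided resolver, which is exactly the list of devices to replace that the thread talks about. DoH cannot be caught by port alone and still needs the domain-level blocklist in Pi-hole.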
https://www.geeksforgeeks.org/why-does-dns-use-udp-and-not-tcp/
One more source of confusion: if DNSSEC is enabled it actually switches to TCP, since DNSSEC requires messages that are much bigger than what UDP can transfer.