Solved pf NAT with local DNS server

JohnnySorocil

Member

Reaction score: 11
Messages: 74

Is it possible to have NAT but to use local DNS server (unbound) on one host?

I have a FreeBSD router which is connected to the Internet. Clients connect to that router via another WLAN interface. That works fine.
But I am trying to use the unbound daemon running on that router to do some basic filtering. That works fine but only from that router. WLAN clients can't use that DNS server.

Best I can do is to redirect DNS to another external DNS in pf.conf:
Code:
rdr log on $int_if inet proto {tcp, udp} from any to any port domain -> 1.1.1.1


If I try to redirect it to 127.0.0.1 or 192.168.11.1 (address of the router; unbound listens on that address and on 127.0.0.1) and issue "ping www.opendns.org":
Code:
pf.conf:
rdr pass log on $int_if proto {tcp, udp} from any to any port domain -> 127.0.0.1
rdr pass log on $int_if proto {tcp, udp} from any to any port domain -> 192.168.11.1

pflog:
00:00:12.880126 rule 1/0(match): rdr in on wlan0: 192.168.11.2.64436 > 127.0.0.1.53: 47724+ A? www.opendns.org. (33)

unbound.log:
- nothing
Is that possible with pf?
Redirections cannot reflect packets back through the interface they arrive on, they can only be redirected to hosts connected to different interfaces or to the firewall itself.
PF can not redirect traffic that originates from the host itself because the routing decision for the traffic has been already made by the time it gets to the filter. It's a FreeBSD specific limitation that does not exist on OpenBSD's PF for example.
Can I use an alias on the interface and then redirect? Something else?
 

VladiBG

Aspiring Daemon

Reaction score: 313
Messages: 747

Instead of redirecting, it's better to use DHCP to give the clients the DNS settings that you want and deny all other DNS servers for the LAN. This will force all clients to use only your DNS service unless they are making some VPN to outside.
 

mickey

Aspiring Daemon

Reaction score: 146
Messages: 516

I believe your problem is not with pf but rather with unbound only listening on the local loopback interface, thus providing its service to the local machine only.
Section 29.7.2 DNS Server Configuration of the FreeBSD handbook states:
Unbound is provided in the FreeBSD base system. By default, it will provide DNS resolution to the local machine only. While the base system package can be configured to provide resolution services beyond the local machine, it is recommended that such requirements be addressed by installing Unbound from the FreeBSD Ports Collection.
In order to provide DNS services to your network you would need to configure unbound to also listen on your LAN/WLAN interfaces. Your pf needs to pass DNS traffic destined to your LAN/WLAN interfaces, and if you want to enforce use of your on-site DNS server it should block any DNS traffic originating from your LAN/WLAN and destined to any other address than your DNS server. And as VladiBG already pointed out, your clients should be configured to use your on-site DNS server by means of DHCP.
 

JohnnySorocil

Member

Reaction score: 11
Messages: 74

Thanks for the replies!
The problem was in my configuration of unbound, I missed the part allowing clients to make queries to my DNS:
Code:
access-control: 192.168.1.0/24 allow
After adding that part and restarting DNS server, it is working as intended :)
 
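As an added example, not code from this thread or from the unbound or pf projects, here is a small Python checker that models the two conditions mickey describes and the access-control line the OP was missing: whether unbound actually listens on the address the WLAN clients reach it at, and whether its access-control list admits the client. It reproduces two points of unbound's documented behaviour that explain the "unbound.log: nothing" symptom: with no access-control lines only loopback is allowed and everything else is refused, and when several entries match, the most specific (longest prefix) one wins. The configuration snippets are constructed samples using the thread's 192.168.11.0/24 addressing; the parser only understands the interface and access-control directives.

```python
"""Model unbound's listen addresses and access-control decision for a LAN client."""
import ipaddress

# Unbound's built-in defaults: loopback is allowed, every other source is refused.
DEFAULT_ACL = [
    (ipaddress.ip_network("127.0.0.0/8"), "allow"),
    (ipaddress.ip_network("::1/128"), "allow"),
]
# With no "interface:" line unbound listens on localhost only.
DEFAULT_INTERFACES = ["127.0.0.1", "::1"]
WILDCARDS = {"0.0.0.0", "::", "::0"}


def parse_server_section(text):
    """Return (interfaces, acl) from the interface: and access-control: lines."""
    interfaces, acl = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or line.endswith(":"):            # blank line or clause header ("server:")
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "interface":
            interfaces.append(value.split("@", 1)[0])  # "addr@port" form carries a port
        elif key == "access-control":
            net, action = value.split()
            acl.append((ipaddress.ip_network(net, strict=False), action))
    return interfaces, acl


def acl_action(acl, client_addr):
    """Apply unbound's rule: the most specific matching network decides."""
    client = ipaddress.ip_address(client_addr)
    best = None
    for net, action in DEFAULT_ACL + acl:
        if client in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, action)
    return best[1] if best else "refuse"


def would_serve(conf_text, listen_addr, client_addr):
    """Explain whether a query from client_addr to listen_addr would be answered."""
    interfaces, acl = parse_server_section(conf_text)
    interfaces = interfaces or DEFAULT_INTERFACES
    if listen_addr not in interfaces and not WILDCARDS & set(interfaces):
        return "not listening on " + listen_addr
    return acl_action(acl, client_addr)


# Constructed sample configurations (not the OP's actual files).
ROUTER_NO_ACL = """
server:
    interface: 127.0.0.1
    interface: 192.168.11.1
    # no access-control line for the WLAN subnet
"""
ROUTER_FIXED = ROUTER_NO_ACL + "    access-control: 192.168.11.0/24 allow\n"
ROUTER_WITH_EXCEPTION = ROUTER_FIXED + "    access-control: 192.168.11.200/32 refuse\n"
LOOPBACK_ONLY = "server:\n    interface: 127.0.0.1\n"

if __name__ == "__main__":
    for name, conf in [("loopback only", LOOPBACK_ONLY), ("listens, no ACL", ROUTER_NO_ACL),
                       ("ACL added", ROUTER_FIXED), ("ACL with host exception", ROUTER_WITH_EXCEPTION)]:
        for client in ("192.168.11.2", "192.168.11.200"):
            print(f"{name:24s} client {client:15s} -> {would_serve(conf, '192.168.11.1', client)}")
```

Running it shows the progression from the thread: a loopback-only server is not reachable at all, a server that listens on 192.168.11.1 but has no access-control line still refuses the WLAN clients (which matches the empty unbound log the OP saw), and the subnet allow entry fixes it while a more specific /32 refuse entry can still carve out one host. The pf side mickey mentions (passing port 53 to the router and blocking DNS to anywhere else) is not modelled here.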