Hey all, recent convert from pfSense. I'm trying to make sure only the DNS servers I've defined are being used for lookups. I'm using Unbound and noticing a lot of traffic on port 53 to destinations other than the ones I've put in.
Each network is different. I did this for my network which has multiple subnets and internal DNS servers sitting on the “server” subnet. The “server” subnet is excluded, since devices in there are more tightly controlled (and it would create a routing loop).
Granted, it may not be the best way, but here is how I did it:
Since NAT port forward rules are processed before interface/network rules, any device using port 53 for DNS (regardless of the IP address it has set) will automatically (and transparently) get redirected to my PiHole servers. The drops are in place so devices that try to use other common DNS methods are blocked. Generally, those devices will then default to the DHCP DNS servers.
I have been running this config for a few years and have found a few downsides:
Hope this helps! And remember to be careful when messing with DNS and clear those caches when testing.
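An added example, not from either poster, for checking whether the redirect-and-drop setup above is actually doing its job: it takes outbound flow records (here a constructed list; every address, subnet and hostname is hypothetical) and reports which LAN clients sent plain DNS to something other than the configured PiHoles, tried DNS-over-TLS on 853, or opened a connection to a known public DNS-over-HTTPS endpoint on 443. The firewall's own addresses are excluded because an Unbound instance running as a recursive resolver (rather than as a forwarder) legitimately sends port-53 queries to root, TLD and authoritative servers, which is one common reason for "port 53 traffic to destinations I never configured"; the server subnet is excluded to mirror the setup described above.

```python
"""Flag LAN clients whose DNS traffic bypasses the configured resolvers.

Added example, not from the forum thread. Input is a list of outbound
flow records (src, dst, proto, dport) of the kind you would export from
firewall logs or NetFlow; the sample below is constructed inline.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str  # "udp" or "tcp"
    dport: int


# Hypothetical network layout, not the poster's real addresses.
PIHOLES = {ip_address("192.168.10.53"), ip_address("192.168.10.54")}
# Firewall interface addresses. Unbound runs here; when it recurses it
# legitimately talks to many port-53 destinations, so it is not a "bypass".
FIREWALL = {ip_address("192.168.1.1"), ip_address("192.168.10.1"), ip_address("192.168.20.1")}
# "Server" subnet excluded from enforcement, as in the setup above.
SERVER_SUBNET = ip_network("192.168.10.0/24")
# Public resolvers that also serve DoH on 443. Partial list; DoH is only
# distinguishable from ordinary HTTPS by destination, so this is a heuristic.
KNOWN_DOH = {
    ip_address("1.1.1.1"), ip_address("1.0.0.1"),   # Cloudflare
    ip_address("8.8.8.8"), ip_address("8.8.4.4"),   # Google
    ip_address("9.9.9.9"),                          # Quad9
}


def classify(flow: Flow) -> str | None:
    """Return a finding label for a flow that bypasses the PiHoles, else None."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if src in SERVER_SUBNET or src in FIREWALL:
        return None  # exempt: server subnet and the recursive resolver itself
    if flow.dport == 53:
        # Plain DNS anywhere but the PiHoles: exactly what the rdr rule catches.
        return None if dst in PIHOLES else "plain-dns-bypass"
    if flow.dport == 853 and flow.proto == "tcp":
        return "dot-attempt"  # DNS-over-TLS, what the drop rule is for
    if flow.dport == 443 and flow.proto == "tcp" and dst in KNOWN_DOH:
        return "doh-suspect"  # cannot be redirected; can only be blocked by destination
    return None


def find_bypass(flows: list[Flow]) -> dict[str, list[tuple[str, str]]]:
    """Group findings by client so each offender is listed once with its targets."""
    findings: dict[str, set[tuple[str, str]]] = defaultdict(set)
    for f in flows:
        verdict = classify(f)
        if verdict is not None:
            findings[f.src].add((verdict, f.dst))
    return {src: sorted(v) for src, v in findings.items()}


# Constructed sample flows (TEST-NET-3 and well-known resolver addresses).
SAMPLE_FLOWS = [
    Flow("192.168.20.15", "192.168.10.53", "udp", 53),  # LAN client -> PiHole: fine
    Flow("192.168.20.15", "203.0.113.10", "tcp", 443),  # ordinary HTTPS: fine
    Flow("192.168.20.22", "8.8.8.8", "udp", 53),        # hard-coded Google DNS
    Flow("192.168.20.22", "8.8.8.8", "tcp", 853),       # DoT attempt
    Flow("192.168.20.30", "1.1.1.1", "tcp", 443),       # DoH suspect
    Flow("192.168.1.1", "199.7.83.42", "udp", 53),      # Unbound recursing to a root server: expected
    Flow("192.168.10.53", "9.9.9.9", "udp", 53),        # PiHole upstream, server subnet: exempt
]


if __name__ == "__main__":
    for client, hits in find_bypass(SAMPLE_FLOWS).items():
        for label, target in hits:
            print(f"{client}: {label} -> {target}")
```

Run it against a flow export taken before and after enabling the NAT redirect and the 853 drops; clients that still show up under "plain-dns-bypass" mean the redirect is not matching them (wrong interface, the exempt list is too broad, or the rule order is not what you think). "doh-suspect" hits are the residual that no port-53 redirect can fix and have to be handled by destination, which is why the list above is necessarily incomplete.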