Destination NAT with DNS Rewrite

jbhardman · February 15, 2023, 4:43pm

Does Vyos have the ability to do destination nat, and rewrite the response source?

Example: Configure Destination NAT with DNS Rewrite

I have Roku’s that insist on pinging Google DNS. Without it, they say they are offline, even if they are not.

So, I wrote a DNAT rule to redirect their Google DNS traffic to my internal pihole. That seems to be working, as I see it in the log matching the rule:

# show nat destination rule 8888
description "Redirecting Google DNS Traffic"
destination {
address 8.8.8.8
port 53
}
inbound-interface any
log
protocol udp
source {
address 10.0.0.200
}
translation {
address 10.88.0.2
port 53
}

However, the Roku continues to try over and over. Something it does not do when I just let it go out to Google naturally. So I think that it’s not getting the answer it’s looking for.

I’m wondering, if it’s because of what I linked above. Do I need to rewrite the response packet that is coming from my internal pihole (10.88.0.2), and make it look like it came from Google (8.8.8.8)?

But I can’t come up with the S-NAT rule. Where I’m stuck is, I only want the response to be altered if the original request was to 8.8.8.8. But at the time of response (inside S-NAT), I don’t think I can know that. So, it ends up rewriting all packets to come from 8.8.8.8, which is not what I want. Only packets that were sent there in the first place.

Thank you!

jbhardman · February 15, 2023, 8:49pm

@16again , I see you posted about this on a recent thread here: DNS Internal NAT - #7 by RyVolodya

Do you know how I can source translate only packets that were destination translated to begin with?

Korikaze · February 15, 2023, 9:04pm

You probably need a source NAT rule for the response from your DNS server.

Y-ASK · February 15, 2023, 11:33pm

So trying to follow some of the issues going on here, from a previous post you have a rule set to have all DNS traffic sent to your pi-hole and that the Roku’s DNS traffic is sent there as well. Because it’s the pi-hole address that gets put into the reply to Roku, the device doesn’t accept it as coming from Google. If that is the case then why not write a rule (that gets hit before the DNS forwarding rule) that takes all Roku DNS traffic and forwards it directly to Google.

Y-ASK

16again · February 18, 2023, 11:12pm

On the LAN, you need a masquerade (sNAT rule)
If you only want to have it kick in for redirected DNS request, filter on sourceIP=LAN subnet , destinationIP=Pihole , destPort=53.

btw: Only initial packet sent through the firewall will create a conntrack entry. Subsequent packets don’t use NAT rules but existing conntrack entry.
So if something on your LAN opens a website, the masquerade rule on LAN interface will never kick in.