Been puzzled by an issue where I want all outbound DNS requests from my LAN to be redirected to my local DNS servers.
DNS Server A: (192.168.1.250)
Host A: (192.168.1.1)
Requests DNS for a.example.com from server 1.1.1.1
Vyos
For all DNS requests not originating from DNS Server A redirect to DNS Server A
I have been trying to get a DNAT working on this and I can see via tcpdump that the packet is hitting the DNS server, but the address doesn't seem to be translated.
tcpdump on DNS Server A
11:21:20.073500 IP (tos 0x0, ttl 64, id 32060, offset 0, flags [none], proto UDP (17), length 66)
192.168.1.1.49206 > 1.1.1.1.53: [udp sum ok] 40640+ A? a.example.com. (38)
tcpdump on VyOS [15x.18x.12x.15x is the public IP]
11:21:20.073606 IP (tos 0x0, ttl 63, id 32060, offset 0, flags [none], proto UDP (17), length 66)
15x.18x.12x.15x.49206 > 192.168.1.1.53: [udp sum ok] 40640+ A? a.example.com. (38)
DNAT Rule: [fw-grp-adr-grp-dns-internal is 192.168.1.250]
vyos@vyos# show destination rule 20
 destination {
     port domain
 }
 inbound-interface eth1
 log
 protocol tcp_udp
 source {
     group {
         address-group !fw-grp-adr-grp-dns-internal
     }
 }
 translation {
     address 192.168.1.250
     options {
     }
     port domain
 }
Hello @phasma,
Sorry for the wait.
For example, the working configuration from the network laboratory:
set firewall group address-group DNS address '172.16.0.250'
set firewall group address-group DNS address '172.16.0.251'
set interfaces ethernet eth0 address 'dhcp'
set interfaces ethernet eth1 address '172.16.0.1/24'
set nat destination rule 100 destination port 'domain'
set nat destination rule 100 inbound-interface 'eth1'
set nat destination rule 100 log
set nat destination rule 100 protocol 'tcp_udp'
set nat destination rule 100 source group address-group '!DNS'
set nat destination rule 100 translation address '172.16.0.250'
set nat destination rule 100 translation port 'domain'
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 translation address 'masquerade'
All internal requests to port 53 are translated to IP 172.16.0.250.
Firewall is not used!
As the client doing the DNS request and the internal server are on the same LAN, you need to add an SNAT rule for this traffic.
Without it, the internal server replies directly, and the DNS request isn't translated back. So the client sends a request to 1.1.1.1 and gets a reply back from 192.168.1.1, which will be ignored.
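The hairpin SNAT rule the reply above refers to, as an added example that is not part of any post in this thread. It is written against the lab addressing from the earlier reply (eth1 is the LAN at 172.16.0.1/24, the DNS server is 172.16.0.250, and DNAT rule 100 already redirects non-DNS sources on eth1 to 172.16.0.250:53); the rule number 110 is an arbitrary choice. DNAT runs in prerouting and source NAT in postrouting, so by the time this rule is evaluated the packet's destination is already the DNS server. Matching on that rewritten destination keeps the masquerade confined to redirected DNS traffic rather than hiding the real client address behind the router for all LAN-to-LAN traffic, which would also make the DNS server's query logs useless for tracing which host asked what.

```vyos
# Added example, not from the thread. Assumes the lab layout from the
# earlier reply: eth1 = LAN 172.16.0.1/24, DNS server 172.16.0.250,
# and DNAT rule 100 already redirecting !DNS sources on eth1 to
# 172.16.0.250 port 53. Rule number 110 is arbitrary.

# Hairpin SNAT: only for packets that DNAT already pointed at the DNS
# server and that leave back out the same LAN interface. The source
# becomes the router's eth1 address, so the server's reply returns via
# the router, where conntrack rewrites the source back to 1.1.1.1
# before the client sees it.
set nat source rule 110 outbound-interface 'eth1'
set nat source rule 110 protocol 'tcp_udp'
set nat source rule 110 source address '172.16.0.0/24'
set nat source rule 110 destination address '172.16.0.250'
set nat source rule 110 destination port '53'
set nat source rule 110 translation address 'masquerade'
commit
save
```

After committing, a query from a LAN client to 1.1.1.1 should increment the counters shown by `show nat destination statistics` (rule 100) and `show nat source statistics` (rule 110), and `show conntrack table ipv4` should list the flow with its original destination 1.1.1.1 and the translated reply direction. Two caveats: the `!DNS` source exclusion in the DNAT rule is what lets the DNS server itself reach its upstream forwarders, so do not drop it; and this only captures plaintext DNS on port 53, so clients configured for DNS over TLS (853) or DNS over HTTPS (443) are not redirected by these rules.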
I did manage to fix this, although I encountered a weird bug on 1.4 where it was NATing to a destination that wasn't even defined. The behaviour broke all understanding of how DNAT/SNAT works, so I reverted to 1.3.2 and the issue is sorted. Thanks for your reply.
If possible, can you please boot once again using the 1.4 image and provide the configuration rules for 1.4 that did not work as expected?
If there's an error, it's better to share it so it gets fixed!
show config commands | grep net
sudo nft list table ip vyos_nat
If using firewall configuration, which may also need verification:
show config commands | grep firewall
sudo nft list table ip vyos_filter