Hello all,
I am trying to force all DNS requests to go to my own Adguard Home container running on 192.168.1.20 on port 53.
I know it is at least partially working because I blocked apple.com as a test, and when I ran `nslookup apple.com 1.1.1.1` I got 0.0.0.0, so I know that's AGH replying.
If I disable the NAT rule I simply get:

```text
C:\Windows\system32>nslookup apple.com 1.1.1.1
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 1.1.1.1
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to UnKnown timed-out
```
Also, when the NAT rule is enabled, the request is logged against the router address, i.e. 192.168.1.1, instead of my own, which is 192.168.1.50.

```text
config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Redirect-lan-DNS'
	option src 'lan'
	option src_dport '53'
	option dest_ip '192.168.1.20'
	option dest_port '53'
	option src_ip '!192.168.1.20'
	option family 'ipv4'

config nat
	option name 'Prevents hardcoded DNS clients'
	list proto 'tcp'
	list proto 'udp'
	option src '*'
	option dest_ip '192.168.1.20'
	option dest_port '53'
	option target 'MASQUERADE'

config rule
	option name 'Deny_DoT_853'
	option src '*'
	option dest_port '853'
	option target 'DROP'
	list src_ip '!192.168.1.20'
	option dest 'wan'

config rule
	option name 'Deny_ipv6_DNS_53'
	option family 'ipv6'
	option src '*'
	option dest_port '53'
	option target 'DROP'
```
Could someone please help with the following:
- Are these rules all I need to effectively force all DNS requests to my AGH?
- Why does it not work when I disable the NAT rule?
- Why does it show the router address instead of my address in the logs when the NAT rule is enabled? Is this something that can be corrected?
- Is there a way/tool for me to sort of debug the FW rules or work out the traffic route through the FW?
Thank you in advance
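The post's second and third questions both come down to what happens to the reply packet after the DNAT, so here is an added model of that flow (not code from the post or from OpenWrt) using the addresses given above; it assumes AGH sits on the LAN as a normal host, that the client's resolver only accepts an answer from the address and port it sent to, and that the router reverses both NATs from its connection-tracking entry when the reply comes back through it.

```python
from dataclasses import dataclass, replace

# Addresses taken from the post: router LAN IP, AdGuard Home container, client.
ROUTER = "192.168.1.1"
AGH = "192.168.1.20"
CLIENT = "192.168.1.50"
UPSTREAM = "1.1.1.1"   # the hardcoded resolver the client tries to reach

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    sport: int = 51234   # constructed ephemeral client port

def router_forward(pkt, masquerade):
    """Model of the two UCI sections: the 'redirect' (DNAT in PREROUTING)
    always fires; the 'nat' section (MASQUERADE in POSTROUTING) only when
    masquerade=True. Returns the packet as AGH receives it."""
    if pkt.dport == 53 and pkt.src != AGH:     # option src_ip '!192.168.1.20'
        pkt = replace(pkt, dst=AGH)            # option dest_ip '192.168.1.20'
    if masquerade and pkt.dst == AGH and pkt.dport == 53:
        pkt = replace(pkt, src=ROUTER)         # option target 'MASQUERADE'
    return pkt

def agh_reply(pkt):
    """AGH answers from its own IP to whatever source the query carried."""
    return Packet(src=pkt.dst, dst=pkt.src, dport=pkt.sport, sport=pkt.dport)

def client_sees(query, masquerade):
    """Follow one query out and its answer back. Reports what AGH logs as the
    client, where the answer appears to come from, and whether the client's
    socket accepts it (only answers from the address it sent to count)."""
    delivered = router_forward(query, masquerade)
    reply = agh_reply(delivered)
    if reply.dst == ROUTER:
        # Reply returns via the router, which undoes both NATs from conntrack,
        # so the client sees an answer that appears to come from 1.1.1.1.
        reply = Packet(src=query.dst, dst=query.src,
                       dport=query.sport, sport=query.dport)
    # Without MASQUERADE the reply goes straight from AGH to the client on the
    # LAN with src 192.168.1.20; the client's socket drops it -> timeout.
    accepted = reply.src == query.dst and reply.dport == query.sport
    return {"agh_logs_client_as": delivered.src,
            "reply_from": reply.src, "accepted": accepted}
```

Running `client_sees(Packet(src=CLIENT, dst=UPSTREAM, dport=53), masquerade=False)` reproduces the timeout (reply from 192.168.1.20, not accepted), while `masquerade=True` reproduces the accepted answer with AGH logging 192.168.1.1 as the client, which is the price of hairpinning the reply back through the router.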