I have a VLAN (let's call it VLAN1) which routes traffic via a WireGuard VPN, achieved using an Option Table.
I also have a Pi-Hole serving DNS requests on my other VLANs, using the VPN provider’s upstream DNS, via the VPN.
What I want to achieve is that the VLAN members (VLAN1) who route via the VPN, get their DNS requests served by the Pi-Hole, so I can track DNS requests. Presently, the VLAN DNS requests go directly to the VPN provider’s DNS.
How do I force the DNS requests from VLAN1 to the local DNS server, rather than the VPN’s DNS?
e.g. for clarity
Current DNS requests: VLAN1 (192.168.25.22) → 10.2.0.1
Desired DNS requests: VLAN1 (192.168.25.22) → 192.168.26.53 → 10.2.0.1
Option A:
Add list dhcp_option '6,192.168.26.53' to the corresponding DHCP pool section (hardcoded DNS servers will not be bypassed). You will also need to create a permissive firewall traffic rule.
Option B:
Redirect all DNS requests originating from 192.168.25.0/24 to 192.168.26.53.
config redirect
	option target 'DNAT'
	option name 'DNS_Redirect'
	option src '<zone>' # <-- correct source zone name here
	option src_ip '192.168.25.0/24'
	option src_dport '53'
	option dest_ip '192.168.26.53'
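The following is an added example, not code from the thread or from OpenWrt itself. It generates the uci commands for the Option B redirect together with the permissive forwarding rule the answer says is also needed, and refuses to emit a redirect when the resolver sits inside the subnet being redirected (its own upstream queries would then match the DNAT rule and loop back to it). The zone names "vlan1" and "lan" are assumptions; the subnet and resolver address are the ones from the thread.

```python
"""Added example (not part of the forum thread): emit the OpenWrt uci
commands for a DNS redirect plus the forwarding rule it depends on.

Assumptions, labelled here and in comments: the zone names "vlan1" and
"lan" are hypothetical; addresses are the ones used in the thread. The
output is a shell script to review and paste into the router; nothing
here touches a live system.
"""
import ipaddress


def resolver_outside_subnet(src_subnet, dns_ip):
    """True if the resolver is NOT inside the subnet whose port-53 traffic
    is redirected. If it were inside, its own upstream queries would match
    the DNAT rule and be sent back to itself (a loop)."""
    net = ipaddress.ip_network(src_subnet, strict=True)
    return ipaddress.ip_address(dns_ip) not in net


def build_dns_redirect(src_zone, src_subnet, dns_ip, name="DNS_Redirect"):
    """uci commands for the DNAT redirect (the thread's Option B).
    proto is set explicitly so both UDP and TCP port 53 are caught."""
    if not resolver_outside_subnet(src_subnet, dns_ip):
        raise ValueError("resolver %s lies inside %s; the redirect would loop"
                         % (dns_ip, src_subnet))
    s = "uci set firewall.@redirect[-1]."
    return [
        "uci add firewall redirect",
        s + "name='%s'" % name,
        s + "target='DNAT'",
        s + "src='%s'" % src_zone,          # hypothetical zone name
        s + "src_ip='%s'" % src_subnet,
        s + "src_dport='53'",
        s + "dest_ip='%s'" % dns_ip,
        s + "proto='tcp udp'",
    ]


def build_dns_allow_rule(src_zone, src_subnet, dest_zone, dns_ip,
                         name="Allow-DNS"):
    """The permissive traffic rule. It must match the post-DNAT destination
    (the resolver's address, port 53), because forwarding is filtered
    after the redirect has already rewritten the destination."""
    s = "uci set firewall.@rule[-1]."
    return [
        "uci add firewall rule",
        s + "name='%s'" % name,
        s + "src='%s'" % src_zone,          # hypothetical zone name
        s + "src_ip='%s'" % src_subnet,
        s + "dest='%s'" % dest_zone,        # hypothetical zone name
        s + "dest_ip='%s'" % dns_ip,
        s + "dest_port='53'",
        s + "proto='tcp udp'",
        s + "target='ACCEPT'",
    ]


def render_script(*command_lists):
    """Join the uci commands into a shell script that commits the firewall
    config and reloads the firewall."""
    lines = ["#!/bin/sh", "set -e"]
    for cmds in command_lists:
        lines.extend(cmds)
    lines += ["uci commit firewall", "/etc/init.d/firewall reload"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Zone names are assumptions; subnet and resolver are from the thread.
    allow = build_dns_allow_rule("vlan1", "192.168.25.0/24",
                                 "lan", "192.168.26.53")
    redirect = build_dns_redirect("vlan1", "192.168.25.0/24",
                                  "192.168.26.53")
    print(render_script(allow, redirect))
```

Two things to keep in mind when checking the result: a DNAT redirect rewrites only the destination address, so a client still believes 10.2.0.1 answered it, and the place to confirm the redirect is working is the Pi-hole query log rather than the client. The redirect also only catches plain port-53 DNS; a client using DNS over TLS (853) or DNS over HTTPS (443) is not caught by it.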
I just double-checked my firewall rule for that VLAN and, rather than being configured to allow DNS traffic from VLAN1 to LAN (192.168.26.53), it was in fact set to allow DNS traffic from wan to LAN (192.168.26.53).
I have no idea how that happened, as the DNS rules for my other VLANs are all correct. Doh!
The redirect solution you offered in Option B, is that achievable in LuCI? (I am not averse to editing config files, just curious.)
In your screen grab of General Settings, Source zone would be the VLAN?
I didn’t realise you could use CIDR in these fields; I could use 192.168.24.0/21 to allow all subnets from 192.168.24 to 192.168.31 to access DNS, rather than doing these rules by source zone.
Thanks for your help Pavel. I must pay more attention when checking (and configuring) firewall rules.