Skip to content

Instantly share code, notes, and snippets.

@korkmazk

korkmazk/UniFi USG DNS Redirect Setup.md

Forked from terafin/UniFi USG DNS Redirect Setup.md
Last active January 5, 2022 13:00
Show Gist options
  • Save korkmazk/91cb288548c8e427ffbc0dfb7527ad03 to your computer and use it in GitHub Desktop.
Save korkmazk/91cb288548c8e427ffbc0dfb7527ad03 to your computer and use it in GitHub Desktop.
Download ZIP
UniFi USG DNS Redirect Setup
Raw
UniFi USG DNS Redirect Setup.md

  1. Log into unifi controller web UI

  2. Go to Settings

  3. Search for "Firewall" and click on ""Add New Firewall Group

  4. Enter all your DNS servers here you want to be allowed on the local LAN (Eg, mine is 10.0.1.1 - gateway, 10.0.1.14 - pi-hole)

  5. Name this "Allowed DNS Servers"

  6. Hit OK

  7. SSH into the Gateway - NOT the CloudKey (username/password is whatever you set up)

  8. do this: 'mca-ctrl -t dump-cfg > config.txt'

  9. edit the new file, config.txt 'vi config.txt'

  10. Look for something that has the description field: "description": "customized-Allowed DNS Servers"

  11. Write down/copy aside the key associated that (mine is: 5d50c3764fd01c0ad01a6938) This is the Group ID for your group

  12. Now you need your 'interfaces' - meaning all your vlans and such.

  13. The way to find out your interfaces is ssh into the gateway and issue: show interfaces Output is:

    Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface    IP Address                        S/L  Description                 
---------    ----------                        ---  -----------                 
eth0         XX.X.XXX.XXX/22                   u/u  WAN                         
eth1         10.0.1.1/24                       u/u  LAN                         
eth1.2       10.0.2.1/24                       u/u                              
eth1.80      10.0.80.1/24                      u/u                              
eth1.90      10.0.90.1/24                      u/u                              
eth1.100     10.0.100.1/24                     u/u                              
eth2         -                                 A/D                              
eth3         -                                 A/D                              
eth4         -                                 A/D                              
eth5         -                                 u/D                              
eth6         -                                 u/D                              
eth7         -                                 u/D                              
eth8         -                                 u/D                              
lo           127.0.0.1/8                       u/u                              
             ::1/128

  14. Note down all the eth1, eth1.2, - eth1.100 for each active VLAN you care about doing this too (all?)

  15. Either open up your config.json on the CloudKey or learn how to edit/make one here: https://help.ubnt.com/hc/en-us/articles/215458888-UniFi-USG-Advanced-Configuration

  16. Copy this template for each of your VLANs/interfaces above to the nat/rule section

{ "service":{ "nat":{ "rule":{ "1":{ "description":"Redirect DNS requests", "destination":{ "group":{ "address-group":"!YOUR_GROUP_ID_FOR_DNS_SERVERS_HERE" }, "port":"53" }, "inbound-interface":"YOUR_UNIX_INTERFACE_HERE (eg: eth1 or eth1.90)", "inside-address":{ "address":"YOUR_IP_FOR_DNS_SERVER_HERE (eg: 10.0.1.14)" }, "log":"enable", "protocol":"tcp_udp", "type":"destination" }, "5001":{ "description":"Translate DNS to Internal", "destination":{ "address":"YOUR_IP_FOR_DNS_SERVER_HERE (eg: 10.0.1.14)", "port":"53" }, "log":"disable", "outbound-interface":"YOUR_UNIX_INTERFACE_HERE (eg: eth1 or eth1.90)", "protocol":"tcp_udp", "type":"masquerade" } } } } } ```

  1. Validate the json using the tool of your choice
  2. Go back to Unifi Controller web app
  3. Go to the devices tab
  4. Select your USG
  5. Hit Settings on it
  6. Scroll down and find "Force Provision"
  7. Pray and Profit
  8. Great way to verify this is to: 'dig @1.1.1.1 redis.siliconspirit.net' where the address I'm looking up doesn't exist in a public space (just my local DNS)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment