- Log into the UniFi controller web UI
- Go to Settings
- Select Routing & Firewall
- Select Firewall
- Select Groups
- Hit "Create new Group"
- Enter all the DNS servers you want to be allowed on the local LAN (e.g., mine are 10.0.1.1 - gateway, 10.0.1.14 - pi-hole)
- Name this "Allowed DNS Servers"
- Hit OK
- SSH into the Gateway - NOT the CloudKey (username/password is whatever you set up)
- Dump the running config: `mca-ctrl -t dump-cfg > config.txt`
- Edit the new file: `vi config.txt`
- Look for the entry that has this description field:
  `"description": "customized-Allowed DNS Servers"`
- Write down/copy aside the key associated with it (mine is: 5d50c3764fd01c0ad01a6938). This is the Group ID for your group.
- Now you need your 'interfaces' - meaning all your VLANs and such.
- The way to find out your interfaces is to SSH into the gateway and issue `show interfaces`. Output is:

  ```
  Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
  Interface    IP Address          S/L  Description
  ---------    ----------          ---  -----------
  eth0         XX.X.XXX.XXX/22     u/u  WAN
  eth1         10.0.1.1/24         u/u  LAN
  eth1.2       10.0.2.1/24         u/u
  eth1.80      10.0.80.1/24        u/u
  eth1.90      10.0.90.1/24        u/u
  eth1.100     10.0.100.1/24       u/u
  eth2         -                   A/D
  eth3         -                   A/D
  eth4         -                   A/D
  eth5         -                   u/D
  eth6         -                   u/D
  eth7         -                   u/D
  eth8         -                   u/D
  lo           127.0.0.1/8         u/u
               ::1/128
  ```

- Note down eth1, eth1.2 ... eth1.100, i.e. each active VLAN interface you care about doing this to (all?)
- Either open up your config.json on the CloudKey or learn how to edit/make one here: https://help.ubnt.com/hc/en-us/articles/215458888-UniFi-USG-Advanced-Configuration
- Copy this template for each of your VLANs/interfaces above into the nat/rule section:

  ```json
  {
    "nat": {
      "rule": {
        "1": {
          "description": "Redirect DNS requests",
          "destination": {
            "group": { "address-group": "!YOUR_GROUP_ID_FOR_DNS_SERVERS_HERE" },
            "port": "53"
          },
          "inbound-interface": "YOUR_UNIX_INTERFACE_HERE (eg: eth1 or eth1.90)",
          "inside-address": { "address": "YOUR_IP_FOR_DNS_SERVER_HERE (eg: 10.0.1.14)" },
          "log": "enable",
          "protocol": "tcp_udp",
          "type": "destination"
        },
        "5001": {
          "description": "Translate DNS to Internal",
          "destination": {
            "address": "YOUR_IP_FOR_DNS_SERVER_HERE (eg: 10.0.1.14)",
            "port": "53"
          },
          "log": "disable",
          "outbound-interface": "YOUR_UNIX_INTERFACE_HERE (eg: eth1 or eth1.90)",
          "protocol": "tcp_udp",
          "type": "masquerade"
        }
      }
    }
  }
  ```

- Validate the JSON using the tool of your choice
- Go back to the UniFi Controller web app
- Go to the Devices tab
- Select your USG
- Hit Settings on it
- Scroll down and find "Force Provision"
- Pray and Profit
- A great way to verify this is `dig @1.1.1.1 redis.siliconspirit.net`, where the name being looked up doesn't exist in public DNS (just in my local DNS)
@mostlychris did you find a way to forward to a group/list of servers rather than just one?
@korkmazk I used your idea to make it work but how do I check it with nslookup? What would be the right response? I want to force all traffic over my dns servers even if they are hardcoded.

```json
{
  "service": {
    "nat": {
      "rule": {
        "1": {
          "description": "Redirect DNS requests",
          "destination": {
            "group": { "address-group": "!62fbdc0cb2b1xxxxx576e1c" },
            "port": "53"
          },
          "inbound-interface": "eth1",
          "inside-address": { "address": "10.0.1.5;10.0.1.6;10.0.1.10" },
          "log": "enable",
          "protocol": "tcp_udp",
          "type": "destination"
        },
        "5001": {
          "description": "Translate DNS to Internal",
          "destination": { "address": "10.0.1.5;10.0.1.6;10.0.1.10", "port": "53" },
          "log": "disable",
          "outbound-interface": "eth1",
          "protocol": "tcp_udp",
          "type": "masquerade"
        }
      }
    }
  }
}
```
I have syslog enabled to Synology so I saw a hit on the rule by a Google Home device and I checked with nslookup, which I forced to use 8.8.8.8 to resolve an internal address, and it did, so I knew it was working and using my pihole where this internal address was defined. Otherwise the internal address would not be resolved as 8.8.8.8 doesn't know the internal ip of this host.
So the output for the nslookup of an internal address should resolve to an internal ip while forcing nslookup using an external dns.
I'm no network expert or so, there might be an easy way but this worked for me.
I had to disable my config because pi-hole started answering with 'refused' because my unifi was spamming the pihole to bits...
Under customized-Allowed DNS Servers I added my 3 pi-hole ip addresses (not the gateway).
This is my config:

```json
{
  "service": {
    "nat": {
      "rule": {
        "1": {
          "description": "Redirect DNS requests",
          "destination": {
            "group": { "address-group": "!62fbdc0cb2b13c0007576e1c" },
            "port": "53"
          },
          "inbound-interface": "eth1",
          "inside-address": { "address": "10.0.1.10" },
          "log": "enable",
          "protocol": "tcp_udp",
          "type": "destination"
        },
        "5001": {
          "description": "Translate DNS to Internal",
          "destination": { "address": "10.0.1.10", "port": "53" },
          "log": "disable",
          "outbound-interface": "eth1",
          "protocol": "tcp_udp",
          "type": "masquerade"
        }
      }
    }
  }
}
```
Ideas?
What might help: go to pihole settings > DNS > interface settings and check the Permit all origins option.
Make sure you read the warning!
The NAT masquerade rule is unnecessary. To prevent redirecting your DNS server's requests to itself, you can simply add a "source" rule for the subnet that the DNS server is present on (you also don't need an address group). Note that config.json doesn't accept comments, they're just here for explanation.

```jsonc
{
  "service": {
    "nat": {
      "rule": {
        "1": {
          "description": "Redirect DNS requests",
          "destination": {
            "port": "53"
          },
          "source": {
            // Don't send DNS traffic back to the server
            "address": "!YOUR_IP_FOR_DNS_SERVER_HERE/32"
          },
          "inbound-interface": "eth1",
          "inside-address": {
            "address": "YOUR_IP_FOR_DNS_SERVER_HERE",
            "port": "53"
          },
          "log": "enable",
          "protocol": "tcp_udp",
          "type": "destination"
        },
        // Other subnets do not need the source rule
        "2": {
          "description": "Redirect DNS requests",
          "destination": {
            "port": "53"
          },
          "inbound-interface": "eth1.2",
          "inside-address": {
            "address": "YOUR_IP_FOR_DNS_SERVER_HERE",
            "port": "53"
          },
          "log": "enable",
          "protocol": "tcp_udp",
          "type": "destination"
        }
      }
    }
  }
}
```
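As an added example (not the gist's or any commenter's code), this Python script builds the `service.nat.rule` block from the per-VLAN template in the gist, one destination-NAT rule per interface, applying the source exclusion described in the comment above on the resolver's own subnet, and then lints the result for mistakes a plain JSON validator cannot catch. The interface names, resolver address and its subnet interface are constructed sample values.

```python
import ipaddress
import json

# Constructed sample values (not from the gist): VLAN interfaces, resolver IP,
# and the interface whose subnet the resolver sits on.
INTERFACES = ["eth1", "eth1.2", "eth1.80", "eth1.90", "eth1.100"]
DNS_SERVER = "10.0.1.14"
SERVER_IFACE = "eth1"

def dnat_rule(iface, dns_server, on_server_subnet):
    """Destination-NAT rule: every packet to port 53 arriving on `iface` is
    rewritten to go to `dns_server`.  On the resolver's own subnet its source
    address is negated ('!') so its upstream queries are not sent back to it."""
    rule = {
        "description": f"Redirect DNS requests ({iface})",
        "destination": {"port": "53"},
        "inbound-interface": iface,
        "inside-address": {"address": dns_server, "port": "53"},
        "log": "enable",
        "protocol": "tcp_udp",
        "type": "destination",
    }
    if on_server_subnet:
        rule["source"] = {"address": f"!{dns_server}/32"}
    return rule

def build_config(interfaces, dns_server, server_iface):
    """Assemble the service.nat.rule block of config.json, one rule per VLAN."""
    ipaddress.ip_address(dns_server)  # raises ValueError on a malformed address
    rules = {str(n): dnat_rule(i, dns_server, i == server_iface)
             for n, i in enumerate(interfaces, start=1)}
    return {"service": {"nat": {"rule": rules}}}

def lint_config(cfg, dns_server, server_iface):
    """Checks a JSON validator cannot make: each interface covered only once and
    the source exclusion present on the resolver's subnet.  Returns problems."""
    problems, seen = [], set()
    for num, rule in cfg["service"]["nat"]["rule"].items():
        iface = rule.get("inbound-interface")
        if iface in seen:
            problems.append(f"rule {num}: duplicate interface {iface}")
        seen.add(iface)
        excluded = rule.get("source", {}).get("address") == f"!{dns_server}/32"
        if iface == server_iface and not excluded:
            problems.append(f"rule {num}: {iface} lacks the !{dns_server}/32 source exclusion")
    return problems

if __name__ == "__main__":
    cfg = build_config(INTERFACES, DNS_SERVER, SERVER_IFACE)
    print(json.dumps(cfg, indent=2), lint_config(cfg, DNS_SERVER, SERVER_IFACE))
```

Paste the printed `nat` block into the `service` section of config.json; an empty lint list means every VLAN is covered once and the resolver's subnet carries the exclusion.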
Can a port group be used to capture anything that's not going out on port 53?
AFAIK, you can add two addresses if you separate them with a dash.