-
Log into unifi controller web UI
-
Go to Settings
-
Select Routing & Firewall
-
Select Firewall
-
Select Groups
-
Hit "Create new Group"
-
Enter all your DNS servers here you want to be allowed on the local LAN (Eg, mine is 10.0.1.1 - gateway, 10.0.1.14 - pi-hole)
-
Name this "Allowed DNS Servers"
-
Hit OK
-
SSH into the Gateway - NOT the CloudKey (username/password is whatever you set up)
-
do this: 'mca-ctrl -t dump-cfg > config.txt'
-
edit the new file, config.txt 'vi config.txt'
-
Look for something that has the description field:
"description": "customized-Allowed DNS Servers" -
Write down/copy aside the key associated that (mine is: 5d50c3764fd01c0ad01a6938) This is the Group ID for your group
-
Now you need your 'interfaces' - meaning all your vlans and such.
-
The way to find out your interfaces is ssh into the gateway and issue:
show interfacesOutput is:Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down Interface IP Address S/L Description --------- ---------- --- ----------- eth0 XX.X.XXX.XXX/22 u/u WAN eth1 10.0.1.1/24 u/u LAN eth1.2 10.0.2.1/24 u/u eth1.80 10.0.80.1/24 u/u eth1.90 10.0.90.1/24 u/u eth1.100 10.0.100.1/24 u/u eth2 - A/D eth3 - A/D eth4 - A/D eth5 - u/D eth6 - u/D eth7 - u/D eth8 - u/D lo 127.0.0.1/8 u/u ::1/128 -
Note down all the eth1, eth1.2, - eth1.100 for each active VLAN you care about doing this too (all?)
-
Either open up your config.json on the CloudKey or learn how to edit/make one here: https://help.ubnt.com/hc/en-us/articles/215458888-UniFi-USG-Advanced-Configuration
-
Copy this template for each of your VLANs/interfaces above to the nat/rule section
{ "nat": { "rule": { "1": { "description": "Redirect DNS requests", "destination": { "group": { "address-group": "!YOUR_GROUP_ID_FOR_DNS_SERVERS_HERE" }, "port": "53" }, "inbound-interface": "YOUR_UNIX_INTERFACE_HERE (eg: eth1or eth1.90)", "inside-address": { "address": "YOUR_IP_FOR_DNS_SERVER_HERE (eg: 10.0.1.14)" }, "log": "enable", "protocol": "tcp_udp", "type": "destination" }, "5001": { "description": "Translate DNS to Internal", "destination": { "address": "YOUR_IP_FOR_DNS_SERVER_HERE (eg: 10.0.1.14)", "port": "53" }, "log": "disable", "outbound-interface": "YOUR_UNIX_INTERFACE_HERE (eg: eth1 or eth1.90)", "protocol": "tcp_udp", "type": "masquerade" } } } } -
Validate the json using the tool of your choice
-
Go back to Unifi Controller web app
-
Go to the devices tab
-
Select your USG
-
Hit Settings on it
-
Scroll down and find "Force Provision"
-
Pray and Profit
-
Great way to verify this is to: 'dig @1.1.1.1 redis.siliconspirit.net' where the address I'm looking up doesn't exist in a public space (just my local DNS)
Last active
April 19, 2024 21:40
-
-
Save terafin/2ee5b231cb36712b0d2b7dd32941c2ab to your computer and use it in GitHub Desktop.
UniFi USG DNS Redirect Setup
Can a port group be used to capture anything thats not going out on port 53?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The NAT masquerade rule is unnecessary. To prevent redirecting your DNS server's requests to itself, you can simply add a
"source"rule for the subnet that the DNS server is present on (you also don't need an address group). Note that config.json doesn't accept comments, they're just here for explanation.