With the arrival of IoT (Internet of Things) devices we are introducing unknown hardware and software to our networks. Many obey the rules we impose on them (static IP addresses, limited Internet access, a specific DNS server, etc.). But there are also devices that use DNS with the server addresses hardcoded in their firmware, ignoring whatever DHCP hands out. Simply blocking those addresses tends to result in erratic behaviour, because the device has no fallback.
I place all of those devices in a separate VLAN with limited connectivity, where I block outgoing DNS-over-HTTPS (DoH), DNS-over-TLS (DoT) and direct DNS access to the Internet. Everything is supposed to use my internal DNS services. For the devices with hardcoded DNS servers I created some special NAT and firewall rules that force them to use my internal DNS services anyway.
The setup is easy. First you create a NAT Port Forward rule where the destination is everything outside the private IP ranges (the RFC1918 networks, negated: !RFC1918) and the destination port is 53, for both TCP and UDP. This traffic is redirected to your internal DNS service(s). Then attach the NAT rule to the interface(s) the IoT devices live on. In my case the internal DNS runs on the firewall itself, so the redirect target is 127.0.0.1 (the resolver's address as seen from the firewall).
Captive DNS NAT rule
Attaching it to the Interfaces (in my case Management) also creates the floating rule for this.
Opnsense Floating Rules with the Captive DNS rule
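The same redirect written out in FreeBSD pf syntax, as an added example that is not part of the original post and not the rules OPNsense generates from the GUI; the interface name and the IoT subnet are assumptions. It also carries the DoT block mentioned above, since that is the other half of making the redirect stick:

```pf
# Added example: pf equivalent of the OPNsense captive-DNS port forward.
# Interface and network names are assumptions for this illustration.
iot_if  = "igc2"             # interface carrying the IoT VLAN
iot_net = "192.168.10.0/24"  # the IoT VLAN itself
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# Captive DNS: plain DNS (TCP and UDP 53) from the IoT VLAN to any public
# address is rewritten to Unbound on the firewall itself. Private destinations
# are excluded so queries already aimed at the firewall are left untouched.
rdr pass on $iot_if inet proto { tcp udp } from $iot_net to ! <rfc1918> port 53 -> 127.0.0.1 port 53

# DoT carries no cleartext query to rewrite, so it is refused outright and the
# device is left with plain port 53, which the rdr above captures.
block return in quick on $iot_if inet proto tcp from $iot_net to any port 853
```

Two caveats. Both rules are `inet` (IPv4) only: if the IoT VLAN has IPv6, a device with a hardcoded IPv6 resolver walks straight past them, so either keep IPv6 off that VLAN or add `inet6` twins. And DoH is not shown because it shares TCP 443 with ordinary web traffic; blocking it needs a list of known DoH resolver addresses rather than a port match.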
The following query should not show up in your own DNS logs, since it is sent directly to Google's resolver. Note that dig even reports the answer as coming from 8.8.8.8: pf rewrites the destination on the way out and translates the reply's source back when it matches the state, so the client never notices.
% dig @8.8.8.8 www.jbvdsdghjytrfcvbnjuytfghytrfgbnjngbf.com

; <<>> DiG 9.10.6 <<>> @8.8.8.8 www.jbvdsdghjytrfcvbnjuytfghytrfgbnjngbf.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 59767
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.jbvdsdghjytrfcvbnjuytfghytrfgbnjngbf.com. IN A

;; AUTHORITY SECTION:
com.    900    IN    SOA    a.gtld-servers.net. nstld.verisign-grs.com. 1743173407 1800 900 604800 900

;; Query time: 17 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Mar 28 15:50:38 CET 2025
;; MSG SIZE  rcvd: 146
Checking the Unbound logs shows something else though.
Logfile evidence that the query didn’t go to Google DNS
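To turn that log check into something repeatable, here is an added example (not code from the original post) that reads Unbound's query log, confirms the canary name from the dig run above arrived at Unbound, and lists what each device on the IoT VLAN has been resolving. It assumes Unbound runs with `log-queries: yes` and writes its stock `info: <client> <qname> <qtype> <qclass>` lines; the log excerpt and the 192.168.10.0/24 subnet are constructed for the demo.

```python
"""Confirm captive-DNS redirection from Unbound's query log.

Added example, not part of the original post. Assumes Unbound is started with
`log-queries: yes`; the log excerpt and the IoT subnet below are constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Matches the tail of an Unbound query-log line, whatever syslog/timestamp
# prefix precedes it: "info: <client> <qname> <qtype> <qclass>".
QUERY_RE = re.compile(
    r"info: (?P<client>[0-9a-fA-F:.]+) (?P<qname>\S+) (?P<qtype>[A-Z0-9]+) (?P<qclass>IN|CH|HS)\b"
)

IOT_NET = ipaddress.ip_network("192.168.10.0/24")  # assumed IoT VLAN
CANARY = "www.jbvdsdghjytrfcvbnjuytfghytrfgbnjngbf.com"  # the name dig asked 8.8.8.8 for

# Constructed log excerpt in Unbound's default log format.
SAMPLE_LOG = """\
[1743173437] unbound[4242:0] info: start of service (unbound 1.22.0).
[1743173438] unbound[4242:0] info: 192.168.10.23 www.jbvdsdghjytrfcvbnjuytfghytrfgbnjngbf.com. A IN
[1743173440] unbound[4242:0] info: 192.168.10.23 time.aliyun.com. A IN
[1743173441] unbound[4242:0] info: 192.168.10.57 mqtt.example-vendor.com. A IN
[1743173442] unbound[4242:0] info: 192.168.1.5 www.opnsense.org. AAAA IN
[1743173443] unbound[4242:1] info: 192.168.10.57 mqtt.example-vendor.com. AAAA IN
"""


def parse_queries(log_text):
    """Yield (client, qname, qtype) for every query line; other lines are skipped."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        try:
            client = ipaddress.ip_address(m["client"])
        except ValueError:
            continue  # not a client address (e.g. some other info line)
        yield client, m["qname"].rstrip(".").lower(), m["qtype"]


def canary_clients(log_text, canary=CANARY):
    """Return the set of clients that asked Unbound for the canary name.

    If the redirect works, the device that ran `dig @8.8.8.8 <canary>` shows up
    here even though dig itself reported SERVER: 8.8.8.8. An empty set means the
    query really left for Google and the NAT rule did not match.
    """
    want = canary.rstrip(".").lower()
    return {str(c) for c, qname, _ in parse_queries(log_text) if qname == want}


def queries_by_iot_client(log_text, iot_net=IOT_NET):
    """Map each IoT-VLAN client to the sorted names it resolved."""
    seen = defaultdict(set)
    for client, qname, _ in parse_queries(log_text):
        if client in iot_net:  # addresses of another IP version are simply not "in"
            seen[str(client)].add(qname)
    return {c: sorted(names) for c, names in seen.items()}


if __name__ == "__main__":
    hits = canary_clients(SAMPLE_LOG)
    print("redirect works" if hits else "redirect NOT working", sorted(hits))
    for client, names in sorted(queries_by_iot_client(SAMPLE_LOG).items()):
        print(f"{client}: {', '.join(names)}")
```

Against a live system, replace `SAMPLE_LOG` with the contents of wherever your Unbound log ends up (the path depends on how OPNsense or your syslog is configured), run the dig from the IoT VLAN with a fresh random name, and check that `canary_clients` returns that device's address.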
This way you have complete control over the DNS queries of your Aliexpress IoT devices. You can see what they are up to, and via overrides in Unbound you can even modify the answers they get.
Note that this feature is not unique to OPNsense and/or Unbound: it can be achieved with any firewall that supports NAT port forwarding.