Restricting DNS in pfSense

There are valid reasons for wanting to override DNS on your network. Maybe you’re in a corporate environment and you want to prevent people from using outside DNS which would render AD useless. Maybe you’re in a school and you want to make sure students are filtered appropriately. Or maybe at home, you just want to make sure your IoT devices and guests can’t access malware sites.

NAT – it’s more than just extending IPv4

From the headline, you guessed it. We’re going to be using NAT and port forwarding here.

Note: you should have VLANs setup unless you want all your traffic going to a specified DNS server.

Go to Firewall > NAT > Port Forwarding in pfSense. Click on add. Set the Interface to the VLAN you want to force NAT on. Select your address family. Select TCP/UDP on Protocol. For destination, make sure you select Any! Destination port range is DNS. Redirect target IP is the IP address of your DNS server. Whether this is PiHole, Windows, BIND, Cloudflare DNS, OpenDNS, whatever, it doesn’t matter. Redirect port should also be DNS. NAT reflection should be disable.

When you’re done, your rule should look like this:

Click Save and you’re good to go!

So let’s say your “smart” TV serves ads but has a hard coded IP address. You want to block these ads with PiHole. Put your TV on a IoT VLAN and implement the above rule. Your TV will then hit your PiHole for DNS. No more ads!

In a corporate environment, instead of PiHole, it would probably be your Active Directory DNS server. If someone tries to change their DNS to, they’ll still hit your AD server.

Leave a Comment

Your email address will not be published. Required fields are marked *