# Redirecting Client DNS Requests

**Before you begin: network-level DNS must be set to use the pfSense firewall, or DNS queries will fail. Attempting to redirect all DNS queries to your own DNS server, only to then send them off to Google or Cloudflare, will fail.**

To restrict client DNS to only the DNS Resolver or Forwarder on pfSense® software, use a port forward to capture all client DNS requests.

Note

Either the DNS Resolver or the DNS Forwarder must be active, and it must bind to and answer queries on *Localhost* or *All* interfaces.

See also

- [Blocking External Client DNS Queries](https://docs.coltscomputer.services/books/networking/page/blocking-external-client-dns-queries "Blocking External Client DNS Queries")
- [Blocking Web Sites Using DNS](https://docs.coltscomputer.services/books/networking/page/blocking-web-sites "Blocking Web Sites")

The following example uses the LAN interface, but the same technique works with any local interface.

- Navigate to **Firewall > NAT**, **Port Forward** tab
- Click **Add** to create a new rule
- Fill in the following fields on the port forward rule:
    - **Interface**: *LAN*
    - **Protocol**: *TCP/UDP*
    - **Destination**: **Invert Match** *checked*, *LAN Address*
    - **Destination Port Range**: *DNS (53)*
    - **Redirect Target IP**: `127.0.0.1`
    - **Redirect Target Port**: *DNS (53)*
    - **Description**: `Redirect DNS`
    - **NAT Reflection**: *Disable*

When complete, the port forward must appear as follows:

![../_images/redirect_dns_port_forward.png](https://docs.netgate.com/pfsense/en/latest/_images/redirect_dns_port_forward.png)

Note

If DNS requests to other DNS servers are blocked, such as by following [Blocking External Client DNS Queries](https://docs.coltscomputer.services/books/networking/page/blocking-external-client-dns-queries "Blocking External Client DNS Queries"), ensure the rule to pass DNS to `127.0.0.1` is above any rule that blocks DNS.

With this port forward in place, DNS requests from local clients to **any** external IP address will result in the query being answered by the firewall itself. Access to other DNS servers on port 53 is impossible.

Tip

This can be adapted to allow access to only a specific set of DNS servers by changing the Destination network from “LAN Address” to an alias containing the allowed DNS servers. The **Invert match** box should remain checked.

Warning

Clients using DNS over TLS or DNS over HTTPS could circumvent this protection. Redirecting or blocking port `853` may help with DNS over TLS, depending on the clients.

See [Blocking External Client DNS Queries](https://docs.netgate.com/pfsense/en/latest/recipes/dns-block-external.html) for additional advice.
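To make the effect of each field concrete, here is an added Python model (not pfSense code) of the port forward's match logic: it evaluates constructed client queries against the rule above, the allowed-server alias variant from the Tip, and the port 853 case from the Warning. The LAN address and resolver IPs are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """A client DNS request as the firewall sees it arriving on the LAN interface."""
    proto: str   # "tcp" or "udp"
    dst: str     # destination IP address
    dport: int   # destination port


@dataclass(frozen=True)
class DnsRedirect:
    """The recipe's port forward: LAN, TCP/UDP, destination (inverted), port 53 -> target."""
    destination: frozenset        # "LAN Address", or the alias of allowed servers from the Tip
    invert_match: bool = True
    dport: int = 53
    target_ip: str = "127.0.0.1"  # Redirect Target IP
    target_port: int = 53         # Redirect Target Port

    def matches(self, pkt: Packet) -> bool:
        if pkt.proto not in ("tcp", "udp") or pkt.dport != self.dport:
            return False
        in_destination = pkt.dst in self.destination
        # Invert Match flips the destination test: match everything NOT in the set.
        return in_destination != self.invert_match

    def apply(self, pkt: Packet) -> Packet:
        """Return the packet as it leaves the NAT stage (rewritten or untouched)."""
        if not self.matches(pkt):
            return pkt
        return Packet(pkt.proto, self.target_ip, self.target_port)


# Constructed sample values: the firewall's LAN address and one permitted external resolver.
LAN_ADDRESS = "192.168.1.1"
ALLOWED_RESOLVER = "9.9.9.9"

# Rule exactly as described: Invert Match checked, destination "LAN Address".
REDIRECT_ALL = DnsRedirect(destination=frozenset({LAN_ADDRESS}))
# Tip variant: destination is an alias of allowed DNS servers, Invert Match still checked.
REDIRECT_EXCEPT_ALLOWED = DnsRedirect(destination=frozenset({LAN_ADDRESS, ALLOWED_RESOLVER}))


def final_destination(rule: DnsRedirect, pkt: Packet) -> tuple:
    """(ip, port) the query actually reaches after the port forward is evaluated."""
    out = rule.apply(pkt)
    return out.dst, out.dport


if __name__ == "__main__":
    for pkt in (Packet("udp", "8.8.8.8", 53), Packet("udp", LAN_ADDRESS, 53),
                Packet("tcp", "1.1.1.1", 853)):  # the last one is DNS over TLS, not caught
        print(pkt.proto, pkt.dst, pkt.dport, "->", final_destination(REDIRECT_ALL, pkt))
```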