UniFi USG DNS Redirect Setup
  1. Log into the UniFi Controller web UI

  2. Go to Settings

  3. Select Routing & Firewall

  4. Select Firewall

  5. Select Groups

  6. Hit "Create new Group"

  7. Enter all the DNS servers you want to be allowed on the local LAN (e.g. mine are 10.0.1.1, the gateway, and 10.0.1.14, the Pi-hole)

  8. Name this group "Allowed DNS Servers"

  9. Hit OK

  10. SSH into the Gateway - NOT the CloudKey (the username/password is whatever you set up)

  11. Run this: 'mca-ctrl -t dump-cfg > config.txt'

  12. Edit the new file, config.txt: 'vi config.txt'

  13. Look for the entry whose description field reads: "description": "customized-Allowed DNS Servers"

  14. Write down/copy aside the key associated with that entry (mine is: 5d50c3764fd01c0ad01a6938). This is the Group ID for your group.

  15. Now you need your 'interfaces', meaning all your VLANs and such.

  16. The way to find out your interfaces is to SSH into the gateway and issue 'show interfaces'. The output is:

    Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
    Interface    IP Address                        S/L  Description                 
    ---------    ----------                        ---  -----------                 
    eth0         XX.X.XXX.XXX/22                   u/u  WAN                         
    eth1         10.0.1.1/24                       u/u  LAN                         
    eth1.2       10.0.2.1/24                       u/u                              
    eth1.80      10.0.80.1/24                      u/u                              
    eth1.90      10.0.90.1/24                      u/u                              
    eth1.100     10.0.100.1/24                     u/u                              
    eth2         -                                 A/D                              
    eth3         -                                 A/D                              
    eth4         -                                 A/D                              
    eth5         -                                 u/D                              
    eth6         -                                 u/D                              
    eth7         -                                 u/D                              
    eth8         -                                 u/D                              
    lo           127.0.0.1/8                       u/u                              
                 ::1/128                          
    
  17. Note down all the interfaces (eth1, eth1.2, ... eth1.100) for each active VLAN you care about doing this to (all?)

  18. Either open up your config.json on the CloudKey or learn how to edit/make one here: https://help.ubnt.com/hc/en-us/articles/215458888-UniFi-USG-Advanced-Configuration

  19. Copy this template into the nat/rule section, once for each of your VLANs/interfaces from above

    {
      "nat": {
        "rule": {
          "1": {
            "description": "Redirect DNS requests",
            "destination": {
              "group": {
                "address-group": "!YOUR_GROUP_ID_FOR_DNS_SERVERS_HERE"
              },
              "port": "53"
            },
            "inbound-interface": "YOUR_UNIX_INTERFACE_HERE (eg: eth1 or eth1.90)",
            "inside-address": {
              "address": "YOUR_IP_FOR_DNS_SERVER_HERE (eg: 10.0.1.14)"
            },
            "log": "enable",
            "protocol": "tcp_udp",
            "type": "destination"
          },
          "5001": {
            "description": "Translate DNS to Internal",
            "destination": {
              "address": "YOUR_IP_FOR_DNS_SERVER_HERE (eg: 10.0.1.14)",
              "port": "53"
            },
            "log": "disable",
            "outbound-interface": "YOUR_UNIX_INTERFACE_HERE (eg: eth1 or eth1.90)",
            "protocol": "tcp_udp",
            "type": "masquerade"
          }
        }
      }
    }
    
  20. Validate the JSON using the tool of your choice

  21. Go back to the UniFi Controller web app

  22. Go to the Devices tab

  23. Select your USG

  24. Hit Settings on it

  25. Scroll down and find "Force Provision"

  26. Pray and Profit

  27. A great way to verify this is to run 'dig @1.1.1.1 redis.siliconspirit.net', where the address I'm looking up doesn't exist in a public space (just my local DNS)
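Steps 16 through 20 done in one place, as an added example that is not part of the original gist: it picks the up/up LAN interfaces out of a 'show interfaces' listing, emits the gist's pair of NAT rules for each of them, and returns JSON that already parses. The sample listing is constructed (shortened from step 16), the group ID is a placeholder, and the per-interface rule numbers are my addition: EdgeOS keys NAT rules by number, so repeating the template verbatim with "1" and "5001" for a second interface would collide; destination rules stay below 5000 and masquerade rules at 5000 and above.

```python
import json
# Constructed sample, shortened from the "show interfaces" listing in step 16.
SHOW_INTERFACES = """\
Interface    IP Address                        S/L  Description
---------    ----------                        ---  -----------
eth0         XX.X.XXX.XXX/22                   u/u  WAN
eth1         10.0.1.1/24                       u/u  LAN
eth1.2       10.0.2.1/24                       u/u
eth1.90      10.0.90.1/24                      u/u
eth2         -                                 A/D
"""

def active_lan_interfaces(output, lan_port="eth1"):
    """Step 17: interfaces that are up/up and are the LAN port or one of its VLANs."""
    found = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[2] != "u/u":
            continue  # skips the header, the separator row and down/admin-down ports
        if parts[0] == lan_port or parts[0].startswith(lan_port + "."):
            found.append(parts[0])  # eth0 (WAN) and eth2 fall through here
    return found

def build_dns_redirect(group_id, dns_ip, interfaces):
    """Step 19 for every interface. Rule numbers are unique per interface
    (constructed here): destination NAT below 5000, masquerade at 5000 and up."""
    rules = {}
    for n, iface in enumerate(interfaces, start=1):
        rules[str(n)] = {
            "description": f"Redirect DNS requests ({iface})",
            "destination": {"group": {"address-group": f"!{group_id}"}, "port": "53"},
            "inbound-interface": iface,
            "inside-address": {"address": dns_ip},
            "log": "enable",
            "protocol": "tcp_udp",
            "type": "destination",
        }
        rules[str(5000 + n)] = {
            "description": f"Translate DNS to Internal ({iface})",
            "destination": {"address": dns_ip, "port": "53"},
            "log": "disable",
            "outbound-interface": iface,
            "protocol": "tcp_udp",
            "type": "masquerade",
        }
    return {"nat": {"rule": rules}}

def render_config(group_id, dns_ip, output=SHOW_INTERFACES):
    cfg = build_dns_redirect(group_id, dns_ip, active_lan_interfaces(output))
    return json.dumps(cfg, indent=2)  # valid JSON for step 20, ready to paste into the nat section
```

The "!" in front of the group ID is the gist's own negation: only queries aimed at a server outside the "Allowed DNS Servers" group are rewritten to the Pi-hole.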
