Skip to content

Instantly share code, notes, and snippets.

@terafin
Last active April 19, 2024 21:40
Show Gist options
  • Save terafin/2ee5b231cb36712b0d2b7dd32941c2ab to your computer and use it in GitHub Desktop.
Save terafin/2ee5b231cb36712b0d2b7dd32941c2ab to your computer and use it in GitHub Desktop.
UniFi USG DNS Redirect Setup
  1. Log into unifi controller web UI

  2. Go to Settings

  3. Select Routing & Firewall

  4. Select Firewall

  5. Select Groups

  6. Hit "Create new Group"

  7. Enter all your DNS servers here you want to be allowed on the local LAN (Eg, mine is 10.0.1.1 - gateway, 10.0.1.14 - pi-hole)

  8. Name this "Allowed DNS Servers"

  9. Hit OK

  10. SSH into the Gateway - NOT the CloudKey (username/password is whatever you set up)

  11. do this: 'mca-ctrl -t dump-cfg > config.txt'

  12. edit the new file, config.txt 'vi config.txt'

  13. Look for something that has the description field: "description": "customized-Allowed DNS Servers"

  14. Write down/copy aside the key associated that (mine is: 5d50c3764fd01c0ad01a6938) This is the Group ID for your group

  15. Now you need your 'interfaces' - meaning all your vlans and such.

  16. The way to find out your interfaces is ssh into the gateway and issue: show interfaces Output is:

    Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
    Interface    IP Address                        S/L  Description                 
    ---------    ----------                        ---  -----------                 
    eth0         XX.X.XXX.XXX/22                   u/u  WAN                         
    eth1         10.0.1.1/24                       u/u  LAN                         
    eth1.2       10.0.2.1/24                       u/u                              
    eth1.80      10.0.80.1/24                      u/u                              
    eth1.90      10.0.90.1/24                      u/u                              
    eth1.100     10.0.100.1/24                     u/u                              
    eth2         -                                 A/D                              
    eth3         -                                 A/D                              
    eth4         -                                 A/D                              
    eth5         -                                 u/D                              
    eth6         -                                 u/D                              
    eth7         -                                 u/D                              
    eth8         -                                 u/D                              
    lo           127.0.0.1/8                       u/u                              
                 ::1/128                          
    
  17. Note down all the eth1, eth1.2, - eth1.100 for each active VLAN you care about doing this too (all?)

  18. Either open up your config.json on the CloudKey or learn how to edit/make one here: https://help.ubnt.com/hc/en-us/articles/215458888-UniFi-USG-Advanced-Configuration

  19. Copy this template for each of your VLANs/interfaces above to the nat/rule section

    {
      "nat": {
        "rule": {
          "1": {
            "description": "Redirect DNS requests",
            "destination": {
              "group": {
                "address-group": "!YOUR_GROUP_ID_FOR_DNS_SERVERS_HERE"
              },
              "port": "53"
            },
            "inbound-interface": "YOUR_UNIX_INTERFACE_HERE (eg: eth1or eth1.90)",
            "inside-address": {
              "address": "YOUR_IP_FOR_DNS_SERVER_HERE (eg: 10.0.1.14)"
            },
            "log": "enable",
            "protocol": "tcp_udp",
            "type": "destination"
          },
          "5001": {
            "description": "Translate DNS to Internal",
            "destination": {
              "address": "YOUR_IP_FOR_DNS_SERVER_HERE (eg: 10.0.1.14)",
              "port": "53"
            },
            "log": "disable",
            "outbound-interface": "YOUR_UNIX_INTERFACE_HERE (eg: eth1 or eth1.90)",
            "protocol": "tcp_udp",
            "type": "masquerade"
          }
        }
      }
    }
    
  20. Validate the json using the tool of your choice

  21. Go back to Unifi Controller web app

  22. Go to the devices tab

  23. Select your USG

  24. Hit Settings on it

  25. Scroll down and find "Force Provision"

  26. Pray and Profit

  27. Great way to verify this is to: 'dig @1.1.1.1 redis.siliconspirit.net' where the address I'm looking up doesn't exist in a public space (just my local DNS)

@korkmazk
Copy link

What might help: go to pihole settings > DNS > interface settings and check Permit all origins option.
Make sure your read the warning!

@udf
Copy link

udf commented Oct 18, 2022

The NAT masquerade rule is unnecessary. To prevent redirecting your DNS server's requests to itself, you can simply add a "source" rule for the subnet that the DNS server is present on (you also don't need an address group). Note that config.json doesn't accept comments, they're just here for explanation.

{
  "service": {
    "nat": {
      "rule": {
        "1": {
          "description": "Redirect DNS requests",
          "destination": {
            "port": "53"
          },
          "source": {
            // Don't send DNS traffic back to the server
            "address": "!YOUR_IP_FOR_DNS_SERVER_HERE/32"
          },
          "inbound-interface": "eth1",
          "inside-address": {
            "address": "YOUR_IP_FOR_DNS_SERVER_HERE",
            "port": "53"
          },
          "log": "enable",
          "protocol": "tcp_udp",
          "type": "destination"
        },
        // Other subnets do not need the source rule
        "2": {
          "description": "Redirect DNS requests",
          "destination": {
            "port": "53"
          },
          "inbound-interface": "eth1.2",
          "inside-address": {
            "address": "YOUR_IP_FOR_DNS_SERVER_HERE",
            "port": "53"
          },
          "log": "enable",
          "protocol": "tcp_udp",
          "type": "destination"
        }
      }
    }
  }
}

@numbermonkey
Copy link

Can a port group be used to capture anything thats not going out on port 53?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment