Captive DNS Using Vyos
Dealing with hardcoded DNS servers on home networks, like those found in smart TVs and Chromecast, presents a challenge for enforcing ad-blocking and tracking prevention. In this guide, we’ll solve this issue by configuring NAT rules on a Vyos router to redirect requests from devices that have hard-coded DNS servers to your own DNS server.
I use Blocky as my DNS server on my home network, but this should work with Pi-Hole and any other DNS server aswell.
In order to disable this, I setup a few NAT rules on my Vyos router to redirect any DNS queries to unknown DNS servers to my Blocky server.
Define Allowed DNS servers
Start by creating an address group containing the allowed DNS servers. This ensures that legitimate DNS queries are not redirected.
mhamzahkhan@homelab-gw:~$ configure
[edit]
set firewall group address-group dns-servers address '10.254.95.3'
set firewall group address-group dns-servers address '10.254.95.4'
Create Destination NAT Rule
Next, set up a destination NAT rule to redirect DNS queries not intended for the allowed DNS servers to the Blocky DNS server.
mhamzahkhan@homelab-gw:~$ configure
[edit]
set nat destination rule 5010 description 'Captive DNS'
set nat destination rule 5010 destination group address-group '!dns-servers'
set nat destination rule 5010 destination port '53'
set nat destination rule 5010 inbound-interface name 'bond1.90'
set nat destination rule 5010 protocol 'tcp_udp'
set nat destination rule 5010 translation address '10.254.95.4'
set nat destination rule 5010 translation port '53'
In this example, bond1.90 is my internal home network and 10.254.95.4 is my Blocky DNS server.