On 2018-09-23, Edgar Pettijohn <[email protected]> wrote:
>
> On Sep 22, 2018 11:21 PM, Fung <[email protected]> wrote:
>>
>> simple router built with OpenBSD
>> Wan a.b.c.d
>> Lan 192.168.0.1/24
>> Unbound runs for DNS cache on 127.0.0.1
>>
>> we want:
>> no matter a client pc sets dns to any address ( 8.8.8.8 or 9.9.9.9 )
>> all clients' dns queries are redirected to the localhost cache in the router
>>
>> Can we achieve this using pf.conf?
>> how? tests with rdr-to or divert-to do not work
>>
>> -----
>> pf.conf
>>
>> match out on egress inet from !(egress:network) to any nat-to (egress:0)
>> pass in quick proto udp from any to any port 53 rdr-to 127.0.0.1 port 53
>> pass
>>
>
> DNS can go tcp also.
That should be enough to hijack things for the more common UDP side of things though. And hijacking DNS like this is going to break some things anyway (some programs want to contact authoritative DNS servers directly, they don't expect or want a recursive resolver, which behaves differently).
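For reference, here is a pf.conf fragment that covers both the UDP and the TCP case raised in the reply above. It is an added example, not a ruleset posted by anyone in this thread. It assumes the LAN interface is named em1 (a placeholder to substitute) and that Unbound listens on 127.0.0.1 port 53, as described in the original question; the egress and LAN addressing are taken from that question.

```pf
# Added example (not from the thread): force LAN clients' DNS through the
# router's local Unbound cache, whatever resolver address they configure.
# Assumes the LAN interface is em1 (placeholder) and Unbound listens on
# 127.0.0.1:53.
lan_if = "em1"

# NAT for LAN traffic leaving via the default route, as in the original ruleset.
match out on egress inet from !(egress:network) to any nat-to (egress:0)

# Redirect DNS from the LAN to the local resolver. Match on the LAN
# interface only, so the router's own upstream lookups leaving via egress
# are not caught, and cover TCP as well as UDP: resolvers fall back to TCP
# for answers that do not fit in a UDP datagram.
pass in quick on $lan_if inet proto { udp tcp } from $lan_if:network to any port 53 rdr-to 127.0.0.1 port 53

pass
```

Two things to check when such a rule appears not to work: pf only rewrites the destination, so Unbound still sees the client's LAN source address and must be configured to accept queries from 192.168.0.0/24 (its default access-control refuses everything except localhost); and the redirect must be on the `in` side of the LAN interface, since by the time a packet is seen on `egress` it is too late to send it to 127.0.0.1.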

