Results 1 to 3 of 3
  1. #1
    Join Date
    Aug 2016

    Default Force / Redirect all DNS queries to Untangle

    Good Evening,

    I am working through the final configuration of my home FW and want to enable or rather force/redirect ALL DNS queries to the Untangle FW. The reason is such that I have several IoT devices along with middle and high school supplied devices that I cannot change DNS entries and want to ensure they aren't going to any rogue servers per se. I have already blocked their ability to hit any other country but the US. DNS is the last piece of the puzzle

    Here is what I have so far and I believe it "should" work but looking for your expert say so on what else needs to be configured, etc.

    Port Forward:

    I would also like to be able to see that it is in fact working. In looking at the reports for port forwarded traffic, I don't see the laptop I am on currently that has DNS manually configured for being redirected to

    If I may ask, please upload screenshots as it makes like much easier. I am still trying to grasp the rules functions. It is so much different than the PaloAlto and Checkpoint firewalls that I had previously.

    Thanks again,

    Last edited by mfwade; 08-30-2020 at 07:49 PM.

  2. #2
    Untangle Ninja jcoehoorn's Avatar
    Join Date
    Mar 2010
    York, NE


    The DNS service in Untangle supports static entries. You can run a test to prove for yourself whether it's working by overriding the DNS A record normally returned for one domain with a static entry using the IP of another. For example, my system currently reports as having IP, and as having IP You can create a static entry for to instead return untangle's number.

    Now clear your laptop's DNS cache and try to visit the from your laptop (even just a ping would be enough). Make sure you're not using a browser with DNS over HTTPS turned on (Firefox does this by default now). What happens? After the test, remove the wrong A record.

    So what about DNS over HTTPS? Well, at the moment there's not much you can do about it. Cloudflare's DoH service runs on the same IP as their regular DNS service. I guess you could block port 443 traffic to all known DoH providers, but you can't automatically forward that traffic elsewhere in a way that will work (anyone who is set up to use DoH will just be broken, and again, it's the default now in some situations), and eventually some of them will also have important meaningful services running alongside the DoH, making outright blocks untenable.
    Last edited by jcoehoorn; 08-30-2020 at 08:45 PM.
    Five time Microsoft ASP.Net MVP managing a Lenovo RD330 / E5-2420 / 16GB with Untangle 16.5 to protect a 1Gbps fiber link for ~450 residential college students and associated staff and faculty

  3. #3
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Central PA


    So many threads, so little time.

    There is an advanced option to log bypassed sessions, but I have also heard that this port forwarding may not be supported. YMMV.
    log blocked.png

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts

SEO by vBSEO 3.6.0 PL2