Port Forward to two hosts?

[mrclark]

I've got two internal DNS servers (piholes) that I'm using. Lets say they're 192.168.0.5 and 192.168.0.6 I've created firewall rules to only allow DNS queries out to the internet from these two and created a port forward rule to forward to one of the piholes any requests out to port 53.

Firewall rules:
Destination port IS 53
Protocol is UDP, TCP
Source Address is 192.168.0.5
Action: Pass

Created a duplicate of the rule above for 192.168.0.6

Next rule is to block DNS queries from my network from hitting the internet:

Destination Port IS 53
Protocol is UDP, TCP
Destination is Any WAN
Action: Block

Then I have a port forward rule:
Protocol is UDP,TCP
Destination Port 53
Destination Address is NOT 192.168.0.5
Source Address is NOT 192.168.0.5
Source Interface is: (I have two internal interfaces) Internal and WIFI
New Destination 192.168.0.5
New Port 53

The problem is now that I have a single point of failure if 192.168.0.5 goes down. DNS won't work.

Is there any way to port forward round robin style? I don't think there is.

I've tried various combinations on the rules with no luck.

Or is there a better way to do this?

[jcoffin]

- Delete the port forward rule.
- Change the WAN DNS settings to your DNS servers.

[mrclark]

Thanks. I didn't know I could do that for the WAN interface.

That made the rules simpler but it doesn't accomplish what I'm trying to do. I'm trying to stop internal machines from getting out to the internet for DNS queries. For example, I have a LG TV and some of the apps are hard coded to use googles DNS at 8.8.8.8. If I make this change then those apps won't work.

[sky-knight]

The "round robin" is defined by the DHCP servers you pass out to your clients via DHCP.

The port forward rule is irrelevant,and honestly dangerous. You just asked Untangle to grab UDP 53 requests leaving the network and redirect them to an internal server that is going to then make a UDP 53 request to the Internet!

Have you seen what happens when a computer becomes a dog chasing its own tail? Not good!

If you want to enforce pihole use, just make a firewall rule for anything destined to port 53 and set it to block. Then make two pass rules above it for your piholes.

Junk that's hard coded will break, port forwarding is your only recourse, and no you cannot have multiple targets with a port forward.

[mrclark]

Thanks sky-night. Thats what I thought. I'm trying to keep the hard coded devices working but I still want to control their DNS.

I was thinking more about it and if there's only one or two systems doing the hard coded DNS then I could always create a forward rule from their IPs to port 53 to go to one of the piholes. Then if that pihole is down only those one or two systems would be down.

Hmmmmm.......

[sky-knight]

Yep, that'll work! But, the devices in question might just work with Google DNS blocked too.

I have a general 53 block in place here, and my Google devices, FireTV, and Roku devices have all just worked. I do get block events from them in the firewall, but I've noticed no functionality loss.

They are supposed to use the DNS servers passed by the DHCP server darn it! Standards mean stuff!

[mrclark]

I didn't put the port forward rule in but my LGTV. I also see blocks to 8.8.8.8 port 53 over and over but the apps on the LG are still working. I guess I'll leave it for now. Thanks guys for the quick responses.