Ubiquiti EdgeRouter: How to Enforce Different DNS Servers per VLAN


This project explains how to enforce different DNS servers per VLAN on a Ubiquiti EdgeRouter. The technique, known as DNS Intercept, silently remaps queries sent to unauthorized DNS servers so that clients comply with the network DNS policy. Common situations are:

  1. Parents want a family-safe DNS service for the children but less restrictive Internet access for the adults.
    Configuring different DNS servers for each VLAN isn’t enough because a smart kid can override the default DNS settings by hard-coding DNS server IP addresses on their PC, tablet or smartphone.
  2. A business wants to restrict guest WiFi to block inappropriate web content.
  3. Two or more small businesses in a multi-tenant office are served by the same EdgeRouter and each wants a different DNS service.

Configuring DNS servers per VLAN is simple. The challenge is preventing attempts to override the router DNS policies.

The Ubiquiti EdgeRouter DNS Security & Content Filtering – Block Ransomware, Botnets, Phishing and Inappropriate Content project shows how to configure a Destination NAT (DNAT) rule to silently remap rogue DNS queries to your preferred DNS provider. The problem is that the DNAT rule applies to the entire LAN. New DNAT rules are needed to enforce different DNS servers per VLAN.

The different DNS server per VLAN solution is accomplished by implementing Destination NAT (DNAT) rules per the following diagram:

Ubiquiti EdgeRouter – Force Different DNS Server per VLAN DNAT Rules

My complete EdgeRouter network diagram is here.

The network administrator wishes to enforce the following DNS policies:

  1. VLAN100 clients should use Quad9 DNS at 9.9.9.9 (primary) and 149.112.112.112 (alternate).
    Substitute your preferred DNS service provider. Quad9 is used in this example.
  2. All other LAN & VLAN clients should use the EdgeRouter as the DNS server at 10.10.0.1.
    • The EdgeRouter forwards DNS requests to the resolvers defined in the “system name servers” at IP addresses aaa.bbb.ccc.ddd and eee.fff.ggg.hhh. I’m using a paid business-class DNS firewall service therefore the IP addresses are obfuscated.
  3. Enforce the EdgeRouter DNS for all clients not on VLAN100.

Test Network Configuration

To test the DNS DNAT rules, my desktop PC and laptop are on separate LAN/VLANs with hard-coded DNS settings that are different from the EdgeRouter system name servers. The desktop and laptop represent rogue or misconfigured clients that are trying to get around the DNS policies configured by the network administrator.

Create VLAN100 with Quad9 DNS

I created a new VLAN100 – remember to also update your managed switch configuration – and pointed the DHCP clients to Quad9 DNS:

set interfaces ethernet eth1 vif 100 address 10.10.100.1/24
set interfaces ethernet eth1 vif 100 description 'Test VLAN for Quad 9 DNS'
set interfaces ethernet eth1 vif 100 mtu 1500

set service dhcp-server shared-network-name VLAN100_DNS_Test authoritative disable
set service dhcp-server shared-network-name VLAN100_DNS_Test subnet 10.10.100.0/24 default-router 10.10.100.1
set service dhcp-server shared-network-name VLAN100_DNS_Test subnet 10.10.100.0/24 dns-server 9.9.9.9
# The alternate Quad9 server can be specified, but will be overridden by DNAT Rule 100.
# set service dhcp-server shared-network-name VLAN100_DNS_Test subnet 10.10.100.0/24 dns-server 149.112.112.112
set service dhcp-server shared-network-name VLAN100_DNS_Test subnet 10.10.100.0/24 lease 86400
set service dhcp-server shared-network-name VLAN100_DNS_Test subnet 10.10.100.0/24 start 10.10.100.50 stop 10.10.100.99

# Do not forward DNS queries to the EdgeRouter.
# set service dns forwarding listen-on eth1.100

DNS forwarding to the EdgeRouter is not enabled per the commented-out line above because the EdgeRouter isn’t the DNS server for VLAN100.

Remember to “commit” to make the changes effective in the running config and “save” to persist after a router reboot.

DNS DNAT Rules per VLAN

Destination NAT (DNAT) rules are configured per VLAN in priority order, beginning with the most specific match conditions. DNAT rule processing stops when a rule is matched.

The following VLAN100 rule examines inbound traffic on interface eth1.100 to port 53. If the destination address is not Quad9, the address is replaced with 9.9.9.9. The ! is the Not operator: “!9.9.9.9” matches any packet whose destination IP address is anything other than 9.9.9.9, so queries already bound for Quad9 pass through untouched. Rule #100 was chosen to match the VLAN ID:

set service nat rule 100 description 'Policy DNAT: Force VLAN100 DNS Requests to Quad9'
set service nat rule 100 destination address '!9.9.9.9'
set service nat rule 100 destination port 53
set service nat rule 100 inbound-interface eth1.100
set service nat rule 100 inside-address address 9.9.9.9
set service nat rule 100 log enable
set service nat rule 100 protocol tcp_udp
set service nat rule 100 type destination

A DNAT rule limitation is that it only supports a single destination address, therefore the Quad9 secondary IP address at 149.112.112.112 cannot be supported. Most DNS providers use Anycast networks, so the reduction in reliability should be negligible.

All other LAN and VLAN clients should use the EdgeRouter as the DNS server at 10.10.0.1. This rule prevents rogue or misconfigured clients from using an unauthorized DNS server. The range for NAT rule numbers is 1…1024. Rule number 1024 was picked to put it last in the evaluation order, leaving room for additional VLAN IDs/rule numbers:

set service nat rule 1024 description 'Policy DNAT: Force all other LAN DNS Requests to Router'
set service nat rule 1024 destination address '!10.10.0.1'
set service nat rule 1024 destination port 53
set service nat rule 1024 inbound-interface eth1
set service nat rule 1024 inside-address address 10.10.0.1
set service nat rule 1024 log enable
set service nat rule 1024 protocol tcp_udp
set service nat rule 1024 type destination

The EdgeRouter system name servers should be configured for your default DNS provider. These commands are shown for completeness (use your real DNS provider IP addresses here):

set system name-server 52.nnn.zzzz.13
set system name-server 52.ppp.qqq.ttt

Aside: The following NAT masquerade rule should already be in your router configuration to translate LAN private IP addresses to the public WAN IP address:

set service nat rule 5010 description 'masquerade for WAN'
set service nat rule 5010 outbound-interface eth0
set service nat rule 5010 type masquerade

Additional VLANs and DNS Providers

Suppose you want VLAN20 clients on eth1.20 to use OpenDNS. Specify OpenDNS in the dhcp-server statement:

set service dhcp-server shared-network-name VLAN20 subnet 10.10.20.0/24 dns-server 208.67.222.222

Then add the following DNAT rule:

set service nat rule 20 description 'Policy DNAT: Force VLAN20 DNS Requests to OpenDNS'
set service nat rule 20 destination address '!208.67.222.222'
set service nat rule 20 destination port 53
set service nat rule 20 inbound-interface eth1.20
set service nat rule 20 inside-address address 208.67.222.222
set service nat rule 20 log enable
set service nat rule 20 protocol tcp_udp
set service nat rule 20 type destination

Rules 100 and 1024 above follow it in the evaluation order. Remember to “commit” and “save”.
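Before committing a set of these rules it is worth checking them for the mistakes that silently break the policy. The following Python audit script is an added example (mine, not part of the original article or of EdgeOS) that parses the `set` command lines shown above and flags a negated destination address that does not match the inside-address, a DHCP dns-server that disagrees with the DNAT target for that VLAN, and a catch-all rule numbered ahead of a VLAN-specific rule. The sample configuration is a constructed subset of this page’s commands.

```python
import re, ipaddress
# Constructed sample: the VLAN100 interface/DHCP lines and DNAT rules 100 and 1024 from this page.
SAMPLE_CONFIG = """
set interfaces ethernet eth1 vif 100 address 10.10.100.1/24
set service dhcp-server shared-network-name VLAN100_DNS_Test subnet 10.10.100.0/24 dns-server 9.9.9.9
set service nat rule 100 destination address '!9.9.9.9'
set service nat rule 100 destination port 53
set service nat rule 100 inbound-interface eth1.100
set service nat rule 100 inside-address address 9.9.9.9
set service nat rule 1024 destination address '!10.10.0.1'
set service nat rule 1024 destination port 53
set service nat rule 1024 inbound-interface eth1
set service nat rule 1024 inside-address address 10.10.0.1
"""
NAT_RE = re.compile(r"^set service nat rule (\d+) (.+?) ('[^']*'|\S+)$")
VIF_RE = re.compile(r"^set interfaces ethernet (\S+) vif (\d+) address (\S+)$")
DHCP_RE = re.compile(r"^set service dhcp-server .* subnet (\S+) dns-server (\S+)$")

def parse_config(text):
    """Collect DNAT rules, VLAN interface addresses and DHCP dns-server settings."""
    rules, vif_ip, dhcp_dns = {}, {}, {}
    for line in (l.strip() for l in text.splitlines()):
        if m := NAT_RE.match(line):
            rules.setdefault(int(m[1]), {})[m[2]] = m[3].strip("'")
        elif m := VIF_RE.match(line):
            vif_ip[f"{m[1]}.{m[2]}"] = ipaddress.ip_interface(m[3]).ip
        elif m := DHCP_RE.match(line):
            dhcp_dns[ipaddress.ip_network(m[1])] = m[2]
    return rules, vif_ip, dhcp_dns

def audit_dns_dnat(text, catch_all_iface="eth1"):
    """Return a list of policy problems in the port-53 DNAT rules; empty means consistent."""
    rules, vif_ip, dhcp_dns = parse_config(text)
    dns = {n: r for n, r in rules.items() if r.get("destination port") == "53"}
    problems = []
    for n, r in sorted(dns.items()):
        target, iface = r.get("inside-address address"), r.get("inbound-interface")
        if r.get("destination address") != f"!{target}":  # only rewrite traffic NOT already bound for the target
            problems.append(f"rule {n}: destination address should be '!{target}'")
        # The resolver DHCP advertises on this VLAN must be the one the rule enforces.
        ip = vif_ip.get(iface)
        handed_out = next((d for net, d in dhcp_dns.items() if ip is not None and ip in net), None)
        if handed_out and handed_out != target:
            problems.append(f"rule {n}: DHCP hands out {handed_out} but DNAT forces {target}")
    catch_all = [n for n, r in dns.items() if r.get("inbound-interface") == catch_all_iface]
    specific = [n for n, r in dns.items() if r.get("inbound-interface") != catch_all_iface]
    if catch_all and specific and min(catch_all) < max(specific):  # rules are evaluated in number order
        problems.append(f"catch-all rule {min(catch_all)} precedes VLAN rule {max(specific)}")
    return problems
```

Feed it the output of “show configuration commands” to audit a live router; an empty list means the rules are consistent with the DHCP settings.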

Once the DNAT rules are configured, log into the EdgeRouter CLI and run “show nat rules”:

ubnt@ubnt:~$ show nat rules

Type Codes: SRC - source, DST - destination, MASQ - masquerade
X at the front of rule implies rule is excluded

rule type intf translation
---- ---- ---- -----------
100 DST eth1.100 daddr !9.9.9.9 to 9.9.9.9
proto-tcp_udp dport 53

1024 DST eth1 daddr !10.10.0.1 to 10.10.0.1
proto-tcp_udp dport 53

5010 MASQ eth0 saddr ANY to 73.xxx.yyy.82
proto-all sport ANY

DNS DNAT Rule Testing

The DNAT rules are tested and verified by running various monitors and packet captures from the EdgeRouter Command Line Interface (CLI).

nat translations destination monitor

Recall that my desktop and laptop are configured as rogue DNS clients:

  • Desktop PC on LAN1 (eth1) is hard-coded to OpenDNS.
  • Laptop on VLAN100 (eth1.100) is hard-coded to Google DNS.

Verify the DNS DNAT rules are working by running “show nat translations destination monitor”. The monitor shows that the laptop’s VLAN100 queries to Google DNS are forced to Quad9 at 9.9.9.9 and the desktop’s LAN1 queries to OpenDNS are forced to the EdgeRouter at 10.10.0.1, as expected:

ubnt@ubnt:~$ show nat translations destination monitor
Type control-C to quit
Pre-NAT Post-NAT Type Prot Timeout Type
8.8.8.8 9.9.9.9 dnat udp 30 new
8.8.4.4 9.9.9.9 dnat udp 30 new
8.8.4.4 9.9.9.9 dnat udp 29 update
8.8.8.8 9.9.9.9 dnat udp 29 update
...<snipped for brevity>...
8.8.4.4 9.9.9.9 dnat udp 29 update
8.8.4.4 9.9.9.9 dnat udp 29 update
208.67.222.222 10.10.0.1 dnat udp destroy
208.67.222.222 10.10.0.1 dnat udp destroy
208.67.222.222 10.10.0.1 dnat udp destroy
208.67.222.222 10.10.0.1 dnat udp 30 new
208.67.222.222 10.10.0.1 dnat udp 30 update
208.67.222.222 10.10.0.1 dnat udp 30 new
208.67.222.222 10.10.0.1 dnat udp 30 new
...<snipped for brevity>...
8.8.8.8 9.9.9.9 dnat udp 30 new
8.8.8.8 9.9.9.9 dnat udp 30 update
208.67.222.222 10.10.0.1 dnat udp destroy
208.67.222.222 10.10.0.1 dnat udp destroy
208.67.222.222 10.10.0.1 dnat udp destroy

Packet Captures

A packet capture on eth1.100 for VLAN100 indicates that DNAT Rule 100 to force requests to Quad9 isn’t working when browsing to newyorker.com on my laptop. The DNS queries appear to be going to Google DNS at 8.8.8.8 and 8.8.4.4 instead of Quad9:

ubnt@ubnt:~$ show interfaces ethernet eth1.100 capture port 53
Capturing traffic on eth1.100 port 53 ...
17:48:18.136776 IP 10.10.100.50.60953 > 8.8.8.8.53: 22795+ A? media.newyorker.com. (37)
17:48:18.262956 IP 10.10.100.50.60953 > 8.8.4.4.53: 22795+ A? media.newyorker.com. (37)
17:48:18.403822 IP 8.8.8.8.53 > 10.10.100.50.60953: 22795 2/0/0 CNAME condenast.map.fastly.net., A 151.101.56.239 (91)
17:48:18.456518 IP 8.8.4.4.53 > 10.10.100.50.60953: 22795 2/0/0 CNAME condenast.map.fastly.net., A 151.101.56.239 (91)
17:48:18.493500 IP 10.10.100.50.49787 > 8.8.8.8.53: 12404+ A? condenast.map.fastly.net. (42)
17:48:18.507220 IP 8.8.8.8.53 > 10.10.100.50.49787: 12404 1/0/0 A 151.101.204.239 (58)

What’s happening is that the capture on eth1.100 sees packets as they arrive on the interface, before DNAT Rule 100 rewrites the destination address. A capture on the eth0 WAN Internet interface reveals the rules are working fine. The following WAN packet capture is a mix of traffic from my desktop (Rule 1024) and laptop (Rule 100) when browsing to nytimes.com:

  • 73.xxx.yyy.82 is my eth0 WAN Internet IP Address
  • 52.nnn.zzzz.13 is the default DNS provider configured in the EdgeRouter system name servers. This is enforced for the desktop PC on LAN1 (eth1).
  • 9.9.9.9 is Quad9 DNS enforced for the laptop on VLAN100 (eth1.100).

ubnt@ubnt:~$ show interfaces ethernet eth0 capture port 53
Capturing traffic on eth0 port 53 ...
18:04:08.880609 IP 73.xxx.yyy.82.38705 > 52.nnn.zzzz.13.53: 2436+ [1au] A? www.nytimes.com. (65)
18:04:08.881479 IP 73.xxx.yyy.82.54946 > 52.nnn.zzzz.13.53: 48869+ [1au] A? snu.webrootcloudav.com. (72)
18:04:08.903903 IP 52.nnn.zzzz.13.53 > 73.xxx.yyy.82.38705: 2436 2/0/1 CNAME nytimes.map.fastly.net., A 151.101.33.164 (96)
18:04:08.909582 IP 52.nnn.zzzz.13.53 > 73.xxx.yyy.82.54946: 48869 8/0/1 A 52.39.72.45, A 52.40.87.204, A 52.38.165.91, A 52.24.20.229, A 35.166.188.92, A 52.37.113.16, A 35.165.183.37, A 52.38.171.186 (179)
18:04:09.024820 IP 73.xxx.yyy.82.19841 > 52.nnn.zzzz.13.53: 29031+ [1au] AAAA? nytimes.map.fastly.net. (72)
18:04:09.025866 IP 73.xxx.yyy.82.19841 > 52.58.135.183.53: 29031+ [1au] AAAA? nytimes.map.fastly.net. (72)
18:04:09.048292 IP 52.nnn.zzzz.13.53 > 73.xxx.yyy.82.19841: 29031 0/1/1 (112)
18:04:09.061017 IP 73.xxx.yyy.82.50553 > 9.9.9.9.53: 62680+ A? nytimes.com. (29)
18:04:09.093942 IP 9.9.9.9.53 > 73.xxx.yyy.82.50553: 62680 4/0/0 A 151.101.65.164, A 151.101.193.164, A 151.101.1.164, A 151.101.129.164 (93)
18:04:09.148770 IP 73.xxx.yyy.82.47360 > 52.nnn.zzzz.13.53: 27638+ [1au] A? g1.nyt.com. (60)
18:04:09.149409 IP 73.xxx.yyy.82.33294 > 52.nnn.zzzz.13.53: 38115+ [1au] A? typeface.nyt.com. (66)
18:04:09.150335 IP 73.xxx.yyy.82.50406 > 9.9.9.9.53: 17829+ A? nytimes.com. (29)
18:04:09.161311 IP 9.9.9.9.53 > 73.xxx.yyy.82.50406: 17829 4/0/0 A 151.101.65.164, A 151.101.193.164, A 151.101.1.164, A 151.101.129.164 (93)
18:04:09.181050 IP 52.nnn.zzzz.13.53 > 73.xxx.yyy.82.33294: 38115 2/0/1 CNAME nytimes.map.fastly.net., A 151.101.33.164 (97)
18:04:09.181211 IP 52.nnn.zzzz.13.53 > 73.xxx.yyy.82.47360: 27638 2/0/1 CNAME nytimes.map.fastly.net., A 151.101.33.164 (91)
18:04:09.203111 IP 73.xxx.yyy.82.27274 > 52.nnn.zzzz.13.53: 1791+ [1au] A? int.nyt.com. (61)
18:04:09.212102 IP 73.xxx.yyy.82.55755 > 9.9.9.9.53: 54321+ A? www.nytimes.com. (33)
18:04:09.218737 IP 73.xxx.yyy.82.55425 > 9.9.9.9.53: 16399+ AAAA? nytimes.com. (29)
18:04:09.221969 IP 9.9.9.9.53 > 73.xxx.yyy.82.55755: 54321 2/0/0 CNAME nytimes.map.fastl

DNAT rule log records:

ubnt@ubnt:~$ tail -n100 /var/log/messages
...etc...
Mar 17 18:04:11 ubnt kernel: [NAT-100-DNAT] IN=eth1.100 OUT= MAC=dc:..snip!..:3a SRC=10.10.100.50 DST=8.8.4.4 LEN=58 TOS=0x00 PREC=0x00 TTL=128 ID=27690 PROTO=UDP SPT=50248 DPT=53 LEN=38
Mar 17 18:04:11 ubnt kernel: [NAT-1024-DNAT] IN=eth1 OUT= MAC=dc:..snip!..:00 SRC=10.10.0.11 DST=208.67.222.222 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=29736 PROTO=UDP SPT=54075 DPT=53 LEN=76
...etc...
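Because “log enable” is set on both rules, the kernel log carries everything needed to see which clients keep trying to bypass the policy. The Python parser below is an added example (not from the article) that tallies DNAT hits per rule, like “show nat statistics”, and additionally per inbound interface, client and attempted resolver; the sample log lines are constructed in the format shown above.

```python
import re
from collections import Counter

# Constructed sample in the format of the EdgeRouter kernel NAT log shown above
# (addresses are this page's test hosts; the sshd line is noise the parser must ignore).
SAMPLE_LOG = """\
Mar 17 18:04:11 ubnt kernel: [NAT-100-DNAT] IN=eth1.100 OUT= MAC=dc:..snip!..:3a SRC=10.10.100.50 DST=8.8.4.4 LEN=58 TOS=0x00 PREC=0x00 TTL=128 ID=27690 PROTO=UDP SPT=50248 DPT=53 LEN=38
Mar 17 18:04:11 ubnt kernel: [NAT-1024-DNAT] IN=eth1 OUT= MAC=dc:..snip!..:00 SRC=10.10.0.11 DST=208.67.222.222 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=29736 PROTO=UDP SPT=54075 DPT=53 LEN=76
Mar 17 18:04:12 ubnt kernel: [NAT-100-DNAT] IN=eth1.100 OUT= MAC=dc:..snip!..:3a SRC=10.10.100.50 DST=8.8.8.8 LEN=58 TOS=0x00 PREC=0x00 TTL=128 ID=27691 PROTO=UDP SPT=50249 DPT=53 LEN=38
Mar 17 18:04:13 ubnt sshd[1234]: Accepted publickey for ubnt from 10.10.0.11 port 52000 ssh2
"""

LOG_RE = re.compile(
    r"\[NAT-(?P<rule>\d+)-DNAT\] IN=(?P<iface>\S+) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r".*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dport>\d+)"
)

def parse_dnat_log(text):
    """Yield one dict per [NAT-<rule>-DNAT] record; other lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m.groupdict()

def rogue_dns_report(text):
    """Count redirected DNS queries per rule (like 'show nat statistics') and per
    (inbound interface, client, resolver it tried to reach) so repeat offenders stand out."""
    per_rule, per_client = Counter(), Counter()
    for rec in parse_dnat_log(text):
        if rec["dport"] != "53":        # a DNAT rule on another port is not a DNS bypass
            continue
        per_rule[int(rec["rule"])] += 1
        per_client[(rec["iface"], rec["src"], rec["dst"])] += 1
    return dict(per_rule), dict(per_client)

if __name__ == "__main__":
    rules, clients = rogue_dns_report(SAMPLE_LOG)
    for (iface, src, dst), n in sorted(clients.items(), key=lambda kv: -kv[1]):
        print(f"{iface:9} {src:15} tried {dst:15} {n} time(s)")
```

Pipe “tail -n100 /var/log/messages” (or the whole file) into rogue_dns_report to see which hosts to fix rather than just how often the rules fired.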

The DNAT rules have fired 290 and 420 times:

ubnt@ubnt:~$ show nat statistics
rule  count   type  IN        OUT       description
----  ------  ----  --------  --------  -----------
100   290     DST   eth1.100  -         Policy DNAT: Force VLAN100 DNS Requests to Quad9
1024  420     DST   eth1      -         Policy DNAT: Force all other LAN DNS Requests to Router
5010  5573    MASQ  -         eth0      masquerade for WAN

IPTABLES Alternative Approach

I tried using Netfilter iptables to force DNS requests per VLAN:

sudo iptables -t nat -A PREROUTING -p tcp -i eth1.100 -s 10.10.100.0/24 --dport 53 -j DNAT --to-destination 9.9.9.9:53
sudo iptables -t nat -A PREROUTING -p udp -i eth1.100 -s 10.10.100.0/24 --dport 53 -j DNAT --to-destination 9.9.9.9:53

But this causes problems:

  • It’s not compatible with dnsmasq.
    dnsmasq has to be disabled for the rule to work.
  • iptables commands are not displayed in the router configuration (“show configuration” or “show configuration commands”), so they are hidden unless you dig deeper.
  • iptables commands have to be scripted to survive router reboots.
  • It’s tricky to get the commands in the correct precedence order and tends to interfere with internal EdgeRouter NAT rules.

DNAT rules are the preferred approach because they interact well with the router, are part of the router configuration command set and survive reboots.

Thanks,

Bob

Copyright © 2018 HandymanHowTo.com   Reproduction strictly prohibited.
