Smart devices like Chromecasts and TVs often use hardcoded DNS servers that bypass your custom DNS filters like Pi-hole or Blocky. In this guide, you’ll learn how to configure VyOS NAT rules to intercept and redirect all DNS requests to your preferred DNS server — even if the client tries to bypass it.
I use Blocky as my DNS server on my home network, but this should work with Pi-hole and any other DNS server as well.
In order to disable this, I set up a few NAT rules on my VyOS router to redirect any DNS queries to unknown DNS servers to my Blocky server.
Step 1: Define Allowed DNS Servers
Start by creating an address group containing the allowed DNS servers. This ensures that legitimate DNS queries are not redirected.
mhamzahkhan@homelab-gw:~$ configure
[edit]
set firewall group address-group dns-servers address '10.254.95.3'
set firewall group address-group dns-servers address '10.254.95.4'
Step 2: Redirect Unapproved DNS Requests with NAT
Next, set up a destination NAT rule that redirects DNS queries whose destination is not one of the allowed DNS servers to the Blocky DNS server.
mhamzahkhan@homelab-gw:~$ configure
[edit]
set nat destination rule 5010 description 'Captive DNS'
set nat destination rule 5010 destination group address-group '!dns-servers'
set nat destination rule 5010 destination port '53'
set nat destination rule 5010 inbound-interface name 'bond1.90'
set nat destination rule 5010 protocol 'tcp_udp'
set nat destination rule 5010 translation address '10.254.95.4'
set nat destination rule 5010 translation port '53'
In this example, bond1.90 is my internal home network and 10.254.95.4 is my Blocky DNS server.
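To reason about what rule 5010 will and will not catch before committing it, here is a small Python model of its match logic, written for this guide (it is an added example, not the post's or VyOS's own code). The group members, interface and translation address come from the steps above; the client flows, the public resolver 8.8.8.8 and the interface bond1.10 are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address

# Address group 'dns-servers' from step 1: queries to these are left untouched.
DNS_SERVERS = {ip_address("10.254.95.3"), ip_address("10.254.95.4")}
# Rule 5010 parameters from step 2.
INBOUND_IFACE = "bond1.90"
TRANSLATION = ("10.254.95.4", 53)


@dataclass(frozen=True)
class Flow:
    iface: str   # interface the packet arrived on
    proto: str   # 'tcp' or 'udp'
    dst: str     # destination address
    dport: int   # destination port


def apply_captive_dns(flow: Flow) -> tuple[str, int]:
    """Return the (address, port) the flow is delivered to after rule 5010.

    Matches inbound-interface bond1.90, protocol tcp_udp, destination port 53
    and a destination NOT in 'dns-servers' (the '!dns-servers' negation);
    anything else is returned unchanged.
    """
    matches = (
        flow.iface == INBOUND_IFACE
        and flow.proto in ("tcp", "udp")
        and flow.dport == 53
        and ip_address(flow.dst) not in DNS_SERVERS
    )
    return TRANSLATION if matches else (flow.dst, flow.dport)


if __name__ == "__main__":
    # Constructed sample flows from a client on the home network.
    cases = [
        Flow("bond1.90", "udp", "8.8.8.8", 53),      # hardcoded public DNS: redirected
        Flow("bond1.90", "tcp", "10.254.95.3", 53),  # allowed server: untouched
        Flow("bond1.90", "tcp", "8.8.8.8", 853),     # DNS over TLS is not port 53: not caught
        Flow("bond1.10", "udp", "8.8.8.8", 53),      # other interface: untouched
    ]
    for f in cases:
        print(f, "->", apply_captive_dns(f))
```

The third case is the practical limit of this rule: it only covers plain DNS on port 53, so clients using DNS over TLS or HTTPS reach their hardcoded resolver regardless.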