Posts tagged #NAT

Firewall redirect DNS traffic to internal DNS servers

With the arrival of IoT (Internet of Things) we are introducing unknown hardware and software to our networks. Many devices obey the rules we impose on them (custom IP addresses, limited Internet access, specific DNS servers, etc.). But there are also devices that use DNS with hardcoded DNS server addresses. Simply blocking those IP addresses may result in sketchy behavior.

I place all of those devices in a separate VLAN where they have limited connectivity, and where I block outgoing DNS-over-HTTPS (DoH), DNS-over-TLS (DoT) and plain DNS access to the Internet. Everything is supposed to use my internal DNS services. For the devices that have DNS servers hardcoded, I created some special NAT and firewall rules that redirect their DNS traffic to my internal DNS services.

Posted on March 28, 2025 and filed under Domotica, Opnsense, Security, Tips'n Tricks.

AVM Fritzbox and the 'Exposed Host' Setting

The Fritzbox 7340 is the only VDSL modem/router that is really available in the Netherlands. Too bad, since it has some bugs (but what piece of software hasn't???). Fortunately, the router works well, just as long as you use it as the only networking device in your (small) network.

In the last couple of days I've been busy adding the Juniper SRX100 branch firewall to my local home network. The idea was the following:

  • The Fritzbox (FB) will remain the Internet router
  • My web/mail/ssh server is placed behind the SRX100
  • All the individual port-forward rules in the Fritzbox are directed to the SRX100 by enabling the 'Exposed Host' setting in the FB.

Posted on March 11, 2011 and filed under Annoying, Hardware, Internet, Security, Tips'n Tricks.