Carbonite
Unifi DNS redirection

mikewazar

ENDGAME.CO.ZA
Reseller
VIP Supporter
Rating - 100%
216   0   1
Joined
Nov 26, 2012
Messages
3,962
Reaction score
2,352
Points
10,385
Age
25
Location
Cape Town
DNS is a messy thing and I've found multiple clients on my network with hardcoded DNS which makes DNS level adblocking, malware blocking and content unlocking very difficult. Samsung TVs and Android phones are among the worst offenders I have seen. I run two PiHole instances which I use for all my networked devices, and this is a guide to redirect these hardcoded DNS requests to my servers instead. This happens completely transparently to the client retaining any and all DNS-based functions without the crap.

I am using USG with a hosted Unifi controller on the same machine that runs my DNS server, running Debian 10:

Code:
cd /usr/lib/unifi/data/sites/[your controller site ID]
nano config.gateway.json

Code:
{
    "service": {
        "nat": {
            "rule": {
                "1": {
                    "description": "Redirect DNS requests",
                    "destination": {
                        "port": "53"
                    },
                    "inbound-interface": "eth1",
                    "inside-address": {
                        "address": "197.81.132.171",
                        "port": "53"
                    },
                    "source": {
                        "address": "!197.81.132.171"
                    },
                    "log": "disable",
                    "protocol": "tcp_udp",
                    "type": "destination"
                },
                "6000": {
                    "description": "MASQ DNS requests to LAN",
                    "destination": {
                        "address": "197.81.132.171",
                        "port": "53"
                    },
                    "log": "disable",
                    "outbound-interface": "eth1",
                    "protocol": "tcp_udp",
                    "type": "masquerade"
                }
            }
        }
    }
}

Code:
chown unifi:unifi config.gateway.json

Then force provision your USG via the controller.

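An added sanity check for the config.gateway.json shown above (my own code, not part of the post or of Ubiquiti's tooling). It loads a constructed copy of the two rules and reports anything that would make the redirect incomplete: a DNAT rule that only covers one protocol, a missing inbound interface, a missing source exclusion for the resolver itself (which would loop the resolver's own upstream queries back to it), a missing masquerade rule for the resolver (without it a resolver on the LAN side answers clients directly and the reply never passes back through the USG to be un-DNATed), and rule numbers outside the EdgeOS convention of 1-4999 for destination NAT and 5000+ for source/masquerade. The weakened variant is constructed purely to show the findings it produces.

```python
import json
from typing import Dict, List

# Constructed sample mirroring the rules in the post (same shape, same addresses).
SAMPLE_CONFIG = json.loads("""
{"service": {"nat": {"rule": {
  "1": {"description": "Redirect DNS requests",
        "destination": {"port": "53"},
        "inbound-interface": "eth1",
        "inside-address": {"address": "197.81.132.171", "port": "53"},
        "source": {"address": "!197.81.132.171"},
        "log": "disable", "protocol": "tcp_udp", "type": "destination"},
  "6000": {"description": "MASQ DNS requests to LAN",
        "destination": {"address": "197.81.132.171", "port": "53"},
        "log": "disable", "outbound-interface": "eth1",
        "protocol": "tcp_udp", "type": "masquerade"}
}}}}
""")


def check_dns_redirect(config: Dict) -> List[str]:
    """Return a list of findings; an empty list means the redirect rules look complete."""
    findings: List[str] = []
    rules = config.get("service", {}).get("nat", {}).get("rule", {})

    # EdgeOS numbering convention: DNAT rules 1-4999, SNAT/masquerade 5000 and up.
    for num, r in rules.items():
        n = int(num)
        if (r.get("type") == "destination" and n >= 5000) or \
           (r.get("type") == "masquerade" and n < 5000):
            findings.append(f"rule {num}: number out of range for type {r.get('type')!r}")

    dnat = [(num, r) for num, r in rules.items()
            if r.get("type") == "destination"
            and r.get("destination", {}).get("port") == "53"]
    if not dnat:
        return findings + ["no destination NAT rule for port 53: hard-coded DNS is not intercepted"]

    for num, r in dnat:
        proto = r.get("protocol")
        if proto != "tcp_udp":
            findings.append(f"rule {num}: protocol is {proto!r}; use tcp_udp so TCP "
                            "fallback and large answers are redirected as well")
        if "inbound-interface" not in r:
            findings.append(f"rule {num}: no inbound-interface; the rule would match on every interface")
        inside = r.get("inside-address", {})
        target = inside.get("address")
        if not target or inside.get("port") != "53":
            findings.append(f"rule {num}: inside-address must name the resolver and port 53")
            continue
        if r.get("source", {}).get("address", "") != "!" + target:
            findings.append(f"rule {num}: source should exclude the resolver (\"!{target}\") "
                            "so its own upstream queries are not looped back to it")
        masq = [m for m in rules.values()
                if m.get("type") == "masquerade"
                and m.get("destination", {}).get("address") == target
                and m.get("destination", {}).get("port") == "53"]
        if not masq:
            findings.append(f"rule {num}: no masquerade rule for {target}:53; a resolver on the "
                            "LAN side would reply to clients directly, bypassing the DNAT reversal")
        elif masq[0].get("protocol") != "tcp_udp":
            findings.append(f"masquerade for {target}:53 should also use protocol tcp_udp")
    return findings


def weakened(config: Dict) -> Dict:
    """Constructed variant with three defects: UDP only, no source exclusion, no masquerade."""
    bad = json.loads(json.dumps(config))
    bad["service"]["nat"]["rule"]["1"]["protocol"] = "udp"
    del bad["service"]["nat"]["rule"]["1"]["source"]
    del bad["service"]["nat"]["rule"]["6000"]
    return bad


if __name__ == "__main__":
    # Point this at the real file on the controller host to check your own rules.
    for label, cfg in (("sample", SAMPLE_CONFIG), ("weakened", weakened(SAMPLE_CONFIG))):
        print(label, check_dns_redirect(cfg) or "OK")
```

Run it against the real file with `check_dns_redirect(json.load(open("config.gateway.json")))` after editing, before force-provisioning; a typo that breaks the JSON is caught by `json.load` and a rule that only half redirects is caught by the findings.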
On your USG, if you reboot it does the JSON file need to be redone? Could you not set something like:

If DNS does not = X, then use X ? Probably can be done in the gui, but I'm not sure. Why 2x Pi's? Is one on a logically separate network?
 
It's persistent and I don't know if it can be done via GUI. I run two, one hosted at IS JHB and the other in the UK. Another use case I set up for a client was one hosted on a separate VLAN, if you need some sort of isolation.
 
To the idiot that launched attacks against my servers please expect a call from your ISP. I've sent through a very detailed response report including your home IP because you were dumb enough to constantly F5 spam to check if it went down. News to you, it didn't and I captured your details.
 
Naturally you'll want to measure your DNS performance to prevent slow resolution, and since Namebench will be unable to contact other DNS providers if you're transparently intercepting and redirecting them to Pi-Hole I recommend not bothering with it. All the graphs will look identical. To have a quick check if you're ever in doubt of whether your DNS is slow or your ISP is just trash, and you're running Windows:

Code:
powershell "Measure-Command { nslookup <example.com> }"

Code:
PS C:\Users\mikewazar> powershell "Measure-Command { nslookup shop.wazar.co.za }"
Non-authoritative answer:


Days : 0
Hours : 0
Minutes : 0
Seconds : 0
Milliseconds : 38
Ticks : 389820
TotalDays : 4.51180555555556E-07
TotalHours : 1.08283333333333E-05
TotalMinutes : 0.0006497
TotalSeconds : 0.038982
TotalMilliseconds : 38.982

This is the measure of the total time taken to resolve a domain, which is more useful than pinging the DNS server since DNS packets are not treated the same as ICMP, and thus better reflects the performance you'll experience in real-world use.

If your time taken is high, please run a traceroute to the DNS server to identify the route and bad hop, and from there you can A/B test to check whether the DNS server is just slow, or whether your ISP hired a new network intern that broke routing to Teraco JHB (again).

I hope this helps anyone out there trying to optimise their internet experience and doesn't mind some tinkering to get it perfect.
 
A small detail I noticed, when PiHole is set with multiple upstream resolvers, it favours the one with the lowest latency. Testing this on my home network I found:

[screenshot]
This is interesting because it means while I have the redundancy of multiple upstreams I also benefit from the quickest resolver. I plan to now install unbound and run my own resolver (unbound) which queries the root name servers directly, further removing chances of downtime due to DNS.

The public servers I currently run for DNS are:

ZA - dns1.wazar.org - 197.81.132.171
UK - dns2.wazar.org - 103.219.22.53

To prevent abuse, I have locked down the resolvers to only respond to networks within ZA. If you'd like to use the resolvers on networks outside of ZA, please PM me the IP range and I will whitelist them.
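An added example (my own code, not from the thread) that does what the Measure-Command post above does, plus the comparison the Pi-hole observation relies on: it builds a raw DNS A query, times one UDP round trip to each resolver, parses the answer, and ranks the resolvers fastest first, which is the same lowest-latency preference Pi-hole applies to its upstreams. It depends only on the Python standard library. The resolver addresses in the `__main__` block are the two named in the thread; the `constructed_response` function is a hand-built wire response for example.com used only for offline testing, not a live capture.

```python
import random
import socket
import struct
import time
from typing import List, Optional, Tuple


def build_query(name: str, qid: Optional[int] = None) -> Tuple[int, bytes]:
    """Build a minimal DNS A/IN query with recursion desired; returns (id, packet)."""
    qid = random.randrange(1 << 16) if qid is None else qid
    header = struct.pack("!6H", qid, 0x0100, 1, 0, 0, 0)  # flags: RD only, 1 question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return qid, header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(data: bytes, off: int) -> int:
    """Advance past a domain name, handling RFC 1035 compression pointers."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # pointer: two bytes, and it ends the name
            return off + 2
        off += 1 + length


def parse_response(data: bytes, expected_id: int) -> Tuple[int, List[str]]:
    """Return (rcode, IPv4 answers). Replies with the wrong transaction ID are rejected."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!6H", data[:12])
    if qid != expected_id:
        raise ValueError("transaction ID mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4  # skip QTYPE and QCLASS
    ips: List[str] = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in data[off:off + 4]))
        off += rdlen
    return rcode, ips


def time_query(server: str, name: str, timeout: float = 2.0) -> Optional[Tuple[float, int, List[str]]]:
    """One UDP query to server:53; returns (milliseconds, rcode, ips) or None on timeout."""
    qid, packet = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.perf_counter()
        sock.sendto(packet, (server, 53))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return None
        elapsed_ms = (time.perf_counter() - start) * 1000
    rcode, ips = parse_response(data, qid)
    return elapsed_ms, rcode, ips


def rank_resolvers(servers: List[str], name: str) -> List[Tuple[str, Optional[float]]]:
    """Probe each resolver once and sort fastest first, with timeouts last."""
    results = [(s, (r[0] if (r := time_query(s, name)) else None)) for s in servers]
    return sorted(results, key=lambda x: (x[1] is None, x[1] or 0.0))


def constructed_response(qid: int) -> bytes:
    """Constructed wire response for example.com/A (offline test data, not a capture)."""
    header = struct.pack("!6H", qid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA; rcode 0; one answer
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34])
    return header + question + answer


if __name__ == "__main__":
    # The two resolvers named in the thread; substitute your own Pi-hole addresses.
    for server, ms in rank_resolvers(["197.81.132.171", "65.21.93.169"], "example.com"):
        print(f"{server:16} {'timeout' if ms is None else f'{ms:.1f} ms'}")
```

The per-query time here is the wire round trip only, so it sits below the Measure-Command figure, which also includes nslookup's process start-up. Run from a segment behind the USG rule, every server in the list will report near-identical timings and answers, because the USG is redirecting all of them to the same Pi-hole; that is the effect the Namebench remark above describes, and it doubles as a quick check that the redirect is actually in force. Run from outside the redirected segment to compare the resolvers themselves.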
 
Been secretly using this for a while and it works fantastic!
Don't want to start a new thread so I'll hijack this, if you're using mobile data on an Huawei router and want to stop wasting data on ads.
Add a new profile, the default APN is normally "internet".
The DNS server fields are hidden on the form,
Right click => Inspect (Ctrl + Shift + I) => Find (Ctrl + F) => "DNS"


2k88dfE.gif
 
dns1.wazar.org going down for maintenance from 8pm tonight to resolve issues with the firewall.
 
Planned IP change:

dns2.wazar.org will change from 103.219.22.53 to 65.21.93.169 in November
 
65.21.93.169 is now up and running, and will eventually replace 103.219.22.53 in November, if you're using it, I would suggest updating your IPs now.
 
Bumping this
 
103.219.22.53 will cease end of month
 