On Wed, Jan 12, 2022 at 07:19:07PM -0500, Brian J. Murrell wrote:
> Looks like Google has upped the ante with Chromecasts and it's no
> longer sufficient to just block external DNS queries and expect the
> Chromecast devices to fall back to the DHCP-supplied local DNS
> resolvers.
> 
> Looks like we are going to have to up the game to redirecting DNS
> requests to the internal server and forging the responses as being from
> the external server the queries were directed at.
> 
> So I have added a rules entry:
> 
> DNS/DNAT loc:!10.75.22.247 $INT_DNS
> 
> where 10.75.22.247 is the internal DNS server.
> 
> That seems to result in local queries that were going to say, 8.8.8.8
> being redirected to the internal server.  But the problem is that the
> replies are coming back from the internal server's address and being
> rejected by the originator.  The replies need to forge the request
> destination address.

You need to make sure the reply is coming by way of the shorewall system,
which can then apply SNAT rules.
https://shorewall.org/FAQ.htm#faq1f

-- 
Justin


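The hairpin-NAT configuration the FAQ entry describes, written out here as an added example; it is not from the original thread or from the Shorewall project. It assumes the LAN interface is eth1, the LAN is 10.75.22.0/24, the internal resolver is 10.75.22.247 (held in $INT_DNS as in the quoted rule), and Shorewall 5 file names (/etc/shorewall/rules and /etc/shorewall/snat).

```shorewall
# /etc/shorewall/params  (assumed name; the quoted rule already uses $INT_DNS)
INT_DNS=10.75.22.247

# /etc/shorewall/rules
# Redirect DNS from every LAN host except the resolver itself to the resolver.
# Excluding $INT_DNS as a source keeps the resolver's own upstream queries
# from being looped back to it. Conntrack records the original destination
# (8.8.8.8 and friends) so it can be restored on the reply.
#ACTION        SOURCE            DEST
DNS(DNAT)      loc:!$INT_DNS     loc:$INT_DNS

# /etc/shorewall/snat
# Without this entry the resolver answers the client directly across the LAN:
# the reply carries source 10.75.22.247, never traverses the firewall, is
# never un-DNATed, and the client discards it. Masquerading the redirected
# queries as the firewall's own eth1 address forces the answers back through
# the firewall, where conntrack reverses both translations and the client sees
# the answer arrive from the address it queried.
#ACTION        SOURCE            DEST
MASQUERADE     10.75.22.0/24     eth1:$INT_DNS
```

Restricting the snat DEST to eth1:$INT_DNS limits the masquerade to the redirected queries rather than all LAN-to-LAN traffic the firewall happens to route. Run `shorewall check` before `shorewall restart`; from a client, `dig @8.8.8.8 example.com` should now return an answer whose SERVER line still reads 8.8.8.8. One side effect to keep in mind: the resolver's logs will show every redirected query as coming from the firewall's LAN address, not from the individual client.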
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users