Prevent Circumvention of DNS

kc0mmy
Posts: 9
Joined: Tue Dec 22, 2015 1:13 am

Prevent Circumvention of DNS

Post by kc0mmy » Wed Dec 23, 2015 4:06 pm

Greetings,

This should be a fairly simple thing to do but I want to know if someone else has tried it and if they've been successful at getting it to work.

I use OpenDNS and DO NOT want people on the network to be able to change their DNS settings to bypass my OpenDNS settings. If they DO change it, I want the firewall to block the request. So, for instance, if they change their DNS settings to Google's DNS servers, I want the firewall to block the DNS request.

I would imagine all I have to do is create custom rules but my fear is that the rule banning all other requests would override the rule allowing OpenDNS requests.

-Andre

hany
Posts: 481
Joined: Wed Dec 10, 2014 5:20 pm

Re: Prevent Circumvention of DNS

Post by hany » Sun Dec 27, 2015 12:17 pm

I would imagine all I have to do is create custom rules but my fear is that the rule banning all other requests would override the rule allowing OpenDNS requests.
Just put the rule allowing OpenDNS requests AFTER the rule blocking ALL DNS requests :)
Remember: the last matching rule is the one that wins.
So, ideally, you have two custom rules:

1) block out from any to any port 53 (this rule blocks ALL outbound dns queries)
2) pass out from any to OpenDNS port 53 (this rule overrides the previous one, allowing only queries to OpenDNS ip)

You can put the "quick" option on the second rule to be more explicit, but it's not necessary. However, you must avoid using the "quick" option on the first rule, or your DNS connections will be totally blocked.
I hope it helped, let me know if it worked!
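As an added example that is not part of hany's post or of Murus itself, the two rules above written out as a pf.conf fragment. Murus is a front end for the macOS pf packet filter, so the same last-match-wins and "quick" semantics apply. The interface name `en0`, the table name `opendns` and the macro `ext_if` are assumptions; the two resolver addresses are OpenDNS's published ones and should be checked against OpenDNS's current documentation before use.

```pf
# Added example: pf.conf fragment implementing the two custom rules from the thread.
# Assumes clients reach the Internet through this host on en0 (assumption).
ext_if = "en0"

# OpenDNS resolver addresses (verify against OpenDNS's current documentation).
table <opendns> const { 208.67.222.222, 208.67.220.220 }

# 1) Catch-all: block every outbound DNS query, over UDP and TCP.
#    Deliberately NO "quick" here: a later matching rule must be able to
#    override this one, because pf applies the LAST matching rule.
#    "log" sends blocked attempts to pflog0, so bypass attempts are visible
#    with: sudo tcpdump -n -e -ttt -i pflog0 port 53
block out log on $ext_if proto { udp, tcp } from any to any port 53

# 2) Override: allow DNS only to the OpenDNS resolvers.
#    "quick" is optional on this rule; it merely stops evaluation once the
#    packet matches. Putting "quick" on rule 1 instead would end evaluation
#    there and this rule would never be reached, blocking all DNS.
pass out quick on $ext_if proto { udp, tcp } from any to <opendns> port 53 keep state
```

Before loading, check the syntax with `sudo pfctl -nf /etc/pf.conf` (parse only, nothing is applied); `sudo pfctl -f /etc/pf.conf` loads it. If the rules are entered through Murus's custom-rule editor instead, the only thing that matters is that rule 2 sits below rule 1 in the evaluation order. Note that this only governs classic DNS on port 53; it says nothing about a client that switches to a resolver on a different port or protocol, which is out of scope for the thread.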

kc0mmy
Posts: 9
Joined: Tue Dec 22, 2015 1:13 am

Re: Prevent Circumvention of DNS

Post by kc0mmy » Sun Dec 27, 2015 10:43 pm

Gotcha! I guess I just keep second-guessing myself. This makes sense. Not sure if it works yet. I'm going to enable NAT tonight to see if everything works as it should. I've been reading the NAT troubleshooting thread. :)

Thanks again for your help!

-Andre
