DNS Redirector


FAQ 34: Prevent the use of other DNS servers

Category: Initial setup | Updated: 02/02/2013 10:57 AM


Create a rule on the firewall/router that sits between your LAN and the Internet which prevents every host except the DNS Redirector server from communicating outbound on TCP/UDP port 53 and TCP/UDP port 5353.

This stops a user who has deliberately changed their DNS server setting from bypassing your blocked list or getting out onto the Internet at all: their queries to any outside resolver are dropped, while the DNS Redirector server (the only host the rule lets through) can still reach its upstream forwarders. Be aware that this rule covers only classic DNS on ports 53 and 5353; a client that resolves names over DNS over TLS (TCP 853) or DNS over HTTPS (TCP 443) is not caught by it and needs separate handling if your clients support those protocols.

In a hotspot environment, realize this rule may result in the occasional call to your support/helpdesk from a user who has hard-coded a DNS server (the solution is always to have the user set their network adapter to "obtain automatically" for both IP address and DNS server). With the rule in place, every user is guaranteed to see your welcome site.

Resolution

On a Cisco PIX or ASA firewall the relevant configuration lines are...
(in this example ListenOnIP=192.168.0.2 in dnsredir.ini)
access-list inside_access_in permit tcp host 192.168.0.2 any eq domain
access-list inside_access_in permit udp host 192.168.0.2 any eq domain
access-list inside_access_in deny tcp any any eq domain
access-list inside_access_in deny udp any any eq domain
access-list inside_access_in deny tcp any any eq 5353
access-list inside_access_in deny udp any any eq 5353
access-list inside_access_in permit ip any any
access-group inside_access_in in interface inside
dhcpd dns 192.168.0.2
write mem
Note: an access list applied with access-group ends in an implicit deny of everything, so the final "permit ip any any" line (added here) is what keeps the rest of your outbound traffic flowing; without it, applying this ACL to the inside interface blocks all traffic except the redirector's DNS. Entries are evaluated top-down and the first match wins, so the two permit lines for 192.168.0.2 must stay above the deny lines. If inside_access_in already exists on your firewall, new entries are appended after the existing ones; in that case insert these lines ahead of any existing "permit ip any any" (for example with "access-list inside_access_in line 1 ...") or they will never be reached.

On the ZyXEL ZyWALL USG series of firewalls go to...
(in this example ListenOnIP=192.168.3.2 in dnsredir.ini, which has been given the address object name "lan1_dnsredir" under Object > Address)
Gears > Firewall
See screenshot of this ZyWALL USG config

On the Netgear FVS series of firewalls go to...
(in this example ListenOnIP=192.168.2.2 in dnsredir.ini)
Security > Firewall > LAN WAN rules (or DMZ WAN rules, depending on which interface you're using)
See screenshot of the Netgear best method (blocking everything except the DNS Redirector server)
See screenshot of the Netgear alternate method (blocking just the range of IPs in the DHCP pool). The alternate method is weaker: a user who sets a static IP address outside the DHCP pool as well as their own DNS server is not covered by it, so prefer the best method where the device allows it.

On a Linksys or other router running the alternative Tomato firmware, go to...
(in this example ListenOnIP=192.168.1.2 in dnsredir.ini)
Access Restriction > Add
Enabled: Check
Description: NoOtherDNS
Schedule: Check All Day, Check Everyday
Type: Normal Restriction
Applies To: All Except, 192.168.1.2
Blocked Resources: Uncheck Block All Internet Access
Add Rule: TCP/UDP, Dst Port, 53
IPP2P (disabled), Layer 7 (disabled)
OK
Add Rule: TCP/UDP, Dst Port, 5353
IPP2P (disabled), Layer 7 (disabled)
OK
Save
See screenshot of this Tomato config
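Whichever device you configured above, verify the rule from an ordinary LAN client before relying on it. The script below is an added example written for this FAQ, not part of DNS Redirector; it sends a minimal DNS A query over UDP and over TCP to the redirector and to two public resolvers and reports which of them answer. The addresses (192.168.0.2 as ListenOnIP, 8.8.8.8 and 1.1.1.1 as outside resolvers) and the query name example.com are assumptions; change them to match your network.

```python
"""Check from a LAN client that only the DNS Redirector can reach port 53.

Added example for this FAQ (not DNS Redirector code). It sends a minimal
DNS A query to each resolver over UDP and over TCP and reports which ones
answer. With the firewall rule in place only the redirector should answer.
"""
import secrets
import socket
import struct

# Assumed addresses: the redirector's ListenOnIP from the Cisco example
# above, two public resolvers that should now be unreachable, and a
# harmless query name. Adjust to your own network.
REDIRECTOR = "192.168.0.2"
OUTSIDE_RESOLVERS = ["8.8.8.8", "1.1.1.1"]
QNAME = "example.com"
DNS_PORT = 53


def build_query(qname, txid):
    """Build a DNS query for an A record in RFC 1035 wire format.

    Header: transaction id, flags 0x0100 (recursion desired), 1 question.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = qname.strip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    question += b"\x00" + struct.pack("!HH", 1, 1)  # root label, QTYPE=A, QCLASS=IN
    return header + question


def parse_response(data, expected_txid):
    """Return (is_reply_to_our_query, rcode) for a raw DNS message."""
    if len(data) < 12:
        return False, None
    txid, flags = struct.unpack("!HH", data[:4])
    is_response = bool(flags & 0x8000)  # QR bit set means this is an answer
    return txid == expected_txid and is_response, flags & 0x000F


def udp_query(server, payload, timeout=2.0):
    """Send payload to server:53 over UDP; None if nothing comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(payload, (server, DNS_PORT))
            return s.recvfrom(4096)[0]
        except OSError:  # timeout (silent drop) or ICMP unreachable (reject)
            return None


def _recv_exact(sock, n):
    """Read exactly n bytes from a TCP socket, or raise OSError on early EOF."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("connection closed early")
        buf += chunk
    return buf


def tcp_query(server, payload, timeout=2.0):
    """Same query over TCP/53 with the RFC 1035 two-byte length prefix."""
    try:
        with socket.create_connection((server, DNS_PORT), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(payload)) + payload)
            (length,) = struct.unpack("!H", _recv_exact(s, 2))
            return _recv_exact(s, length)
    except OSError:  # connect timeout, RST from a reject rule, or truncated reply
        return None


def probe(server, sender=udp_query):
    """Classify one resolver as "answered", "blocked" or "bad-reply"."""
    txid = secrets.randbelow(65536)
    data = sender(server, build_query(QNAME, txid))
    if data is None:
        return "blocked"
    ok, _rcode = parse_response(data, txid)
    return "answered" if ok else "bad-reply"


def check_rule(redirector=REDIRECTOR, outside=OUTSIDE_RESOLVERS, sender=udp_query):
    """Probe every resolver; the rule holds when only the redirector answers."""
    results = {s: probe(s, sender) for s in [redirector, *outside]}
    holds = results[redirector] == "answered" and all(
        results[s] == "blocked" for s in outside)
    return results, holds


if __name__ == "__main__":
    for proto, sender in (("udp", udp_query), ("tcp", tcp_query)):
        results, holds = check_rule(sender=sender)
        for server, state in results.items():
            print(f"{proto}  {server:>15}  {state}")
        print(f"{proto}: rule {'enforced' if holds else 'NOT enforced'}")
```

Run it from a client, not from the DNS Redirector host (the redirector is the one host the rule lets through, so it will always see "answered"). "blocked" is reported both when the firewall silently drops the packet (timeout) and when it rejects it with an ICMP unreachable or TCP reset, since either way the client gets no answer. If an outside resolver shows "answered", the rule is not in effect on the path that client's traffic takes, for example a DMZ or guest interface the rule was never applied to.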



Related articles
FAQ 115  Block sites from being accessed by IP address

DNS Redirector | Legal Information | 2003-2017