zimbola
Frequent Visitor
Topic Author
Posts: 56
Joined: Mon Feb 16, 2015 5:02 pm

Restrict users to use specific DNS Address.

Sat Apr 04, 2015 11:33 am

Hello friends.
I have configured my home network so that all users in the network use OpenDNS 208.67.222.222 and 208.67.220.220,
which I did through the DHCP server, to block bad sites.
Yesterday one of my friends came with his laptop, changed his DNS settings manually and ... .... you can understand what he did after that.
So, is there a way to restrict users to the DNS I specified in the DHCP server?
I mean, even if they assign DNS manually, my preferred DNS in MikroTik should override it.
Many thanks
 
pukkita
Trainer
Posts: 3051
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: Restrict users to use specific DNS Address.

Sat Apr 04, 2015 4:38 pm

Yes.

You should:

1.- Set up your own DNS (tick IP > DNS: Allow remote requests)
2.- Set up a firewall NAT dstnat rule to redirect all outgoing DNS requests (UDP port 53) to the routerboard (tip: action redirect)

So you will be catching all outgoing UDP requests to port 53 and bypassing them directly to your DNS.

An additional benefit: you will be caching all DNS requests so all hosts in your LAN will make use of it; also, users can set up whatever external IPs in DNS, and it will actually work.
 
zimbola
Frequent Visitor
Topic Author
Posts: 56
Joined: Mon Feb 16, 2015 5:02 pm

Re: Restrict users to use specific DNS Address.

Sat Apr 04, 2015 5:03 pm

pukkita wrote:
> Yes.
>
> You should:
>
> 1.- Set up your own DNS (tick IP > DNS: Allow remote requests)
> 2.- Set up a firewall NAT dstnat rule to redirect all outgoing DNS requests (UDP port 53) to the routerboard (tip: action redirect)
>
> So you will be catching all outgoing UDP requests to port 53 and bypassing them directly to your DNS.
>
> An additional benefit: you will be caching all DNS requests so all hosts in your LAN will make use of it; also, users can set up whatever external IPs in DNS, and it will actually work.
Thanks for the hint.
 
zimbola
Frequent Visitor
Topic Author
Posts: 56
Joined: Mon Feb 16, 2015 5:02 pm

Re: Restrict users to use specific DNS Address.

Sat Apr 04, 2015 5:25 pm

```
[admin@MikroTik] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
 0 X ;;; place hotspot rules here

 1   chain=dstnat action=redirect to-ports=53 protocol=udp dst-port=53 log=no
     log-prefix=""

[admin@MikroTik] >
```
Worked great!!
 
pukkita
Trainer
Posts: 3051
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: Restrict users to use specific DNS Address.

Sat Apr 04, 2015 11:42 pm

I would add a slight modification: add some restriction (e.g. specify the input interface), or it will be processed on all of them.

That will ease your firewall processing load.

For example, if your LAN IP is 192.168.88.1 and traffic from your LAN enters through interface bridge1:
```
add action=redirect chain=dstnat comment="DNS redirection to local cache" dst-address=\
    !192.168.88.1 dst-port=53 in-interface=bridge1 protocol=udp to-ports=53
```
 
boen_robot
Forum Guru
Posts: 2400
Joined: Thu Aug 31, 2006 4:43 pm
Location: europe://Bulgaria/Plovdiv

Re: Restrict users to use specific DNS Address.

Sat Apr 04, 2015 11:52 pm

IMHO, capturing all non-local DNS traffic is a less error-prone match, while being just as non-taxing:
```
add action=redirect chain=dstnat comment="DNS redirection to local cache" dst-address-type=!local dst-port=53 protocol=udp to-ports=53
```
Maybe also add an in-interface, but still... Adding an IP can be error-prone, in that if you decide to change it for whatever reason, it won't update; interface names do update, though.
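The complete setup that pukkita's two steps and boen_robot's `dst-address-type=!local` refinement describe, written out as an added example for this thread (it is not configuration posted by either of them). It assumes the LAN enters on bridge1 and the OpenDNS resolvers from the first post; the WAN interface name ether1-gateway is an assumption, so substitute your own. It goes beyond the thread in two ways a practitioner would want: it redirects TCP/53 as well as UDP/53, since resolvers retry over TCP and a client can simply force TCP to reach an outside resolver, and it closes the open-resolver hole that "Allow Remote Requests" opens towards the internet.

```routeros
# Added example, not from the thread. Assumes: LAN on bridge1 (from the thread),
# WAN uplink named ether1-gateway (assumption; use your own interface name).

# 1. Make the router a caching resolver that forwards to OpenDNS and answers
#    queries from other hosts (IP > DNS > "Allow Remote Requests").
/ip dns set servers=208.67.222.222,208.67.220.220 allow-remote-requests=yes

# 2. Redirect every DNS query arriving from the LAN that is not already
#    addressed to one of the router's own addresses. Both UDP and TCP: a
#    rule on UDP alone still lets a client reach an outside resolver over TCP/53.
/ip firewall nat
add chain=dstnat in-interface=bridge1 protocol=udp dst-port=53 \
    dst-address-type=!local action=redirect to-ports=53 \
    comment="DNS redirection to local cache (UDP)"
add chain=dstnat in-interface=bridge1 protocol=tcp dst-port=53 \
    dst-address-type=!local action=redirect to-ports=53 \
    comment="DNS redirection to local cache (TCP)"

# 3. allow-remote-requests=yes also answers anyone who can reach the router
#    from the WAN side, i.e. it becomes an open resolver usable for
#    amplification. Refuse port 53 on the uplink; place-before=0 puts the
#    rule at the top of the input chain, ahead of any broad accept rule.
#    (Replies to the router's own upstream queries arrive on an ephemeral
#    destination port, so they are not matched by dst-port=53.)
/ip firewall filter
add chain=input in-interface=ether1-gateway protocol=udp dst-port=53 \
    action=drop comment="no open resolver on WAN" place-before=0
add chain=input in-interface=ether1-gateway protocol=tcp dst-port=53 \
    action=drop comment="no open resolver on WAN" place-before=0
```

To check it from a LAN host, query a resolver you have not configured, e.g. `nslookup example.com 8.8.8.8`: the answer still arrives (conntrack rewrites the reply so the client believes 8.8.8.8 answered), while `/ip firewall nat print stats` on the router shows the redirect counters climbing and `/ip dns cache print` shows the name in the local cache. Note the limits of the approach: it only captures plain DNS on port 53, so a client that is configured for DNS over TLS (TCP/853) or DNS over HTTPS (TCP/443) bypasses it unless those are blocked separately, and a default RouterOS firewall that already drops all non-established input from the WAN interface makes step 3 redundant but harmless.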
 
zimbola
Frequent Visitor
Topic Author
Posts: 56
Joined: Mon Feb 16, 2015 5:02 pm

Re: Restrict users to use specific DNS Address.

Sun Apr 05, 2015 6:21 am

Okay, my dst-nat rule looks like this now:
```
 1   ;;; To Force use our DNS
     chain=dstnat action=redirect to-ports=53 protocol=udp
     dst-address-list=!local-lan dst-port=53 log=no log-prefix=""
```
I think I'm doing it right.
Thanks