
Restrict users to use specific DNS Address.

Posted: Sat Apr 04, 2015 11:33 am
by zimbola
Hello friends.
I have configured my home network so that all users on the network use OpenDNS 208.67.222.222 and 208.67.220.220,
which I did through the DHCP server, to block bad sites.
Yesterday one of my friends came with his laptop, changed his DNS settings manually and ... you can understand what he did after that.
So, is there a way to restrict users to the DNS I specified in the DHCP server?
I mean, even if they assign DNS manually, my preferred DNS in MikroTik should override it.
Many thanks

Re: Restrict users to use specific DNS Address.

Posted: Sat Apr 04, 2015 4:38 pm
by pukkita
Yes.

You should:

1.- Set up your own DNS (tick IP > DNS: Allow remote requests)
2.- Set up a firewall NAT dstnat rule to redirect all outgoing DNS requests (UDP port 53) to the routerboard (tip: action redirect)

So you will be catching all outgoing UDP requests to port 53 and bypassing them directly to your DNS.

An additional benefit: you will be caching all DNS requests, so all hosts in your LAN will make use of it; also, users can set up whatever external IPs in DNS and it will actually work.

Re: Restrict users to use specific DNS Address.

Posted: Sat Apr 04, 2015 5:03 pm
by zimbola
> Yes.
>
> You should:
>
> 1.- Set up your own DNS (tick IP > DNS: Allow remote requests)
> 2.- Set up a firewall NAT dstnat rule to redirect all outgoing DNS requests (UDP port 53) to the routerboard (tip: action redirect)
>
> So you will be catching all outgoing UDP requests to port 53 and bypassing them directly to your DNS.
>
> An additional benefit: you will be caching all DNS requests, so all hosts in your LAN will make use of it; also, users can set up whatever external IPs in DNS and it will actually work.

Thanks for the hint.

Re: Restrict users to use specific DNS Address.

Posted: Sat Apr 04, 2015 5:25 pm
by zimbola
[admin@MiktoTik] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 X ;;; place hotspot rules here

1 chain=dstnat action=redirect to-ports=53 protocol=udp dst-port=53 log=no
log-prefix=""

[admin@MiktoTik] >
Worked great!!

Re: Restrict users to use specific DNS Address.

Posted: Sat Apr 04, 2015 11:42 pm
by pukkita
I would add a slight modification: add some restriction (i.e. specify the input interface), or it will be processed on all interfaces.

That will ease your firewall processing load.

For example, if your LAN IP is 192.168.88.1 and traffic from your LAN enters through interface bridge1:
add action=redirect chain=dstnat comment="DNS redirection to local cache" dst-address=\
    !192.168.88.1 dst-port=53 in-interface=bridge1 protocol=udp to-ports=53

Re: Restrict users to use specific DNS Address.

Posted: Sat Apr 04, 2015 11:52 pm
by boen_robot
IMHO, capturing all non-local DNS traffic is a less error prone match, while being just as non-taxing:
add action=redirect chain=dstnat comment="DNS redirection to local cache" dst-address-type=!local dst-port=53 protocol=udp to-ports=53
Maybe also add an in-interface, but still... Adding an IP can be error prone, in that if you decide to change it for whatever reason, it won't update; interface names do update, though.

Re: Restrict users to use specific DNS Address.

Posted: Sun Apr 05, 2015 6:21 am
by zimbola
Okay, my dst-nat rule looks like this now:
1 ;;; To Force use our DNS
chain=dstnat action=redirect to-ports=53 protocol=udp
dst-address-list=!local-lan dst-port=53 log=no log-prefix=""
I think I'm doing it right.
Thanks
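Putting the thread's pieces together, here is an added example in RouterOS CLI form (not posted by anyone in the thread). It assumes the LAN interface is bridge1 and the LAN is 192.168.88.0/24; it uses boen_robot's dst-address-type=!local match, adds TCP 53 alongside UDP, and drops DNS queries reaching the router from anything other than the LAN, since "Allow remote requests" on its own would also answer queries arriving on the WAN side.

```routeros
# Added example, not from the thread. Assumptions: LAN interface "bridge1",
# LAN subnet 192.168.88.0/24, upstream resolvers are the OpenDNS addresses
# from the original post.

# 1. Make the router the resolver for the LAN, forwarding to OpenDNS.
/ip dns set servers=208.67.222.222,208.67.220.220 allow-remote-requests=yes

# 2. allow-remote-requests=yes makes the router answer DNS on every
#    interface, so refuse DNS that does not arrive from the LAN.
#    Put these ahead of any generic accept rules in the input chain.
/ip firewall filter
add chain=input protocol=udp dst-port=53 in-interface=!bridge1 action=drop \
    comment="No DNS service for non-LAN sources"
add chain=input protocol=tcp dst-port=53 in-interface=!bridge1 action=drop \
    comment="No DNS service for non-LAN sources"

# 3. Redirect LAN DNS queries aimed at any non-local address back to the
#    router. dst-address-type=!local stays correct if the router's LAN
#    address changes; in-interface keeps the rule off other interfaces.
#    TCP 53 is covered too, since resolvers retry large answers over TCP.
/ip firewall nat
add chain=dstnat in-interface=bridge1 protocol=udp dst-port=53 \
    dst-address-type=!local action=redirect to-ports=53 \
    comment="DNS redirection to local cache"
add chain=dstnat in-interface=bridge1 protocol=tcp dst-port=53 \
    dst-address-type=!local action=redirect to-ports=53 \
    comment="DNS redirection to local cache (TCP)"

# 4. Check: the redirect counters increase whenever a LAN host has a
#    manual DNS server set, which shows the override is taking effect.
/ip firewall nat print stats where comment~"DNS redirection"
```

From a LAN host, a lookup pointed at any external resolver should now return an answer served by the router, and the counters in step 4 should move accordingly.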