Different DNS servers

Hello fewi :) I have a concern and a question: is it possible to point to different DNS servers? For example, my RB450 has 5 Ethernet ports; let's say ether2 (office network) >>> dst address to Google DNS and ether3 (engineering dept) >>> dst address to UltraDNS. My concern is that I want to set up specific ports to block porn sites, social networking, etc. through public DNS servers. I am tired of blocking and adding dst hosts in the web proxy :(

Thanks

Sure. Destination NAT can do that. Let’s say the office network behind the ether2 interface is to use a DNS server at 1.1.1.1 and the engineering department behind the ether4 interface is to use a DNS server at 2.2.2.2.

/ip firewall nat
add chain=dstnat in-interface=ether2 protocol=udp dst-port=53 action=dst-nat to-address=1.1.1.1
add chain=dstnat in-interface=ether2 protocol=tcp dst-port=53 action=dst-nat to-address=1.1.1.1
add chain=dstnat in-interface=ether4 protocol=udp dst-port=53 action=dst-nat to-address=2.2.2.2
add chain=dstnat in-interface=ether4 protocol=tcp dst-port=53 action=dst-nat to-address=2.2.2.2

That will enforce use of the DNS servers of your choice. DNS over TCP is relatively rare for normal users, but possible, so the rules include that.
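An added example, not part of the original reply and not MikroTik code: a small Python audit that parses the four rules above and reports which LAN interfaces still let port-53 traffic through unredirected. The interface list (the ports named in this thread) and the probe address are assumptions, and the model evaluates only the `in-interface`, `protocol` and `dst-port` matchers.

```python
import shlex

# The four rules from the reply above, copied verbatim.
RULES = """\
add chain=dstnat in-interface=ether2 protocol=udp dst-port=53 action=dst-nat to-address=1.1.1.1
add chain=dstnat in-interface=ether2 protocol=tcp dst-port=53 action=dst-nat to-address=1.1.1.1
add chain=dstnat in-interface=ether4 protocol=udp dst-port=53 action=dst-nat to-address=2.2.2.2
add chain=dstnat in-interface=ether4 protocol=tcp dst-port=53 action=dst-nat to-address=2.2.2.2
"""

MATCHERS = ("in-interface", "protocol", "dst-port")  # the only matchers modelled

def parse_rules(text):
    """Turn 'add key=value ...' lines into dicts, preserving rule order."""
    rules = []
    for line in text.splitlines():
        words = shlex.split(line)
        if words and words[0] == "add":
            rules.append(dict(w.split("=", 1) for w in words[1:] if "=" in w))
    return rules

def resolver_for(rules, in_interface, protocol, dst_ip, dst_port=53):
    """Return the address a packet ends up at; the first matching rule wins."""
    pkt = {"in-interface": in_interface, "protocol": protocol,
           "dst-port": str(dst_port)}
    for r in rules:
        if r.get("chain") != "dstnat" or r.get("action") != "dst-nat":
            continue
        # A matcher that is absent from the rule matches any value.
        if all(r.get(k) in (None, pkt[k]) for k in MATCHERS):
            return r.get("to-address", dst_ip)
    return dst_ip  # no rule matched: the client's own choice of server stands

def coverage_gaps(rules, lan_interfaces):
    """List (interface, protocol) pairs whose port-53 traffic is not redirected."""
    probe = "192.0.2.53"  # constructed test address (documentation range)
    return [(i, p) for i in lan_interfaces for p in ("udp", "tcp")
            if resolver_for(rules, i, p, probe) == probe]

if __name__ == "__main__":
    rules = parse_rules(RULES)
    # ether3 is the engineering port named in the question; the rules use ether4.
    for gap in coverage_gaps(rules, ["ether2", "ether3", "ether4"]):
        print("not redirected:", gap)
```

Feeding it the `add` lines from your own NAT export and your real LAN interface names shows at a glance whether every port has both the UDP and the TCP rule.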

WOW fewi, you did a quick response :D I will try now, woooottttt!!!