Egress Filter DNS / Use only DHCP DNS Settings

Greets: I searched but didn't see a specific post on this one, but maybe I missed it. I would like to require all internal users to only use OpenDNS. Here's the way I think it should work, but I wanted to get a sanity check before I try it in production.

  1. OpenDNS addresses set on the routerboard for DNS (208.67.222.222, 208.67.220.220)
  2. Gateway address (w.x.y.1) pushed out via DHCP as the only DNS server address.
  3. Allow tcp/udp 53 to w.x.y.1 on internal
  4. Block tcp/udp 53 on internal

Not sure if step three is necessary; it would be on the same network. Appreciate any comments; I'm pretty new to RouterOS, so be gentle with me.

That's the right way to do it. Just to clarify item 4: you want to block outgoing requests to tcp/udp port 53 in the forward chain, in-interface=LAN.

You can also add a nat rule to force dns requests to the router even if a client is sending the request to something else:

/ip firewall nat
add action=redirect chain=dstnat comment="redirect dns to router" dst-port=53 in-interface=localbridge protocol=udp

Hope that helps
Nick
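The complete ruleset the two posts describe, written out as an added example (it is not config from either poster). It assumes localbridge is the LAN bridge, ether1 is the WAN interface, and 192.168.88.1 stands in for the w.x.y.1 gateway; it also covers the caveat that allow-remote-requests=yes makes the router answer DNS on every interface, so DNS from the WAN side is dropped in the input chain.

```routeros
# Assumptions (not from the thread): LAN bridge = localbridge, WAN = ether1,
# router LAN address 192.168.88.1 plays the role of w.x.y.1.

# Step 1: router itself forwards to OpenDNS and answers LAN clients
/ip dns
set servers=208.67.222.222,208.67.220.220 allow-remote-requests=yes

# Step 2: DHCP hands out only the router as DNS server
/ip dhcp-server network
set [find] dns-server=192.168.88.1

/ip firewall filter
# Step 3: LAN clients may query the router (input chain, not forward)
add chain=input in-interface=localbridge protocol=udp dst-port=53 \
    action=accept comment="LAN DNS to router"
add chain=input in-interface=localbridge protocol=tcp dst-port=53 \
    action=accept comment="LAN DNS to router (tcp)"
# Caveat: allow-remote-requests=yes would otherwise make this an open
# resolver on the WAN, so refuse DNS arriving from ether1
add chain=input in-interface=ether1 protocol=udp dst-port=53 \
    action=drop comment="no DNS from WAN"
add chain=input in-interface=ether1 protocol=tcp dst-port=53 \
    action=drop comment="no DNS from WAN (tcp)"
# Step 4: anything trying to reach an external resolver directly is dropped
add chain=forward in-interface=localbridge protocol=udp dst-port=53 \
    action=drop comment="block external DNS"
add chain=forward in-interface=localbridge protocol=tcp dst-port=53 \
    action=drop comment="block external DNS (tcp)"

# Nick's redirect, extended to tcp: hard-coded client resolvers are
# silently answered by the router instead of being dropped
/ip firewall nat
add chain=dstnat in-interface=localbridge protocol=udp dst-port=53 \
    action=redirect to-ports=53 comment="redirect dns to router"
add chain=dstnat in-interface=localbridge protocol=tcp dst-port=53 \
    action=redirect to-ports=53 comment="redirect dns to router (tcp)"
```

With the redirect in place the forward-chain drops rarely fire, but they still catch DNS on the LAN that arrives via a path the dstnat rule does not match, and their counters are a quick check that nothing is slipping past.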