Restrict users to a specific DNS address.

Hello friends.
I have configured my home network so that all users on the network use OpenDNS (208.67.222.222 and 208.67.220.220),
which I did through the DHCP server, to block bad sites.
Yesterday one of my friends came over with his laptop, changed his DNS settings manually and … you can understand what he did after that.
So, is there a way to restrict users to the DNS I specified in the DHCP server?
I mean, even if they assign DNS manually, my preferred DNS in MikroTik should override it.
Many Thanks

Yes.

You should:

1.- Set up your own DNS (tick IP > DNS: Allow remote requests)
2.- Set up a firewall NAT dstnat rule to redirect all outgoing DNS requests (UDP port 53) to the routerboard (tip: action redirect)

So you will be catching all outgoing UDP requests to port 53 and bypassing them directly to your DNS.

An additional benefit: you will be caching all DNS requests, so all hosts in your LAN will make use of it; also, users can set up whatever external IPs in DNS and it will actually work.

Thanks for the hint.

[admin@MiktoTik] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 X ;;; place hotspot rules here

1 chain=dstnat action=redirect to-ports=53 protocol=udp dst-port=53 log=no
log-prefix=""

[admin@MiktoTik] >

Worked great!!

I would add a slight modification: add some restriction (e.g. specify the input interface) or it will be processed on all interfaces.

That will ease your firewall processing load.

For example, if your LAN IP is 192.168.88.1 and traffic from your LAN enters through interface bridge1:

add action=redirect chain=dstnat comment="DNS redirection to local cache" dst-address=\
    !192.168.88.1 dst-port=53 in-interface=bridge1 protocol=udp to-ports=53

IMHO, capturing all non-local DNS traffic is a less error-prone match, while being just as non-taxing:

add action=redirect chain=dstnat comment="DNS redirection to local cache" dst-address-type=!local dst-port=53 protocol=udp to-ports=53

Maybe also add an in-interface, but still… Adding an IP can be error-prone, in that if you decide to change it for whatever reason, it won't update; interface names do update, though.
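Pulling the answer above (run the router as the resolver, redirect UDP 53 with a dstnat redirect rule) and the two refinements in the following posts (restrict the rule with in-interface, match dst-address-type=!local instead of a hard-coded address) together into one RouterOS configuration. This is an added example, not configuration from the thread; it assumes the LAN is on interface bridge1 and the WAN on ether1, so adjust the names to your router. It also covers three points the thread does not raise: TCP 53 (clients and resolvers fall back to TCP for large answers), an input-chain guard so that "Allow remote requests" does not turn the router into an open resolver reachable from the Internet, and a block on DNS over TLS so a client configured for port 853 cannot walk around the redirect.

```routeros
# Added example (not from the thread): force LAN clients through the router's
# own DNS cache on RouterOS.
# Assumptions: LAN interface "bridge1", WAN interface "ether1".

# 1. The router resolves for the LAN and forwards to OpenDNS (the servers
#    the original poster hands out via DHCP).
/ip dns set allow-remote-requests=yes servers=208.67.222.222,208.67.220.220

# 2. Redirect every DNS request arriving from the LAN that is not already
#    addressed to the router itself to the router's resolver.
#    dst-address-type=!local keeps the rule valid if the LAN address changes;
#    in-interface=bridge1 keeps WAN traffic out of the match entirely.
#    Both UDP and TCP 53 are redirected, since DNS uses TCP as well.
/ip firewall nat
add chain=dstnat in-interface=bridge1 protocol=udp dst-port=53 \
    dst-address-type=!local action=redirect to-ports=53 \
    comment="Force LAN DNS through local cache (UDP)"
add chain=dstnat in-interface=bridge1 protocol=tcp dst-port=53 \
    dst-address-type=!local action=redirect to-ports=53 \
    comment="Force LAN DNS through local cache (TCP)"

# 3. allow-remote-requests=yes makes the router answer DNS for anyone who can
#    reach it, including hosts on the Internet side, unless the input chain
#    says otherwise. Accept DNS only from the LAN and drop it from the WAN so
#    the router cannot be abused as an open resolver.
/ip firewall filter
add chain=input in-interface=bridge1 protocol=udp dst-port=53 action=accept \
    comment="LAN may query the router's resolver (UDP)"
add chain=input in-interface=bridge1 protocol=tcp dst-port=53 action=accept \
    comment="LAN may query the router's resolver (TCP)"
add chain=input in-interface=ether1 protocol=udp dst-port=53 action=drop \
    comment="Never answer DNS from the Internet (UDP)"
add chain=input in-interface=ether1 protocol=tcp dst-port=53 action=drop \
    comment="Never answer DNS from the Internet (TCP)"

# 4. Port-based redirection does not see DNS over TLS (TCP 853). Drop it from
#    the LAN so a client configured for DoT falls back to plain DNS, which the
#    dstnat rules above then capture. DNS over HTTPS shares TCP 443 with
#    ordinary web traffic and cannot be separated by port alone, so it is not
#    handled here.
add chain=forward in-interface=bridge1 protocol=tcp dst-port=853 action=drop \
    comment="Block DoT so LAN clients cannot bypass the local resolver"
```

Place the input-chain rules above any broader accept or drop rules already in that chain, because RouterOS evaluates firewall rules top to bottom and the first match wins. To check the result from a LAN host, query a server other than the router (for example `nslookup example.com 8.8.8.8`): the lookup still succeeds, but `/ip firewall nat print stats` shows the redirect rule's counters climbing, which proves the answer came from the router's cache rather than from the server the client named.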

Okay, my dstnat rule looks like this now:

1 ;;; To Force use our DNS
chain=dstnat action=redirect to-ports=53 protocol=udp
dst-address-list=!local-lan dst-port=53 log=no log-prefix=""

I think I'm doing it right.
Thanks