Fourthlaw
just joined
Topic Author
Posts: 1
Joined: Mon Sep 28, 2015 11:50 pm

Egress Filter DNS / Use only DHCP DNS Settings

Thu Jun 16, 2016 4:48 pm

Greets: I searched but didn't see a specific post on this one--but maybe I missed it. I would like to require all internal users to only use OpenDNS. Here's the way I think it should work, but I wanted to get a sanity check before I try it in production.
  1. OpenDNS addresses set on the routerboard for DNS (208.67.222.222, 208.67.220.220)
  2. Gateway address (w.x.y.1) pushed out via DHCP as the only DNS server address (w.x.y.1).
  3. Allow tcp/udp 53 to w.x.y.1 on internal
  4. Block tcp/udp 53 on internal
Not sure if step three is necessary...it would be on the same network...  Appreciate any comments--pretty new to RouterOS, so be gentle with me :)

ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: Egress Filter DNS / Use only DHCP DNS Settings

Thu Jun 16, 2016 6:11 pm

That's the right way to do it. Just to clarify item 4 - you want to block outgoing requests to tcp/udp port 53 in the forward chain, in-interface=LAN.
When given a spoon,
you should not cling to your fork.
The soup will get cold.

nickshore
Member
Posts: 473
Joined: Thu Mar 03, 2005 4:14 pm
Location: Suffolk, UK.

Re: Egress Filter DNS / Use only DHCP DNS Settings

Thu Jun 16, 2016 6:32 pm

You can also add a nat rule to force dns requests to the router even if a client is sending the request to something else:
/ip firewall nat
add action=redirect chain=dstnat comment="redirect dns to router" dst-port=53 in-interface=localbridge protocol=udp
Hope that helps.
Nick
Nick Shore MTCNA MTCWE MTCRE MTCINE MTCTCE
LinITX.com - MultiThread Consultants
Get your MikroTik RBs and Training: http://linitx.com/brand/mikrotik
Official UK MikroTik Distributor
IRC chan: #routerboard on irc.z.je (IPv4 and IPv6)
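The four steps from the first post plus Nick's redirect, written out as a complete RouterOS configuration. This is an added example, not anything posted in the thread; it assumes the LAN interface is named bridge and the LAN is 192.168.88.0/24 with the router at 192.168.88.1 (standing in for w.x.y.1).

```routeros
# Added example (not from the thread). Assumptions: LAN interface is "bridge",
# LAN subnet 192.168.88.0/24, router/gateway 192.168.88.1 (the thread's w.x.y.1).

# Step 1: router forwards to OpenDNS and is allowed to answer LAN clients
/ip dns set servers=208.67.222.222,208.67.220.220 allow-remote-requests=yes

# Step 2: DHCP hands out the router itself as the only DNS server
/ip dhcp-server network set [find address=192.168.88.0/24] dns-server=192.168.88.1

# Step 3: queries addressed to the router are handled in the input chain, not forward,
# so this is the accept rule step 3 actually needs (only matters if input otherwise drops LAN traffic)
/ip firewall filter
add chain=input in-interface=bridge protocol=udp dst-port=53 action=accept comment="DNS to router (udp)"
add chain=input in-interface=bridge protocol=tcp dst-port=53 action=accept comment="DNS to router (tcp)"

# Step 4: drop DNS from the LAN to anything else, in the forward chain as ZeroByte describes
add chain=forward in-interface=bridge protocol=udp dst-port=53 action=drop comment="block external DNS (udp)"
add chain=forward in-interface=bridge protocol=tcp dst-port=53 action=drop comment="block external DNS (tcp)"

# Nick's redirect, plus a TCP twin so truncated/large answers are covered too.
# dstnat runs before filter, so redirected queries never reach the forward drops.
/ip firewall nat
add chain=dstnat in-interface=bridge protocol=udp dst-port=53 action=redirect comment="redirect dns to router (udp)"
add chain=dstnat in-interface=bridge protocol=tcp dst-port=53 action=redirect comment="redirect dns to router (tcp)"

# Caveat: this only governs plain port-53 DNS; DNS-over-HTTPS (443) and DNS-over-TLS (853)
# are not affected by these rules.
```

Once the redirect is in place the forward drop counters should stay at zero; a rising count means a query reached the forward chain without being redirected, which is worth investigating.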
