Fourthlaw
just joined
Topic Author
Posts: 1
Joined: Mon Sep 28, 2015 11:50 pm

Egress Filter DNS / Use only DHCP DNS Settings

Thu Jun 16, 2016 4:48 pm

Greets:  I searched but didn't see a specific post on this one--but maybe I missed it.  I would like to require all internal users to only use OpenDNS.  Here's the way I think it should work, but I wanted to get a sanity check before I try it in production.
  1. OpenDNS addresses set on the routerboard for DNS (208.67.222.222, 208.67.220.220)
  2. Gateway address (w.x.y.1) pushed out via DHCP as the only DNS server address (w.x.y.1).
  3. Allow tcp/udp 53 to w.x.y.1 on internal
  4. Block tcp/udp 53 on internal
Not sure if step three is necessary...it would be on the same network...  Appreciate any comments--pretty new to RouterOS, so be gentle with me :)
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Egress Filter DNS / Use only DHCP DNS Settings

Thu Jun 16, 2016 6:11 pm

That's the right way to do it. Just to clarify item 4 - you want to block outgoing requests to tcp/udp port 53 in the forward chain, in-interface=LAN
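Putting the four steps from the opening post together with the forward-chain point above, as an added example that is not from either poster: RouterOS commands with placeholder values (LAN interface "bridge-lan", LAN subnet 192.168.88.0/24, router address 192.168.88.1 standing in for w.x.y.1) that you would substitute for your own. Step 3 goes in the input chain, because traffic addressed to the router itself never enters the forward chain.

```routeros
# Added example, not from the thread. Placeholders: bridge-lan, 192.168.88.0/24, 192.168.88.1.

# Step 1: the router itself resolves only via OpenDNS.
# allow-remote-requests=yes is what lets LAN clients use the router as their resolver;
# it also answers on the WAN side unless the input chain drops that (see below).
/ip dns set servers=208.67.222.222,208.67.220.220 allow-remote-requests=yes

# Step 2: DHCP hands out the router as the only DNS server.
/ip dhcp-server network set [find address="192.168.88.0/24"] dns-server=192.168.88.1

/ip firewall filter
# Step 3 (input chain): LAN clients may query the router's resolver.
add chain=input in-interface=bridge-lan protocol=udp dst-port=53 action=accept \
    comment="step 3: LAN -> router DNS"
add chain=input in-interface=bridge-lan protocol=tcp dst-port=53 action=accept \
    comment="step 3: LAN -> router DNS (TCP)"

# Keep the resolver closed to the Internet: drop port 53 arriving on any non-LAN interface.
add chain=input in-interface=!bridge-lan protocol=udp dst-port=53 action=drop \
    comment="no open resolver on WAN"
add chain=input in-interface=!bridge-lan protocol=tcp dst-port=53 action=drop \
    comment="no open resolver on WAN (TCP)"

# Step 4 (forward chain, per the reply above): block LAN clients going to any other DNS server.
# log=yes makes bypass attempts visible in /log for detection.
add chain=forward in-interface=bridge-lan protocol=udp dst-port=53 action=drop \
    log=yes log-prefix="dns-egress" comment="step 4: block direct external DNS"
add chain=forward in-interface=bridge-lan protocol=tcp dst-port=53 action=drop \
    log=yes log-prefix="dns-egress" comment="step 4: block direct external DNS (TCP)"
```

Filter rules are evaluated top to bottom, so check with /ip firewall filter print that no earlier accept-all rule for the forward chain sits above the step 4 drops.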
 
nickshore
Long time Member
Posts: 521
Joined: Thu Mar 03, 2005 4:14 pm
Location: Suffolk, UK.

Re: Egress Filter DNS / Use only DHCP DNS Settings

Thu Jun 16, 2016 6:32 pm

You can also add a NAT rule to force DNS requests to the router even if a client is sending the request to something else:
/ip firewall nat
add action=redirect chain=dstnat comment="redirect dns to router" dst-port=53 in-interface=localbridge protocol=udp
Hope that helps
Nick
