Pigsfoot
Frequent Visitor
Topic Author
Posts: 84
Joined: Sat Oct 25, 2014 1:16 am

Block outbound DNS other than to our own DNS Server

Tue May 01, 2018 8:02 pm

Hi,

We provide a public WiFi system and are using a RouterBoard as our gateway / firewall. We also have our own DNS server, which also provides content filtering, and need to be able to stop all other DNS traffic on a specific VLAN going out other than to our own server, i.e. stop clients from using A.N.Other DNS server other than the one provided via DHCP.

All clients get allocated an IP, GW and DNS address via a DHCP scope on VLAN 101. We also have VLAN 1 for our infrastructure, which uses the internal RouterBoard DNS server and a forwarder, which I need to keep as is. The IP address range assigned to clients is 10.1.1.0/24.

I'm presuming I need a drop rule based on VLAN 101 traffic (or subnet 10.1.1.0/24) for all outbound traffic using port 53, and then another rule only allowing VLAN 101 (or subnet 10.1.1.0/24) port 53 traffic to our DNS server(s).

I'm not sure if this needs to be two rules or if I can combine it into one. Also, does one rule take precedence over another? If so, what would be the correct order?

I have looked at other posts, e.g. https://wiki.mikrotik.com/wiki/Force_us ... DNS_server, but this simply redirects all traffic to a specific DNS address, whereas I need it to work only on a specific VLAN. However, we did try it (changing the IP address to our external DNS server) as a test based on all traffic and we couldn't get it working anyway :-(

Any pointers would be appreciated.

Thanks
 
chechito
Forum Guru
Posts: 3007
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: Block outbound DNS other than to our own DNS Server

Tue May 01, 2018 8:21 pm

try this


/ip firewall nat
add action=dst-nat chain=dstnat comment="dns redirector" in-interface="Vlan 101" src-address=10.1.1.0/24 dst-port=53 protocol=udp to-addresses=172.16.0.1


replace 172.16.0.1 with your DNS server IP address
 
Pigsfoot
Frequent Visitor
Topic Author
Posts: 84
Joined: Sat Oct 25, 2014 1:16 am

Re: Block outbound DNS other than to our own DNS Server

Tue May 01, 2018 9:06 pm

Thanks @chechito

I'll try that in the morning. Just out of interest, why is it set to in-interface? I presumed it would be out-interface due to the traffic going outbound.

Thanks for your help.
 
yottabit
Member Candidate
Posts: 198
Joined: Thu Feb 21, 2013 5:56 am

Re: Block outbound DNS other than to our own DNS Server

Tue May 01, 2018 10:30 pm

Also remember that DNS operates on both udp/53 and tcp/53, so you need two rules to block them both.

I set my router to use OpenDNS kid filter for DNS, then give out my router as the DNS server via DHCP. I then have firewall rules to block my kids from overriding DNS on their own computer, forcing them to use the router and therefore OpenDNS.

I have exception rules to allow a couple MAC addresses for devices I use exclusively.

Sent from my Pixel XL using Tapatalk
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Block outbound DNS other than to our own DNS Server

Tue May 01, 2018 10:38 pm

why is it set to in-interface. I presumed it would be out-interface due to the traffic going outbound.
The trick is to redirect the traffic to your own DNS already when it comes in to the router. If you started handling it only once it had already been routed outside, you could only block it, not redirect it to your DNS.
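A consolidated rule set that puts the three answers above together: chechito's dst-nat redirect, yottabit's point that DNS uses both udp/53 and tcp/53 and his MAC-based exceptions, and sindy's point that the redirect has to happen on the inbound side (dstnat chain, before routing). This is an added example, not the configuration of any of the posters. It assumes the client VLAN interface is named "Vlan 101", the client subnet is 10.1.1.0/24, the filtering DNS server is 172.16.0.1 (chechito's placeholder), and the exempt MAC address 00:11:22:33:44:55 is a placeholder to replace with a real device.

```routeros
# Added example (assumptions: interface "Vlan 101", clients in 10.1.1.0/24,
# filtering DNS server 172.16.0.1, exempt MAC 00:11:22:33:44:55 is a placeholder).

/ip firewall nat
# Exceptions first: "accept" in the NAT table means "skip remaining NAT rules",
# so these devices keep whatever resolver they configured.
add chain=dstnat in-interface="Vlan 101" src-mac-address=00:11:22:33:44:55 \
    protocol=udp dst-port=53 action=accept comment="DNS exception (placeholder MAC) udp"
add chain=dstnat in-interface="Vlan 101" src-mac-address=00:11:22:33:44:55 \
    protocol=tcp dst-port=53 action=accept comment="DNS exception (placeholder MAC) tcp"
# Redirect everyone else's port-53 traffic to the filtering resolver, one rule
# per transport. Matching on in-interface in dstnat catches the packet before
# routing, which is what makes a redirect (rather than just a drop) possible.
add chain=dstnat in-interface="Vlan 101" src-address=10.1.1.0/24 \
    protocol=udp dst-port=53 action=dst-nat to-addresses=172.16.0.1 comment="dns redirector udp"
add chain=dstnat in-interface="Vlan 101" src-address=10.1.1.0/24 \
    protocol=tcp dst-port=53 action=dst-nat to-addresses=172.16.0.1 comment="dns redirector tcp"

/ip firewall filter
# Belt and braces: after dst-nat the forward chain already sees 172.16.0.1 as the
# destination, so anything on port 53 still heading elsewhere is dropped.
# Exempt devices are accepted here too, otherwise the drop rule would catch them.
add chain=forward in-interface="Vlan 101" src-mac-address=00:11:22:33:44:55 \
    protocol=udp dst-port=53 action=accept comment="DNS exception (placeholder MAC) udp"
add chain=forward in-interface="Vlan 101" src-mac-address=00:11:22:33:44:55 \
    protocol=tcp dst-port=53 action=accept comment="DNS exception (placeholder MAC) tcp"
add chain=forward in-interface="Vlan 101" src-address=10.1.1.0/24 dst-address=!172.16.0.1 \
    protocol=udp dst-port=53 action=drop comment="drop DNS that escaped redirection udp"
add chain=forward in-interface="Vlan 101" src-address=10.1.1.0/24 dst-address=!172.16.0.1 \
    protocol=tcp dst-port=53 action=drop comment="drop DNS that escaped redirection tcp"
```

Rule order matters within each chain: the exception rules must sit above the redirect and drop rules, because RouterOS evaluates a chain top to bottom and the first matching rule with a terminating action wins. To confirm the rules are doing work, watch the packet counters with `/ip firewall nat print stats` and `/ip firewall filter print stats` while a client on VLAN 101 resolves a name. Note that these rules only catch plain DNS on port 53; a resolver reached over DNS-over-TLS (tcp/853) or DNS-over-HTTPS (tcp/443) is not redirected by them.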
 
Pigsfoot
Frequent Visitor
Topic Author
Posts: 84
Joined: Sat Oct 25, 2014 1:16 am

Re: Block outbound DNS other than to our own DNS Server

Tue May 01, 2018 10:50 pm

Makes sense, thanks @Sindy.

@yottabit - Thanks for the pointer, rule duplicated, changed to TCP and added.

Thanks everyone for your help
