Block DNS other than OpenDNS

Posted: Sat Dec 14, 2013 4:57 pm
by sjoram
All,

Looking to add a firewall rule on the output chain that blocks all DNS packets other than to OpenDNS IP addresses.

Am I correct in that I need to add 2 filter rules on the output chain to allow packets to the 2 OpenDNS IP addresses (1 per IP) and then a block rule that needs to be UNDERNEATH the 2 allow rules (so that it is applied after the others)?

Re: Block DNS other than OpenDNS

Posted: Sat Dec 14, 2013 5:05 pm
by p00h
For machines on the LAN behind the router:

/ip firewall filter add chain=forward dst-address=1.1.1.1 dst-port=53 protocol=udp action=accept
/ip firewall filter add chain=forward dst-address=2.2.2.2 dst-port=53 protocol=udp action=accept
/ip firewall filter add chain=forward dst-port=53 protocol=udp action=drop

There is no need to apply the filter to the output chain, because that chain takes effect for traffic from the router itself.
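
An expanded form of the rules above, added here as an example and not taken from the thread: the permitted resolvers live in an address list (assumed to be OpenDNS's published addresses 208.67.222.222 and 208.67.220.220; the list name dns-allowed and log prefix dns-bypass are assumptions), TCP port 53 is covered alongside UDP, and lookups sent to any other server are logged before being dropped so a bypassing host is visible in the router log.

```routeros
# Added example (not the thread's own code). Assumes OpenDNS's published
# resolver addresses 208.67.222.222 and 208.67.220.220, and LAN clients
# sitting behind this router so their DNS traffic crosses the forward chain.

# Keep the permitted resolvers in an address list so the filter rules
# below never need editing when a resolver address changes.
/ip firewall address-list
add list=dns-allowed address=208.67.222.222 comment="OpenDNS resolver 1"
add list=dns-allowed address=208.67.220.220 comment="OpenDNS resolver 2"

# Filter rules are evaluated top to bottom and "add" appends, so the
# accept rules must be added before the log/drop rules (or moved up
# afterwards with "move").
/ip firewall filter
add chain=forward protocol=udp dst-port=53 dst-address-list=dns-allowed action=accept comment="DNS to OpenDNS (UDP)"
add chain=forward protocol=tcp dst-port=53 dst-address-list=dns-allowed action=accept comment="DNS to OpenDNS (TCP)"
# Log any lookup aimed at a non-OpenDNS server before dropping it, so a
# client that tries to bypass the sanctioned resolvers shows up in /log.
add chain=forward protocol=udp dst-port=53 action=log log-prefix="dns-bypass" comment="log DNS to other servers (UDP)"
add chain=forward protocol=tcp dst-port=53 action=log log-prefix="dns-bypass" comment="log DNS to other servers (TCP)"
add chain=forward protocol=udp dst-port=53 action=drop comment="drop DNS to other servers (UDP)"
add chain=forward protocol=tcp dst-port=53 action=drop comment="drop DNS to other servers (TCP)"
```

Check the resulting order with /ip firewall filter print; the two accept rules must sit above the log and drop rules for the allow-list to work.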

Re: Block DNS other than OpenDNS

Posted: Sat Dec 14, 2013 5:22 pm
by sjoram
Thanks, I'll try that tomorrow.

Edit: Working a treat :D