Community discussions

sjoram
Member Candidate
Topic Author
Posts: 117
Joined: Sun Feb 10, 2013 8:47 pm
Location: Essex, UK

Block DNS other than OpenDNS

Sat Dec 14, 2013 4:57 pm

All,

Looking to add a firewall rule on the output chain that blocks all DNS packets other than to OpenDNS IP addresses.

Am I correct in that I need to add 2 filter rules on the output chain to allow packets to the 2 OpenDNS IP addresses (1 per IP) and then a block rule that needs to be UNDERNEATH the 2 allow rules (so that it is applied after the others)?
Home user, working in IT. Home network is my lab.
ISP: Uno Communications
Hardware:
2x RB750Gr3
Draytek Vigor 120v2 ADSL2+ Annex M
Draytek Vigor 130 FTTC (VDSL)
p00h
just joined
Posts: 14
Joined: Fri Aug 23, 2013 12:57 pm
Location: Russia, 74

Re: Block DNS other than OpenDNS

Sat Dec 14, 2013 5:05 pm

For machines from LAN behind router:

ros code

/ip firewall filter add chain=forward dst-address=1.1.1.1 dst-port=53 protocol=udp action=accept comment="DNS to first OpenDNS address (1.1.1.1 is a placeholder)"
/ip firewall filter add chain=forward dst-address=2.2.2.2 dst-port=53 protocol=udp action=accept comment="DNS to second OpenDNS address (2.2.2.2 is a placeholder)"
/ip firewall filter add chain=forward dst-port=53 protocol=udp action=drop comment="drop all other DNS; must stay below the two accept rules"
There is no need to apply the filter to the output chain, because it would take effect only for traffic from the router itself.
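A fuller version of the same rule set, added here as an example and not taken from the thread. It assumes the LAN hangs off an interface named bridge-local (rename to match your router) and uses the two published OpenDNS resolver addresses, 208.67.222.222 and 208.67.220.220, in an address list so the rules do not need one copy per IP. It also covers two things the three-rule version leaves open: DNS over TCP (resolvers fall back to TCP for large answers, so a UDP-only drop is trivially bypassed), and the router's own lookups, which leave through the output chain rather than forward.

```routeros
# Added example, not from the thread. Assumes LAN interface "bridge-local"
# and the OpenDNS resolvers 208.67.222.222 / 208.67.220.220.
/ip firewall address-list
add list=dns-allowed address=208.67.222.222 comment="OpenDNS resolver 1"
add list=dns-allowed address=208.67.220.220 comment="OpenDNS resolver 2"

/ip firewall filter
# LAN clients (forward chain): accept DNS to the allowed resolvers, UDP and TCP.
add chain=forward in-interface=bridge-local protocol=udp dst-port=53 dst-address-list=dns-allowed action=accept comment="LAN DNS to OpenDNS (UDP)"
add chain=forward in-interface=bridge-local protocol=tcp dst-port=53 dst-address-list=dns-allowed action=accept comment="LAN DNS to OpenDNS (TCP)"
# Drop every other DNS destination. These must sit BELOW the accepts:
# the chain is evaluated top to bottom and the first matching rule wins.
add chain=forward in-interface=bridge-local protocol=udp dst-port=53 action=drop comment="LAN DNS to anything else (UDP)"
add chain=forward in-interface=bridge-local protocol=tcp dst-port=53 action=drop comment="LAN DNS to anything else (TCP)"

# The router's own queries (/ip dns servers, and the upstream lookups it makes
# when allow-remote-requests=yes) use the output chain, so pin those as well.
add chain=output protocol=udp dst-port=53 dst-address-list=dns-allowed action=accept comment="router DNS to OpenDNS (UDP)"
add chain=output protocol=tcp dst-port=53 dst-address-list=dns-allowed action=accept comment="router DNS to OpenDNS (TCP)"
add chain=output protocol=udp dst-port=53 action=drop comment="router DNS to anything else (UDP)"
add chain=output protocol=tcp dst-port=53 action=drop comment="router DNS to anything else (TCP)"

# Verify the order and watch the drop counters climb while a LAN client
# queries a non-OpenDNS server, e.g. "nslookup example.com 8.8.8.8".
/ip firewall filter print stats where dst-port=53
```

Two caveats when reading the counters. If the router is the resolver the LAN clients point at (allow-remote-requests=yes), their queries land on the input chain and never touch the forward rules; only the output rules then matter, because they constrain where the router forwards those queries. And if you would rather that clients with a hard-coded resolver keep working instead of silently failing, swap the forward drops for a dstnat rule with `dst-address-list=!dns-allowed action=dst-nat to-addresses=208.67.222.222 to-ports=53`, which transparently rewrites the destination. None of this touches DNS carried over HTTPS or TLS (443/853); port 53 is all these rules see.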
sjoram
Member Candidate
Topic Author
Posts: 117
Joined: Sun Feb 10, 2013 8:47 pm
Location: Essex, UK

Re: Block DNS other than OpenDNS

Sat Dec 14, 2013 5:22 pm

Thanks, I'll try that tomorrow.

Edit: Working a treat :D