Static DNS force


sambowomble

New Around Here
I looked through all the forums I could and didn't find an answer, but if there is one posted I apologize. I have my DNS filtering through AIProtection running through OpenDNS Family, which is providing protection for those computers getting DHCP. How can I force those who visit my network, or other computers that program a static DNS into their system and use it, so that no matter what, it has to feed through OpenDNS?
 
There is probably a way to do that. For example, by redirecting 8.8.8.8 (or whatever) to the safe DNS. However, if your guest is using the Tor Browser Bundle from his laptop or portable device, then you cannot see or redirect anything. His DNS requests get resolved remotely and all the traffic is encrypted.
 
iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p udp --dport 53 -j DNAT --to 192.168.1.1
iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p tcp --dport 53 -j DNAT --to 192.168.1.1

What this does is redirect all DNS calls to dnsmasq on the router...
 

This would be the equivalent of setting the global DNSFilter setting to "Router" on the web interface.

Select clients specified below the global setting section can be configured to direct these to OpenDNS Family.
 
Let me be more clear - route global DNS to the restricted policy DNS host..

Then make exceptions for, let's say, parental/admin computers that have elevated privileges...

Always faster and better to lock things down globally and then make exceptions, rather than leave things open globally and try to close holes, locking down individual clients.

More efficient that way...
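As an added example (my own script, not code from any post in this thread or from the router firmware), here is the "lock down globally, then make exceptions" layout from the post above as an idempotent shell script. The LAN subnet, router address and the two exempt admin hosts are assumed values, and DNSFORCE is a hypothetical chain name; by default it only prints the rules it would load, so it can be reviewed without root.

```shell
#!/bin/sh
# Added example, not from the thread: the "lock down globally, then make
# exceptions" layout as an idempotent iptables script. Subnet, router address
# and the exempt hosts below are assumed values; adjust them for your LAN.
LAN_NET="${LAN_NET:-192.168.1.0/24}"
ROUTER_IP="${ROUTER_IP:-192.168.1.1}"
# Admin/parental machines allowed to keep their own resolver (assumed addresses)
EXEMPT_HOSTS="${EXEMPT_HOSTS:-192.168.1.10 192.168.1.11}"
# DRY_RUN=1 (default) prints the rules instead of applying them, so the script
# can be reviewed without root; run with --apply to load them for real.
DRY_RUN="${DRY_RUN:-1}"
CHAIN="DNSFORCE"   # hypothetical chain name for this example

# Emit one iptables invocation: echoed in dry-run mode, executed otherwise.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Rules for one protocol. Exemptions are RETURNs placed before the catch-all
# DNAT so they win; everything else on port 53 is sent to dnsmasq on the router.
dns_rules_for() {
    proto="$1"
    for h in $EXEMPT_HOSTS; do
        ipt -t nat -A "$CHAIN" -s "$h" -p "$proto" --dport 53 -j RETURN
    done
    ipt -t nat -A "$CHAIN" -s "$LAN_NET" -p "$proto" --dport 53 \
        -j DNAT --to-destination "$ROUTER_IP"
}

# Build the whole policy in a dedicated chain. Flushing and rebuilding the chain
# makes re-running the script safe; the PREROUTING hook is added only once.
apply_dns_force() {
    ipt -t nat -N "$CHAIN" 2>/dev/null || true
    ipt -t nat -F "$CHAIN"
    dns_rules_for udp
    dns_rules_for tcp
    if [ "$DRY_RUN" = "1" ] || ! iptables -t nat -C PREROUTING -j "$CHAIN" 2>/dev/null; then
        ipt -t nat -A PREROUTING -j "$CHAIN"
    fi
}

# Review helper: how many generated rule lines match a pattern (dry run only).
rule_count() {
    ( DRY_RUN=1; apply_dns_force ) | grep -c -- "$1"
}

if [ "${1:-}" = "--apply" ]; then
    DRY_RUN=0
    apply_dns_force
else
    apply_dns_force   # dry run: print the rules that would be loaded
fi
```

Two things to keep in mind when using it: the DNAT only rewrites the destination, so the policy holds only if dnsmasq on the router itself forwards to OpenDNS Family; and, as the Tor remark earlier in the thread points out, only plain port-53 traffic is caught, so a client tunnelling or encrypting its name resolution never reaches these rules. On Merlin firmware the same global-plus-exceptions layout is what the DNSFilter page configures for you.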
 
That was the intent...

What I meant is the iptables rules you posted are what the user can do using the webui-based DNSFilter - no need for manual iptables manipulations.

[Screenshot attachment]
 
sfx - Lord of War...

rMerlin - No, you mean Warlord...

sfx - Well, yes, but I prefer it my way...

Less bits... and brutally efficient.. question asked and answered..

iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p udp --dport 53 -j DNAT --to 192.168.1.1
iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p tcp --dport 53 -j DNAT --to 192.168.1.1
vs...

[Attachment: dnsfilter.png]
 