Posted: Sat Dec 26, 2020 5:20 Post subject: Firewall rule to forward DNS calls to specific DNS server
I have been setting up DNSFilter (was using OpenDNS) and have set the DNS servers into the router.
I have also set up rules for blacklists and whitelists on DNSFilter.
All of that is working.
Now I am trying to set up DNS forwarding as per the 2 settings which DNSFilter provide.
This is to prevent anyone on the network from changing their DNS settings to use another DNS provider.
I have added this to the Firewall rules from a CMD window
Then when running iptables -t nat -L the following is displayed:
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DNAT udp -- anywhere anywhere udp dpt:dns to:103.247.36.36:53
DNAT tcp -- anywhere anywhere tcp dpt:dns to:103.247.36.36:53
As a test to see if it works, I have changed one device to use DNS 8.8.8.8 and then have tried to access a blocked site.
Instead of getting the blocked page, I can still access the site.
Can someone tell me if the 2 firewall rules are correct for dd-wrt or if they require something to be changed?
_________________
Router Model Netgear XR500
DD-WRT v3.0-r43217 std (05/22/20)
Linux 4.9.224 #554 SMP Thu May 21 01:25:03 +03 2020 armv7l
DNScrypt
NMON
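An added example, not the OP's rules and not dd-wrt's own firewall script: a redirect written for PREROUTING (the chain that sees packets arriving from LAN clients; OUTPUT only sees packets the router itself generates) plus a small check that reads the output of iptables -t nat -L and reports which nat chains carry a DNAT for port 53. It assumes the LAN bridge is br0, the upstream resolver 103.247.36.36 quoted in the post, and a router with iptables; the listing it checks is a constructed sample built from the lines the OP pasted.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumptions: LAN bridge is br0,
# upstream resolver is 103.247.36.36 (from the post), iptables is available.
# Set IPT=echo to print the rules instead of applying them.

UPSTREAM_DNS="${UPSTREAM_DNS:-103.247.36.36}"
LAN_IF="${LAN_IF:-br0}"
IPT="${IPT:-iptables}"

# Redirect every plain port-53 query from LAN clients to the upstream resolver.
# Client packets enter the router on br0 and are NATed in PREROUTING; a DNAT in
# OUTPUT never matches them, so a client pointed at 8.8.8.8 slips straight past.
dns_redirect_rules() {
    for proto in udp tcp; do
        $IPT -t nat -A PREROUTING -i "$LAN_IF" -p "$proto" --dport 53 \
            ! -d "$UPSTREAM_DNS" -j DNAT --to-destination "$UPSTREAM_DNS:53"
    done
}

# Read `iptables -t nat -L` on stdin and print each chain (once) that holds a
# DNAT rule for DNS. LAN clients are only caught if PREROUTING appears.
dns_dnat_chains() {
    awk '
        /^Chain / { chain = $2; next }
        /DNAT/ && /dpt:(dns|domain|53)/ && !seen[chain]++ { print chain }
    '
}

# Exit 0 when the redirect lives in PREROUTING, 1 when it is only in OUTPUT
# (or missing altogether).
lan_dns_forced() {
    dns_dnat_chains | grep -qx PREROUTING
}

# Constructed sample: the listing the OP pasted, with an empty PREROUTING chain.
SAMPLE_LISTING='Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DNAT       udp  --  anywhere             anywhere             udp dpt:dns to:103.247.36.36:53
DNAT       tcp  --  anywhere             anywhere             tcp dpt:dns to:103.247.36.36:53'

# Demo run on the sample: prints "OUTPUT" and reports that LAN DNS is not forced.
printf '%s\n' "$SAMPLE_LISTING" | dns_dnat_chains
if printf '%s\n' "$SAMPLE_LISTING" | lan_dns_forced; then
    echo "LAN DNS redirect present in PREROUTING"
else
    echo "no PREROUTING redirect: LAN clients can still reach other resolvers"
fi

# Apply for real only when asked (APPLY=1); otherwise just show the rules.
if [ "${APPLY:-0}" = 1 ]; then
    dns_redirect_rules
else
    IPT=echo dns_redirect_rules
fi
```

On a live router, pipe the real listing in (iptables -t nat -L | dns_dnat_chains) after ticking the Force DNS option, and PREROUTING should be reported. The rules cover plain port-53 DNS only; a client that speaks DNS over TLS or HTTPS to a baked-in resolver, as the thread notes, is not caught by them.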
Joined: 16 Nov 2015 Posts: 6446 Location: UK, London, just across the river..
Posted: Sat Dec 26, 2020 8:22 Post subject:
For blocking other DNS servers, use the Force DNS option from the Basic Setup page, down at the bottom; make sure you use DNSMasq...
Add those lines in Advanced DNSMasq rules:
no-resolv
server=103.247.36.36
or whatever server you want...
Do keep in mind, for those devices that have a baked-in 8.8.8.8,
the only thing you can do is add those lines in Commands (save firewall script).
192.168.1.103 is supposed to be the IP of your device; change it to whatever you've given to those...
Do keep in mind some of those may even have a baked-in 8.8.8.8 that uses TLS encryption or HTTPS, and those are hard
to mitigate... as they go encrypted... then those lines will not work.
_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Joined: 04 Aug 2018 Posts: 1447 Location: Appalachian mountains, USA
Posted: Sat Dec 26, 2020 17:34 Post subject:
@alozaros is right that "force DNS" and the "no-resolv" (no "e") and "server=..." lines are all you need. You can use more than one "server=..." line if you want to use multiple servers. If you want them to be tried in order, there's a GUI button for it, but the one you want to try first should have its "server=..." last, as DNSMasq reverses things.
You don't even need the iptables commands, as the "force" checkbox in the GUI causes dd-wrt to insert the rules for you.
_________________
2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.