Redirecting DNS port to a specific DNS server


Solution 1

Are there any better solutions?

Yes - not doing it at all.

Messing with normal DNS resolution is almost never the right answer, whatever the problem is that you're trying to solve.

EDIT re: your update. You are inappropriately trying to use technology to solve a policy problem. Don't.

Solution 2

It's not working because the reply from your DNS server is bypassing the firewall. The clients will then (correctly) drop those responses as they don't match what was sent out.

You need to add another rule to your POSTROUTING table to SNAT the packets headed for the DNS server to the router's IP.

Alternatively, putting the DNS server on a separate network would solve the problem as the responses would be forced back through the router.

Solution 3

Why not just drop DNS traffic to any external DNS server? Those who explicitly specify an external server will simply notice that that isn't working.
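The two rule-based answers above (Solution 2's DNAT plus SNAT, and Solution 3's drop-everything-else) are easy to get subtly wrong, so here is an added example, not code from the original poster or any of the answerers, that generates both rule sets from one script and can apply either as root. It takes the interface name `eth5` and the resolver address `192.168.1.1` from the question; the router's own LAN address (`192.168.1.254`) and the `intercept`/`block` mode names are assumptions made for the example. Both UDP and TCP are covered, since (as noted in the comments) a truncated answer makes the client retry over TCP.

```shell
#!/bin/sh
# Added example (not from the original page): generate, and optionally apply,
# the netfilter rules for the two approaches discussed above.
#   sh dns-policy.sh                    -> print both rule sets
#   sh dns-policy.sh --apply intercept  -> load Solution 2's rules (as root)
#   sh dns-policy.sh --apply block      -> load Solution 3's rules (as root)
# Pick one approach: with the intercept DNAT in place, the block rule would
# never see an external destination and is pointless.

LAN_IF="${LAN_IF:-eth5}"                 # interface facing the clients (from the question)
DNS_IP="${DNS_IP:-192.168.1.1}"          # the local resolver (from the question)
ROUTER_IP="${ROUTER_IP:-192.168.1.254}"  # ASSUMED: the router's address on LAN_IF

# Approach A (Solution 2): rewrite every port-53 packet from the LAN to the
# local resolver, then SNAT it to the router so the resolver's reply has to
# come back through the router, where conntrack restores the original
# destination address before the client sees it.
intercept_rules() {
    for proto in udp tcp; do   # TCP too: clients retry over TCP when TC is set
        # Skip queries already aimed at the resolver, and the resolver's own
        # upstream queries, which would otherwise be DNATed back to itself.
        echo "iptables -t nat -A PREROUTING -i $LAN_IF -p $proto ! -s $DNS_IP ! -d $DNS_IP --dport 53 -j DNAT --to-destination $DNS_IP:53"
        # This is the rule the question was missing (the "SNAT" Solution 2 asks for).
        echo "iptables -t nat -A POSTROUTING -o $LAN_IF -p $proto -d $DNS_IP --dport 53 -j SNAT --to-source $ROUTER_IP"
        # The rewritten packet re-enters the LAN on the same interface (hairpin).
        echo "iptables -A FORWARD -i $LAN_IF -o $LAN_IF -p $proto -d $DNS_IP --dport 53 -j ACCEPT"
    done
}

# Approach B (Solution 3): leave resolution alone, but drop queries that try
# to leave the LAN for any resolver other than the local one. (REJECT instead
# of DROP would make the failure visible faster than a timeout.)
block_rules() {
    for proto in udp tcp; do
        echo "iptables -A FORWARD -i $LAN_IF -p $proto ! -d $DNS_IP --dport 53 -j DROP"
    done
}

# Return the rule lines for a named approach; non-zero for an unknown name.
rules_for() {
    case "$1" in
        intercept) intercept_rules ;;
        block)     block_rules ;;
        *) echo "unknown approach: $1" >&2; return 1 ;;
    esac
}

if [ "${1:-}" = "--apply" ]; then
    rules_for "$2" | sh -e       # needs root and a kernel with nf_conntrack
else
    for approach in intercept block; do
        echo "# $approach"
        rules_for "$approach"
    done
fi
```

The intercept rules assume the usual `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` rule is already in FORWARD so the resolver's replies are let back through; without the SNAT line, a resolver on the same subnet as the clients answers them directly, the router never sees the reply, and the client discards an answer from an address it never queried, which is exactly the failure the question describes.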


Author: clemens utschig

Updated on September 18, 2022

Comments

  • clemens utschig
    clemens utschig almost 2 years

    I use an Ubuntu server as a router for my users on a NAT network. I want to force all users to use a local DNS server set up on the network. Even if they use a public DNS server on their client machines, the DNS port should be redirected (DNAT) to my local DNS server. This is what I have come up with:

    # rewrite any UDP/53 packet arriving on the LAN interface to the local resolver
    iptables -t nat -A PREROUTING -i eth5 -p udp --dport 53 -j DNAT --to 192.168.1.1:53
    # allow the rewritten packet to be forwarded on to the resolver
    iptables -A FORWARD -d 192.168.1.1 -i eth5 -p udp --dport 53 -j ACCEPT
    

    The interface facing NAT network is eth5. The above rules were not working for me. Are there any better solutions?

    EDIT 1: My aim is to implement the OpenDNS filter to prevent BitTorrent traffic on the network. The filter is working quite well at present, and the users get the local DNS server because they use DHCP. But I fear that they might discover a workaround, like specifying the IP address and DNS server IPs manually.

    EDIT 2: The following code implements the feature in the Tomato firmware:

    /* Tomato firmware fragment: when the "dns_intcpt" NVRAM flag is set, emit a
     * PREROUTING rule that DNATs port-53 traffic from the LAN (lanaddr/lanmask)
     * that is not already destined for the LAN to the router's own LAN address. */
    if (nvram_match("dns_intcpt", "1")) {
        ipt_write("-A PREROUTING -p udp -s %s/%s ! -d %s/%s --dport 53 -j DNAT --to-destination %s\n",
                  lanaddr, lanmask,   /* -s source: the LAN */
                  lanaddr, lanmask,   /* ! -d: not already going to the LAN */
                  lanaddr);           /* --to-destination: the router */
    }
    

    Here is more about it.

    • TPouliquen
      TPouliquen almost 13 years
      Doesn't answer your question, but thought it worthwhile to point out that DNS is not exclusively UDP -- if the answer to a query is > 512 bytes, it will switch to TCP.
    • Alnitak
      Alnitak almost 13 years
      @Kanji more accurately, if the TC bit is set in the response, it'll switch to TCP. RFC 2671 allowed for UDP responses longer than 512 bytes.
  • Steve Townsend
    Steve Townsend almost 13 years
    +1 for 'not doing it at all'. KISS almost always wins.
  • clemens utschig
    clemens utschig almost 13 years
    I was using the Tomato firmware earlier, and it had a DNS intercept feature. It worked extremely well. I monitor my network frequently. To detect BitTorrent I use this command: iftop -pPB -i eth5. If the same port is being used by many WAN IPs to connect to a LAN IP, then the traffic is BitTorrent. And I used to ban those clients. So ultimately there was no BitTorrent traffic on the network. Now I use an Ubuntu server as a router, so I am looking for a way to intercept the DNS port.
  • Alnitak
    Alnitak almost 13 years
    and a determined user will tunnel their DNS requests off-net on a different port, or just use IPs, or any number of other workarounds. Policy problems are very rarely solved using technology - they are solved by having real sanctions for breaches of those policies.
  • Jaap Eldering
    Jaap Eldering almost 13 years
    @Alnitak: of course this doesn't stop the very perseverant, but it's a simple measure that works reasonably well. That car theft is illegal doesn't mean you leave your car keys in the ignition, right?