New Member
Posts: 2
Registered: 12-08-2014

force open dns servers

What I want to do is block all DNS queries unless they are going to the OpenDNS servers. I followed the guide here and here:

https://support.opendns.com/entries/26374985-Preventing-circumvention-of-OpenDNS-with-firewall-rules

http://community.ubnt.com/t5/EdgeMAX/block-outbound-DNS-requests-from-LAN-but-not-from-EdgeRouter/td...

and came up with the configuration I have which doesn’t work.

Created ruleset ETH_IN
interface: eth2/in, eth2/out
default action: reject

Rule 1:
Action: accept
Protocol: UDP
Destination IP: 208.67.222.222
Destination port: 53

Rule 2:
Action: reject
Protocol: UDP
Destination port: 53

This seems logical to me but evidently I'm wrong. Can someone tell me what I'm doing wrong here?

New Member
Posts: 2
Registered: 12-08-2014

Re: force open dns servers

Actually, I figured it out. In the ruleset, the default action needs to be "accept".
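For anyone reproducing the firewall approach from this thread on the EdgeOS command line, here is the ruleset described above with the fix from this reply (default action accept) applied. This is an added example, not the poster's exported configuration; it assumes the LAN interface is eth2 and applies the ruleset only in the "in" direction on it. It also goes slightly beyond the post: rule 1 covers both OpenDNS resolvers and TCP as well as UDP, because DNS falls back to TCP for answers too large for a UDP datagram.

```edgeos
# Added example: EdgeOS CLI form of the ETH_IN ruleset, with default-action accept.
# Assumptions: eth2 is the LAN interface; the address-group name OPENDNS is ours.
configure

set firewall name ETH_IN default-action accept
set firewall name ETH_IN description "LAN: allow DNS only to OpenDNS"

# Both OpenDNS resolvers in one address group so rule 1 stays a single rule
set firewall group address-group OPENDNS address 208.67.222.222
set firewall group address-group OPENDNS address 208.67.220.220

# Rule 1: accept DNS (UDP and TCP, port 53) to the OpenDNS resolvers
set firewall name ETH_IN rule 1 action accept
set firewall name ETH_IN rule 1 protocol tcp_udp
set firewall name ETH_IN rule 1 destination port 53
set firewall name ETH_IN rule 1 destination group address-group OPENDNS

# Rule 2: reject DNS to any other resolver; traffic that is not port 53
# never matches either rule and falls through to the default action (accept)
set firewall name ETH_IN rule 2 action reject
set firewall name ETH_IN rule 2 protocol tcp_udp
set firewall name ETH_IN rule 2 destination port 53

# "in" filters packets entering eth2 from the LAN that the router forwards;
# queries to the router's own resolver are handled by the "local" direction
# and are therefore not affected by this ruleset
set interfaces ethernet eth2 firewall in name ETH_IN

commit
save
exit
```

With a reject default the original ruleset dropped every non-DNS packet from the LAN, which is why nothing worked until the default was changed to accept. Note that this approach still breaks DNS for any client configured with a third-party resolver; the NAT redirect discussed later in the thread is the variant that keeps those clients working.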

New Member
Posts: 4
Registered: 05-19-2015
Kudos: 1

Re: force open dns servers

As a better alternative IMHO, set up a dest NAT to redirect all dns traffic to either the local dns IP (which is then configured to use opendns) or to opendns directly.

The reason why this is better is because regardless of what someone has configured for their DNS server (google, isp, etc) it will just transparently send them to your secured connection, instead of just blocking it. You could do both, but it's kinda redundant at that point. If you use your F/W to just block udp 53 (dns) to anything but Opendns, people who might have a third party dns configured, or try to use google dns, will just fail. With a NAT rule, they'll succeed, totally oblivious to the fact that they're still using opendns anyway.

 

See this thread for more info https://community.ubnt.com/t5/UniFi-Wireless/Redirect-all-DNS-to-OpenDNS/td-p/1038683

New Member
Posts: 4
Registered: 01-07-2016

Re: force open dns servers

I know this is an old thread, however I am still having trouble.  I am trying to do the same thing and redirect my DNS traffic regardless of the client side to the OpenDNS servers.  Here is what I have so far.  This config works, but if someone enters 8.8.8.8 or any other DNS server for their DNS, then they just get a page can't be displayed.  Instead I would like all traffic to redirect to the OpenDNS servers and it be seamless for the end user.  Please let me know how to correct this with the steps through the CLI or GUI so I can redirect instead of block.  Thank you.

[attachment: opendns.jpg]

New Member
Posts: 4
Registered: 05-19-2015
Kudos: 1

Re: force open dns servers

You've firewalled so only OpenDNS works. If you do that, unless you have OpenDNS configured as your resolver, you won't get DNS, since that is the only connection on 53 (DNS) that is allowed.

The link above is to transparently redirect all outbound 53 to opendns, so regardless of what DNS you have configured, you get redirected to opendns anyway. There are ways around it, but for the most part this would transparently allow everyone to function, with opendns, regardless of how their DNS is configured. If you want that to happen, you need to use NAT rules, not the firewall rules above. (You can certainly do both, but the firewall rules would be redundant/unnecessary with NAT redirection rules in place)

New Member
Posts: 4
Registered: 01-07-2016

Re: force open dns servers

Thank you for your help and quick reply.  I would prefer to do it the way you just informed me of through NAT and not the firewall rules then.  Here is something I created.  What do I need to add to make it work how you suggested?  The 172.16.0.1 is the local IP of my router and is also my DNS server that gets handed out to all of my clients that connect via DHCP.  The router DNS is configured to use both OpenDNS servers.

[attachment: opendns.jpg]

New Member
Posts: 3
Registered: 08-08-2016
Kudos: 2

Re: force open dns servers

Hey @mhapp1203 in case you or anyone else is running into the same problem, here's the solution I interpreted from the other thread to enforce DNS redirect:

[attachment: Screen Shot 2016-11-02 at 10.39.34 PM.png]

My router's IP is 192.168.1.1 and I have eth1-4 configured as switch0.  Basically your rule was close; you have to use ! in dest address to say "redirect any address request over 53 that is NOT 192.168.1.1"

I am using dnsmasq forwarding; that's why I have it translated to 192.168.1.1.  You can easily replace the address with any other DNS IP address.
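Since the screenshot does not survive in text form, here is the same redirect written as an EdgeOS CLI destination-NAT rule. This is an added example, not an export of totallag's rule; it assumes the LAN bridge is switch0, the router's LAN address (where dnsmasq listens) is 192.168.1.1, NAT rule number 1 is unused, and it adds the dns forwarding lines so the redirected queries actually end up at OpenDNS. The translation target has to be an address that LAN clients can reach, which is also why a loopback address would not work in its place.

```edgeos
# Added example: destination NAT that sends every LAN DNS query to the local
# resolver, regardless of which resolver the client has configured.
# Assumptions: switch0 is the LAN, 192.168.1.1 is the router's LAN address,
# rule 1 is free.
configure

set service nat rule 1 description "Redirect LAN DNS to the local resolver"
set service nat rule 1 type destination
set service nat rule 1 inbound-interface switch0
# Cover TCP as well as UDP; large answers and zone transfers use TCP 53
set service nat rule 1 protocol tcp_udp
set service nat rule 1 destination port 53
# "!" negates the match: queries to any resolver EXCEPT the router itself.
# Clients already pointed at 192.168.1.1 are left untouched. Quoted so the
# CLI does not treat "!" specially.
set service nat rule 1 destination address '!192.168.1.1'
# Rewrite the destination to the router's LAN address; this must be an
# address reachable from the LAN, so 127.0.0.1 is not usable here
set service nat rule 1 inside-address address 192.168.1.1
set service nat rule 1 inside-address port 53
set service nat rule 1 log disable

# The resolver receiving the redirected queries forwards them to OpenDNS
set service dns forwarding listen-on switch0
set service dns forwarding name-server 208.67.222.222
set service dns forwarding name-server 208.67.220.220

commit
save
exit
```

To check it from a LAN client, point a query at some other resolver (for example `dig @8.8.8.8 example.com`); it should still be answered, because the router rewrote the destination and dnsmasq served it via OpenDNS. The OpenDNS welcome page mentioned later in this thread is the other quick confirmation. Clients that use DNS over TLS or HTTPS, or a VPN, bypass a port-53 redirect, so treat this as a policy for ordinary resolvers rather than a hard guarantee.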

Emerging Member
Posts: 82
Registered: 11-13-2013
Kudos: 4
Solutions: 4

Re: force open dns servers

Hi totallag, I'm not sure if I should try a new post or if I can just reply to this one, but I'll try it here.

Would you have any clear instructions to set the Unifi Security Gateway version 5.3.8 to force users to use open dns servers? Also would like to block all vpn if that's possible.

My setup now is internet-usg-air router hp (using it as a switch)-4 unifi aps.  Right now I can force users to use open dns with the firewall setting in the air router hp, but would like to do it in the usg. Also I am really new to this firewall settings stuff, thanks for helping us newbies out.

New Member
Posts: 27
Registered: 11-06-2015
Kudos: 20

Re: force open dns servers

I have posted complete instructions here to do this with a USG:

https://community.ubnt.com/ubnt/board/message?board.id=USG&message.id=33337#M33337

Thanks,

Tom

Emerging Member
Posts: 82
Registered: 11-13-2013
Kudos: 4
Solutions: 4

Re: force open dns servers

Is there any way I can do it in the Unifi Controller?

I have never used SSH. Shouldn't I be able to add a rule here on this screenshot?

[attachment: 2017-02-06.png]

Senior Member
Posts: 4,260
Registered: 01-04-2017
Kudos: 592
Solutions: 205

Re: force open dns servers

Wrong forum, not to mention you're attempting to resurrect a 2-year-old post.

Emerging Member
Posts: 89
Registered: 06-19-2015
Kudos: 38

Re: force open dns servers


totallag wrote:

Hey @mhapp1203 in case you or anyone else is running into the same problem, here's the solution I interpreted from the other thread to enforce DNS redirect:

[attachment: Screen Shot 2016-11-02 at 10.39.34 PM.png]

My router's IP is 192.168.1.1 and I have eth1-4 configured as switch0.  Basically your rule was close; you have to use ! in dest address to say "redirect any address request over 53 that is NOT 192.168.1.1"

I am using dnsmasq forwarding; that's why I have it translated to 192.168.1.1.  You can easily replace the address with any other DNS IP address.


This appears to work! Thank you!

Now when I change the DNS on a workstation to say, 8.8.8.8, clear DNS cache, and then go to http://opendns.com/welcome it still shows that we're using opendns. Awesome.

New Member
Posts: 12
Registered: 06-28-2016
Kudos: 6
Solutions: 2

Re: force open dns servers

Hello @totallag.

Do you know if instead of using the interface IP for the translation address, can I use 127.0.0.1 since I am using the dnsmasq on the edgerouter as the primary DNS?

Edit:

Maybe using 127.0.0.1 is not a good idea since I might have to also create firewall rules?

Emerging Member
Posts: 89
Registered: 06-19-2015
Kudos: 38

Re: force open dns servers

I don't think that will work using the local host IP of 127.0.0.1. This rule is matching traffic coming in from the LAN, and no packets will travel on the LAN looking for 127.0.0.1.
