  #1, Untangler (joined May 2008, 31 posts)

    How to Block External Manually Entered DNS and Force Use of Only the DNS in Untangle

    Hello,

    I would love some help doing this. By reading other threads it seems like it is possible. I just would love some screen shots. We are a small school and I do not have a lot of time to play with the firewall.

    In short, we have some students who, if they go into a computer and enter a manual DNS like Google DNS, will bypass the OpenDNS servers we have in Untangle.

    I did include a WAN screen shot: Wan Setup.JPG

    Thank You for the help.

  #2, Untangler (joined May 2008, 31 posts)

    Somebody else posted this, but I do not understand it 100%. Sorry for my ignorance.

    Pass traffic to DNS from Gateway
    Source address is 'DNS Servers'
    Source Interface is External
    Destination Interface is Internal
    Destination port is 53
    Protocol is UDP

    Pass DNS traffic to OpenDNS
    Destination address is 208.67.220.220 , 208.67.222.222
    Source interface is Internal
    Destination interface is External
    Destination Port is 53
    Protocol is UDP

    Block DNS traffic, all except OpenDNS
    Destination port is 53
    Protocol is TCP

  #3, dmorris, Untangle Junkie (joined Nov 2006, San Carlos, CA, 17,582 posts)

    That's much too complicated (and the first rule makes no sense).

    rule 1:
    protocol = tcp,udp
    destination port = 53
    destination address = 208.68.222.222,208.67.220.220
    allow

    rule 2:
    protocol tcp,udp
    destination port = 53
    block


    either firewall rules or filter rules will work
    firewall rules are better if you want this effect on only certain policies
    filter rules are more performant though if you just want this globally


    alternatively you can just block ALL port 53
    then their only option will be to use Untangle itself for DNS resolution.
    whether or not you want to go this route depends on your network
    Last edited by dmorris; 02-27-2018 at 12:10 PM.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com
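    The two-rule policy in the post above is order-sensitive, and it is easy to check that on paper before touching the firewall. The following is an added example, not code from this thread or from Untangle: a first-match evaluator that encodes dmorris's allow-then-block rules, plus his "block ALL port 53" variant, and runs them over constructed sample flows. The resolver addresses are the OpenDNS ones quoted in post #2; the client addresses and the Flow/Rule types are assumptions made for the illustration.

```python
"""Added example, not code from the thread or from Untangle: a first-match
evaluator for the two DNS egress rules dmorris gives in post #3, using the
OpenDNS addresses quoted in post #2. All flows below are constructed samples."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Resolver addresses as quoted in post #2 (OpenDNS).
APPROVED_DNS = frozenset({"208.67.222.222", "208.67.220.220"})


@dataclass(frozen=True)
class Flow:
    proto: str   # "tcp" or "udp"
    src: str     # client address (reporting only)
    dst: str     # destination address
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    name: str
    protos: FrozenSet[str]
    dport: Optional[int]              # None matches any port
    dsts: Optional[FrozenSet[str]]    # None matches any destination
    action: str                       # "allow" or "block"

    def matches(self, f: Flow) -> bool:
        return (f.proto in self.protos
                and (self.dport is None or f.dport == self.dport)
                and (self.dsts is None or f.dst in self.dsts))


# Rule order exactly as in post #3: allow the approved resolvers first,
# then block every other destination on port 53.
DNS_POLICY: List[Rule] = [
    Rule("allow approved DNS", frozenset({"tcp", "udp"}), 53, APPROVED_DNS, "allow"),
    Rule("block other DNS", frozenset({"tcp", "udp"}), 53, None, "block"),
]

# The simpler variant from the same post: block ALL client traffic on port 53,
# so the clients' only option is to use Untangle itself for resolution.
BLOCK_ALL_DNS: List[Rule] = [DNS_POLICY[1]]


def evaluate(flow: Flow, policy: List[Rule] = DNS_POLICY,
             default: str = "allow") -> Tuple[str, str]:
    """First matching rule wins; traffic no rule matches gets the default action."""
    for rule in policy:
        if rule.matches(flow):
            return rule.action, rule.name
    return default, "no rule matched"


def blocked_flows(flows: List[Flow], policy: List[Rule] = DNS_POLICY) -> List[Flow]:
    """Pre-deployment check: which of these sample flows would the policy stop?"""
    return [f for f in flows if evaluate(f, policy)[0] == "block"]


if __name__ == "__main__":
    # Constructed sample flows from a client subnet (assumed addresses).
    samples = [
        Flow("udp", "10.10.5.20", "8.8.8.8", 53),          # student typed in Google DNS
        Flow("udp", "10.10.5.20", "208.67.222.222", 53),   # the approved OpenDNS resolver
        Flow("tcp", "10.10.5.21", "1.1.1.1", 53),          # DNS over TCP to another resolver
        Flow("tcp", "10.10.5.21", "93.184.216.34", 443),   # ordinary HTTPS, not DNS
    ]
    for f in samples:
        print(f, "->", evaluate(f))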

  #4, Untangler (joined May 2008, 31 posts)

    Thank you for the help. I will try it tomorrow.

    How would I block all for Port 53 in the Filter Rules ?


    Thanks Again

  #5, dmorris, Untangle Junkie (joined Nov 2006, San Carlos, CA, 17,582 posts)

    protocol=tcp,udp
    destination port=53
    block

  #6, Master Untangler (joined May 2010, Texas, USA, 674 posts)

    You can also just make a port forward to forward any outbound DNS that is not to your approved servers back to Untangle, which will then only use your specified servers.

    The good part of doing that is that any clients that have hardcoded/unchangeable DNS (like some IoT devices) still work, but get redirected to your approved DNS automatically.

  #7, dmorris, Untangle Junkie (joined Nov 2006, San Carlos, CA, 17,582 posts)

    Quote, originally posted by JasonJoel:
    > You can also just make a port forward to forward any outbound DNS that is not to your approved servers back to Untangle, which will then only use your specified servers.
    >
    > The good part of doing that is that any clients that have hardcoded/unchangeable DNS (like some IoT devices) still work, but get redirected to your approved DNS automatically.


    That's a good trick.

  #8, jcoehoorn, Untangle Ninja (joined Mar 2010, York, NE, 1,594 posts)

    I'm considering doing the port-forward thing because we have a split-DNS where public-facing services resolve to an internal address if you look them up from within our network. People who have manually set, say, the Google DNS servers will end up trying to use the external IP. At best that results in hairpin traffic through Untangle. At worst, it doesn't work or even uses public internet bandwidth in both the upstream and downstream directions. Forwarding outbound DNS except my internal DNS servers to my internal DNS servers would stop that.

    I haven't pulled the trigger yet because I'm concerned about caching... that it will break our services when people who were just on campus take their devices off site (or even when they just roam to 4G while walking through an open area on campus with no wifi). I probably should just do it... if this were going to be a problem, I'd already be hearing about it, because the vast majority of my users don't manually set DNS and are already using our DNS servers.
    Last edited by jcoehoorn; 02-27-2018 at 08:21 PM.
    Five time Microsoft ASP.Net MVP managing a Lenovo RD330 / E5-2420 / 16GB with Untangle 14.0 to protect 700Mbits for ~400 residential college students and associated staff and faculty

  #9, Master Untangler (joined May 2010, Texas, USA, 674 posts)

    There are probably multiple ways to do it, but here is my port forward. My main LAN is VLAN2 and I use the Untangle server (192.168.2.1) as my DNS normally - and in turn it is pointed to my ISP DNS.

    [Attachment: Capture.PNG, screenshot of the port forward rule]
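    The port-forward approach from posts #6 and #9 behaves differently from a block rule: the query still gets answered, just by a resolver you chose. The following is an added example, not code from this thread or from Untangle, modelling that DNAT in Python so its effect on a hardcoded-DNS client can be checked. It uses the Untangle address 192.168.2.1 from post #9; the client addresses, the Packet type, and the 10.0.0.5 internal-resolver address used for jcoehoorn's split-DNS variant from post #8 are constructed for the illustration.

```python
"""Added example, not code from the thread or from Untangle: a model of the
port-forward (DNAT) approach from posts #6 and #9. Any client DNS query not aimed
at an approved resolver is rewritten to the local resolver, and the translation
is remembered so the reply can be un-translated. That reverse step is why clients
with hardcoded DNS keep working: they see an answer from the address they asked."""
from dataclasses import dataclass, replace
from typing import Dict, Set, Tuple

UNTANGLE_DNS = "192.168.2.1"   # Untangle address given in post #9
DNS_PORTS = {53}


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class DnsRedirector:
    """Stateful DNAT for port 53: approved destinations pass untouched, every
    other DNS destination is steered to `redirect_to`. Translation state is keyed
    on (protocol, client address, client port), the part of the tuple a reply
    carries back unchanged."""

    def __init__(self, approved: Set[str], redirect_to: str = UNTANGLE_DNS):
        # The redirect target is always an acceptable destination itself.
        self.approved = set(approved) | {redirect_to}
        self.redirect_to = redirect_to
        self._nat: Dict[Tuple[str, str, int], str] = {}   # key -> original dst

    def outbound(self, p: Packet) -> Packet:
        """Client -> network direction."""
        if p.dport not in DNS_PORTS or p.dst in self.approved:
            return p   # not DNS, or already going where we want it to go
        self._nat[(p.proto, p.src, p.sport)] = p.dst
        return replace(p, dst=self.redirect_to)

    def inbound(self, reply: Packet) -> Packet:
        """Resolver -> client direction: restore the original server address so
        the client believes its chosen resolver answered."""
        key = (reply.proto, reply.dst, reply.dport)
        original_dst = self._nat.get(key)
        if original_dst is None or reply.src != self.redirect_to:
            return reply   # no translation state for this reply; pass through
        return replace(reply, src=original_dst)

    def active_translations(self) -> int:
        """How many client queries are currently being steered (for reporting)."""
        return len(self._nat)


if __name__ == "__main__":
    nat = DnsRedirector(approved={UNTANGLE_DNS})
    # Constructed: a device with Google DNS hardcoded, on the VLAN2 LAN from post #9.
    query = Packet("udp", "192.168.2.50", 51000, "8.8.8.8", 53)
    print("outbound:", nat.outbound(query))
    answer = Packet("udp", UNTANGLE_DNS, 53, "192.168.2.50", 51000)
    print("inbound: ", nat.inbound(answer))
```

Passing a different `redirect_to` (an internal DNS server) and listing the internal servers as `approved` gives the split-DNS variant jcoehoorn describes, where every stray query lands on the internal resolver and public names resolve to internal addresses as intended. The model deliberately leaves non-DNS traffic and queries already addressed to an approved server untouched, which is the "except your approved servers" condition in post #6.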

  #10, Master Untangler (joined Mar 2017, 180 posts)

    Quote, originally posted by dmorris:
    > firewall rules are better if you want this effect on only certain policies
    > filter rules are more performant though if you just want this globally
    It would be just great to have some sort of DNAT/Port Forward in the Firewall app to do these shenanigans on per-policy scenarios
