IPTables: block all dns requests except to the server(s) I specify
Hello,
I have been searching for an answer to this question for a while, so I hope that someone may have one.
I have a Linksys router running DD-WRT using OpenDNS instead of my ISP's DNS servers. I'm using OpenDNS mainly due to its free filtering capabilities. Now I know that if a user is savvy enough, all they have to do is manually define their DNS servers on their machine and bypass the filtering.
What I would like to do is block all DNS requests on port 53, TCP/UDP, except to the servers that I specify which will be 208.67.222.222 and 208.67.220.220. This will prevent users from using an alternate DNS server and bypassing the filtering.
I'm new to IPTables, I can look at them and understand what the current tables are doing, but I'm having a hard time figuring out if I can even do what I want to do. Any help would be greatly appreciated. Also, if you can point me to some good starter tutorials for IPTables that would be great!
OK, I have been playing around and I'm not sure if this is correct, but at least it's a start. I'm not sure which chain I should insert the jump command into: the OUTPUT or possibly the FORWARD chain.
Code:
#Create chain RejectDNS
iptables -N RejectDNS
#A user-defined chain cannot take a policy: -P only works on the built-in
#chains, so the "default DROP" has to be an explicit last rule (see below)
#Specify allowed DNS servers; anything else falls through to the final DROP
iptables -A RejectDNS -p tcp --dport 53 -d 208.67.222.222 -j ACCEPT
iptables -A RejectDNS -p tcp --dport 53 -d 208.67.220.220 -j ACCEPT
iptables -A RejectDNS -p udp --dport 53 -d 208.67.222.222 -j ACCEPT
iptables -A RejectDNS -p udp --dport 53 -d 208.67.220.220 -j ACCEPT
#Catch-all: without this, unmatched packets return to FORWARD and are not dropped
iptables -A RejectDNS -j DROP
#Upon matching, jump from the FORWARD (or OUTPUT?) chain to the RejectDNS chain
iptables -A FORWARD -p tcp --dport 53 -j RejectDNS
iptables -A FORWARD -p udp --dport 53 -j RejectDNS
Well, I ended up with the command below, but it doesn't seem to be working. If I define another DNS server manually, besides the two OpenDNS servers, the DNS request is still making it through the firewall. Any help would be appreciated.
Code:
#Create chain RejectDNS
iptables -N RejectDNS
#Flush the chain so the script can be re-run
iptables -F RejectDNS
#A user-defined chain cannot take a policy (-P is for built-in chains only),
#so the default DROP is an explicit last rule instead
#Specify allowed DNS servers; anything else falls through to the final DROP
iptables -A RejectDNS -p tcp --dport 53 -d 208.67.222.222 -j ACCEPT
iptables -A RejectDNS -p tcp --dport 53 -d 208.67.220.220 -j ACCEPT
iptables -A RejectDNS -p udp --dport 53 -d 208.67.222.222 -j ACCEPT
iptables -A RejectDNS -p udp --dport 53 -d 208.67.220.220 -j ACCEPT
#Catch-all for everything not accepted above
iptables -A RejectDNS -j DROP
#Jump rules (left commented out here, so nothing currently reaches RejectDNS)
#iptables -A OUTPUT -p tcp --dport 53 -j RejectDNS
#iptables -A OUTPUT -p udp --dport 53 -j RejectDNS
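The following is an added example, not code from the thread. It builds the DNS allow-list the poster is after, with the two fixes that matter: the catch-all is an explicit final rule (a user-defined chain cannot have a policy), and the jump is inserted at the top of FORWARD, because traffic from LAN clients passes through a router's FORWARD chain, while OUTPUT only sees the router's own lookups. The `IPT` variable, the `dns_rules` function name and the print-only default are assumptions of this example; the chain name and the two OpenDNS addresses come from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): DNS allow-list for a Linux gateway.
# Assumes the box is the LAN's router, so client DNS traverses FORWARD.
# By default the commands are only printed; run with IPT=iptables to apply.
IPT="${IPT:-echo iptables}"
ALLOWED_DNS="208.67.222.222 208.67.220.220"   # from the thread (OpenDNS)
CHAIN=RejectDNS                                 # chain name from the thread

# Emit (or apply) every rule needed for the allow-list chain.
dns_rules() {
    # -N fails if the chain already exists; flush it either way so re-runs are safe
    $IPT -N "$CHAIN" 2>/dev/null
    $IPT -F "$CHAIN"

    # Allow port 53 over TCP and UDP only to the listed resolvers
    for srv in $ALLOWED_DNS; do
        for proto in tcp udp; do
            $IPT -A "$CHAIN" -p "$proto" --dport 53 -d "$srv" -j ACCEPT
        done
    done

    # Explicit catch-all: a user-defined chain has no policy, so without this
    # an unmatched packet simply returns to FORWARD and is not blocked.
    # REJECT (rather than DROP) makes a client's lookup fail immediately
    # instead of timing out, which is friendlier to diagnose.
    $IPT -A "$CHAIN" -p udp --dport 53 -j REJECT
    $IPT -A "$CHAIN" -p tcp --dport 53 -j REJECT --reject-with tcp-reset

    # Insert at position 1 of FORWARD so an earlier blanket ACCEPT
    # (common in stock router rule sets) cannot let DNS bypass the chain
    $IPT -I FORWARD 1 -p udp --dport 53 -j "$CHAIN"
    $IPT -I FORWARD 1 -p tcp --dport 53 -j "$CHAIN"
}

# Print the plan when run directly; with IPT=iptables this applies it instead
dns_rules
```

Run it once with no variables set to review the generated rule list; then, on the router, run it with `IPT=iptables` (for example from DD-WRT's firewall script, which is re-run at boot). Checking that it took effect is a matter of `iptables -L FORWARD -n --line-numbers` showing the two jumps at the top, and a client configured with a third resolver getting an immediate failure instead of an answer.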
I was about to use my favorite iptables tool to produce an answer for you - then I noticed your interest in tutorials as well, so here is a much better answer:
fwbuilder
Install this package and play with it a bit. It may seem more involved than you need for this one problem, but I bet you'll fiddle with iptables much more when you see what complete code this tool generates while making it easy for you to see what it's doing. If you're trying to control creative users and/or hackers, this tool will become your best friend.