LinuxQuestions.org
Forums > Linux Forums > Linux - Networking
#1, 12-13-2008, 01:47 PM
Kage_ (LQ Newbie; Registered: Dec 2008; Location: Texas; Posts: 3)
IPTables: block all dns requests except to the server(s) I specify


Hello,

I have been searching for an answer to this question for a while, so I hope that someone may have an answer.

I have a Linksys router running DD-WRT using OpenDNS instead of my ISP's DNS servers. I'm using OpenDNS mainly due to its free filtering capabilities. Now I know that if a user is savvy enough, all they have to do is manually define their DNS servers on their machine and bypass the filtering.

What I would like to do is block all DNS requests on port 53, TCP/UDP, except to the servers that I specify, which will be 208.67.222.222 and 208.67.220.220. This will prevent users from using an alternate DNS server and bypassing the filtering.

I'm new to IPTables; I can look at them and understand what the current tables are doing, but I'm having a hard time figuring out if I can even do what I want to do. Any help would be greatly appreciated. Also, if you can point me to some good starter tutorials for IPTables, that would be great!

Thanks,

Kage_
 
#2, 12-13-2008, 02:56 PM
Kage_ (Original Poster; LQ Newbie; Registered: Dec 2008; Location: Texas; Posts: 3)
OK, I have been playing and I'm not sure if this is correct, but at least it's a start. I'm not sure which chain I should insert the jump command into: the OUTPUT or possibly the FORWARD chain.

Code:
#Create Chain RejectDNS
iptables -N RejectDNS
#-P sets a policy only on the built-in chains (INPUT/FORWARD/OUTPUT) and fails on a
#user-defined chain such as RejectDNS, so the "default DROP" is the last rule below
#Specify allowed DNS servers, drop any other requests
iptables -A RejectDNS -p tcp --dport 53 -d 208.67.222.222 -j ACCEPT
iptables -A RejectDNS -p tcp --dport 53 -d 208.67.220.220 -j ACCEPT
iptables -A RejectDNS -p udp --dport 53 -d 208.67.222.222 -j ACCEPT
iptables -A RejectDNS -p udp --dport 53 -d 208.67.220.220 -j ACCEPT
#Anything not accepted above is dropped
iptables -A RejectDNS -j DROP
#Upon matching Jump from the Forward? Output? chain to the RejectDNS chain
iptables -A FORWARD -p tcp --dport 53 -j RejectDNS
iptables -A FORWARD -p udp --dport 53 -j RejectDNS

Last edited by Kage_; 12-13-2008 at 03:09 PM.
 
#3, 12-14-2008, 01:45 PM
Kage_ (Original Poster; LQ Newbie; Registered: Dec 2008; Location: Texas; Posts: 3)
Well, I ended up with the commands below, but it doesn't seem to be working. If I define another DNS server manually, besides the two OpenDNS servers, the DNS request is still making it through the firewall. Any help would be appreciated.

Code:
#Create Chain RejectDNS (fails harmlessly if the chain already exists)
iptables -N RejectDNS
#Flush the chain so the script can be re-run without duplicating rules
iptables -F RejectDNS
#-P only works on built-in chains; a user-defined chain gets its DROP as the last rule below
#Specify allowed DNS servers, drop any other requests
iptables -A RejectDNS -p tcp --dport 53 -d 208.67.222.222 -j ACCEPT
iptables -A RejectDNS -p tcp --dport 53 -d 208.67.220.220 -j ACCEPT
iptables -A RejectDNS -p udp --dport 53 -d 208.67.222.222 -j ACCEPT
iptables -A RejectDNS -p udp --dport 53 -d 208.67.220.220 -j ACCEPT
#Anything not accepted above is dropped
iptables -A RejectDNS -j DROP
#Upon matching Jump from the Forward? Output? chain to the RejectDNS chain
#(both jump rules are commented out here, so no packet is ever sent to RejectDNS)
#iptables -A OUTPUT -p tcp --dport 53 -j RejectDNS
#iptables -A OUTPUT -p udp --dport 53 -j RejectDNS
 
#4, 12-14-2008, 05:42 PM
Tinker06 (LQ Newbie; Registered: Apr 2006; Location: Poulsbo, WA; Distribution: Debian; Posts: 5)
I was about to use my favorite iptables tool to produce an answer for you, then I noticed your interest in tutorials as well, so here is a much better answer:

fwbuilder

Install this package and play with it a bit. It may seem more involved than you need for this one problem, but I bet you'll fiddle with iptables much more once you see what complete code this tool generates, while making it easy for you to see what it's doing. If you're trying to control creative users and/or hackers, this tool will become your best friend.

Cheers
 
#5, 08-25-2019, 02:18 PM
dzmanto (LQ Newbie; Registered: Aug 2019; Posts: 1)
My fix to the dns issue

Here's what I did using iptables on an Ubuntu 18.04 machine:

Code:
#iptables -A OUTPUT -d 208.67.222.123 -p udp -m udp --dport 53 -j ACCEPT 
#iptables -A OUTPUT -d 208.67.220.123 -p udp -m udp --dport 53 -j ACCEPT 
#iptables -A OUTPUT -p udp -m udp --dport 53 -j DROP
The solution can be made permanent by adding the following lines to /etc/iptables/rules.v4:

Code:
-A OUTPUT -d 208.67.222.123 -p udp -m udp --dport 53 -j ACCEPT 
-A OUTPUT -d 208.67.220.123 -p udp -m udp --dport 53 -j ACCEPT 
-A OUTPUT -p udp -m udp --dport 53 -j DROP
Those lines are finally enabled by calling:

Code:
#iptables-restore < /etc/iptables/rules.v4
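The two open points in this thread, which chain the jump belongs in (posts #2 and #3) and how to keep the rules across reboots (post #5), come down to the same small ruleset, so here is one added example that is not code from any of the posters. On a router such as the DD-WRT box in post #1, packets from LAN clients are routed, not locally generated, so they traverse FORWARD; OUTPUT only sees the router's own queries, which is why the host-local Ubuntu rules in post #5 hook OUTPUT. A policy (`-P`) can only be set on the built-in chains, so a user-defined chain needs an explicit final DROP. Post #5 also matches UDP only, leaving TCP/53 open, and covers IPv4 only. The script below generates an iptables-restore fragment for either hook, covering TCP and UDP, and includes a checker that rejects a ruleset whose DROP precedes an ACCEPT. The chain name RestrictDNS, the log prefix and the checker's messages are my assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Generates an iptables-restore fragment that
# lets port-53 TCP/UDP traffic reach only the listed resolvers and drops (and
# rate-limited logs) everything else.
#
#   gen_dns_rules HOOK RESOLVER [RESOLVER...]
#
# HOOK is the built-in chain the traffic actually traverses:
#   FORWARD  packets routed through the box for LAN clients (the DD-WRT case)
#   OUTPUT   the machine's own queries (the Ubuntu case)
# Chain name RestrictDNS and the log prefix are assumptions, not iptables defaults.

gen_dns_rules() {
    hook="$1"
    shift
    [ "$#" -ge 1 ] || { echo "usage: gen_dns_rules HOOK RESOLVER..." >&2; return 1; }
    printf '%s\n' '*filter'
    # ':NAME - [0:0]' declares a user chain with no policy: -P only applies to
    # built-in chains, so the "default DROP" is an explicit last rule below.
    printf '%s\n' ':RestrictDNS - [0:0]'
    for srv in "$@"; do
        for proto in tcp udp; do
            printf '%s\n' "-A RestrictDNS -d $srv -p $proto --dport 53 -j ACCEPT"
        done
    done
    # Anything still here is a DNS packet to a non-approved resolver: log and drop.
    printf '%s\n' '-A RestrictDNS -m limit --limit 5/min -j LOG --log-prefix "DNS-BLOCKED: "'
    printf '%s\n' '-A RestrictDNS -j DROP'
    # Divert only port-53 traffic into the chain, inserted (-I) at the top so an
    # existing general ACCEPT in the hook chain cannot shadow it.
    for proto in tcp udp; do
        printf '%s\n' "-I $hook -p $proto --dport 53 -j RestrictDNS"
    done
    printf '%s\n' 'COMMIT'
}

# Sanity check for a generated or hand-written ruleset: at least one ACCEPT, a
# final DROP that comes after every ACCEPT, and hooks for both protocols.
# Prints "ok" and returns 0, or names the first problem and returns 1.
check_dns_rules() {
    rules="$1"
    last_accept=$(printf '%s\n' "$rules" | awk '/^-A RestrictDNS .* -j ACCEPT$/ {n=NR} END {print n+0}')
    drop=$(printf '%s\n' "$rules" | awk '/^-A RestrictDNS -j DROP$/ {print NR; exit}')
    [ "$last_accept" -gt 0 ] || { echo "no ACCEPT rule in RestrictDNS"; return 1; }
    [ -n "$drop" ] || { echo "no final DROP in RestrictDNS"; return 1; }
    [ "$last_accept" -lt "$drop" ] || { echo "DROP precedes an ACCEPT"; return 1; }
    for proto in tcp udp; do
        printf '%s\n' "$rules" | grep -q -- "-p $proto --dport 53 -j RestrictDNS" \
            || { echo "no $proto hook into RestrictDNS"; return 1; }
    done
    echo ok
}

# Stand-alone use: ./dnsrules.sh FORWARD 208.67.222.222 208.67.220.220 > dns.rules
if [ "$#" -ge 2 ]; then
    rules=$(gen_dns_rules "$@") && check_dns_rules "$rules" >&2 && printf '%s\n' "$rules"
fi
```

Apply the fragment with `iptables-restore --noflush < dns.rules` (and the same file through `ip6tables-restore` with IPv6 resolver addresses if the LAN has IPv6). Without `--noflush`, iptables-restore replaces the entire filter table with the fragment, which would discard the rest of the firewall; with it, redeclaring RestrictDNS flushes just that chain, but the `-I` hook lines are prepended again on each run, so load the fragment once per boot. The same rules dropped into /etc/iptables/rules.v4 as in post #5 work unchanged because that file is a full table, which iptables-restore then loads with flushing.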