Maybe allow only the DNS servers you want? For example:
Code:
iptables -A FORWARD -p UDP -i eth0 -o eth1 --dport 53 -d 8.8.8.8 -j ACCEPT
iptables -A FORWARD -p UDP -i eth0 -o eth1 --dport 53 -j REJECT
This can easily be expanded to allow more DNS servers as well as TCP queries. For example:
Code:
iptables -A FORWARD -p UDP -i eth0 -o eth1 --dport 53 -d 8.8.8.8 -j ACCEPT
iptables -A FORWARD -p TCP -i eth0 -o eth1 --dport 53 -d 8.8.8.8 -j ACCEPT
iptables -A FORWARD -p UDP -i eth0 -o eth1 --dport 53 -d 8.8.4.4 -j ACCEPT
iptables -A FORWARD -p TCP -i eth0 -o eth1 --dport 53 -d 8.8.4.4 -j ACCEPT
iptables -A FORWARD -p UDP -i eth0 -o eth1 --dport 53 -j REJECT
iptables -A FORWARD -p TCP -i eth0 -o eth1 --dport 53 -j REJECT
That said, if your DNS daemon is running on your LAN then you could just block all outbound port 53 traffic, like:
Code:
iptables -A FORWARD -p UDP -i eth0 -o eth1 --dport 53 -j REJECT
iptables -A FORWARD -p TCP -i eth0 -o eth1 --dport 53 -j REJECT
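A small generator for the allow-list pattern above, added here as an example and not part of the original post: given the LAN and WAN interface names and a list of permitted resolvers, it prints the per-resolver ACCEPT rules for UDP and TCP port 53 followed by the catch-all REJECT rules, so the order stays correct however long the resolver list gets. The interface roles (eth0 = LAN, eth1 = WAN) and the resolver addresses are assumptions carried over from the post; the script only prints the rules and does not touch the firewall itself.

```shell
#!/bin/sh
# Emit FORWARD rules that allow DNS (port 53, UDP and TCP) only to the
# listed resolvers and reject every other forwarded query on port 53.
# Usage: dns_egress_rules LAN_IF WAN_IF RESOLVER...
# Interface names and resolver addresses are assumptions for this example.

dns_egress_rules() {
    lan_if=$1
    wan_if=$2
    shift 2
    # One ACCEPT rule per resolver per protocol, in the order given.
    for server in "$@"; do
        for proto in udp tcp; do
            printf 'iptables -A FORWARD -p %s -i %s -o %s --dport 53 -d %s -j ACCEPT\n' \
                "$proto" "$lan_if" "$wan_if" "$server"
        done
    done
    # Catch-all: any other forwarded DNS query from the LAN is rejected.
    # These must come last, because iptables evaluates rules top to bottom.
    for proto in udp tcp; do
        printf 'iptables -A FORWARD -p %s -i %s -o %s --dport 53 -j REJECT\n' \
            "$proto" "$lan_if" "$wan_if"
    done
}

# Number of rules a generated set contains: 2 per resolver plus 2 REJECTs.
dns_egress_rule_count() {
    dns_egress_rules "$@" | wc -l | tr -d ' '
}

# Example run with the two resolvers from the post. Review the output first;
# to apply it on the router: dns_egress_rules eth0 eth1 8.8.8.8 8.8.4.4 | sh
dns_egress_rules eth0 eth1 8.8.8.8 8.8.4.4
```

Adding a resolver is then one more argument rather than two hand-written rules, and the REJECT pair cannot accidentally end up ahead of an ACCEPT.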