Off the top of my head you'd need a custom rule along the lines of:

# $INTIF is the internal (LAN) interface variable used by the AstLinux/Arno firewall.
# Order matters: the two OpenDNS ACCEPT rules must be appended before the catch-all
# REJECT, because iptables stops at the first rule in the chain that matches.
iptables -A FORWARD -i $INTIF -m udp -p udp --dport 53 -d 208.67.222.222 -j ACCEPT
iptables -A FORWARD -i $INTIF -m udp -p udp --dport 53 -d 208.67.220.220 -j ACCEPT
iptables -A FORWARD -i $INTIF -m udp -p udp --dport 53 -j REJECT

# and for tcp for completeness
iptables -A FORWARD -i $INTIF -m tcp -p tcp --dport 53 -d 208.67.222.222 -j ACCEPT
iptables -A FORWARD -i $INTIF -m tcp -p tcp --dport 53 -d 208.67.220.220 -j ACCEPT
iptables -A FORWARD -i $INTIF -m tcp -p tcp --dport 53 -j REJECT

Ideally you'd simply drop all packets bound for dport 53 in the FORWARD table. That would keep clients from using anything but your local dnsmasq instance (and whatever upstream dns servers you have specified there).

I'm sure Lonnie or someone else can make this more "Arno friendly" ;).

On Sun, Jul 15, 2012 at 5:01 PM, David Kerr <[email protected]> wrote:
> So, the OpenDNS was mentioned on this list a few days ago. I use this
> service and the mention on this list prompted me to check my settings to
> make sure that I was still appropriately blocking access to web site
> categories. And it started me thinking... it would be easy for a savvy user
> to reconfigure their client DNS settings such that it no longer pointed to
> 192.168.1.1 (or whatever AstLinux is on your network, or whatever DHCP
> returned) and instead pointed to a public DNS server, maybe my ISP's DNS
> server.
>
> So... is there a way to configure the AstLinux firewall to block DNS
> requests from any internal client to any external DNS server? In other
> words, enforce internal clients to use the AstLinux DNS server. For extra
> credit... a rule that would nevertheless permit access to the OpenDNS
> servers 208.67.222.222 and 208.67.220.220.
>
> Thanks,
> David
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Astlinux-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>
> Donations to support AstLinux are graciously accepted via PayPal to
> [email protected].

--
Kristian Kielhofner
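The rule set above, written out as a small script with a detection step, as an added example that is not part of the thread and not AstLinux or Arno code. It keeps the same idea (accept DNS to the two OpenDNS servers, reject everything else on port 53 in FORWARD) and adds a rate-limited LOG rule before the REJECT so bypass attempts show up in the kernel log, plus a helper that summarizes those log lines per internal client. The interface name eth1 (as a default for INTIF), the "DNS-BYPASS: " log prefix and the sample log lines are all constructed for the example. It relies on the fact that queries sent to the router's own resolver arrive via the INPUT chain, not FORWARD, so the REJECT only hits traffic bound for outside servers; like the original rules it covers plain port-53 DNS only.

```shell
#!/bin/sh
# Added example (not from the original thread). With no argument it prints the
# iptables commands and a summary of the constructed sample log; with "apply"
# it pipes the commands into sh (needs root and iptables on the router).

INTIF="${INTIF:-eth1}"                       # assumed internal interface name
ALLOWED_DNS="208.67.222.222 208.67.220.220"  # OpenDNS servers from the thread

# Print one iptables command per line for protocol $1 (udp or tcp).
# ACCEPT rules come first, then a rate-limited LOG, then the catch-all REJECT.
dns_rules_for_proto() {
    proto="$1"
    for srv in $ALLOWED_DNS; do
        echo "iptables -A FORWARD -i $INTIF -p $proto --dport 53 -d $srv -j ACCEPT"
    done
    # Log bypass attempts (limited so one noisy host cannot flood syslog),
    # then reject so the client fails fast instead of waiting for a timeout.
    echo "iptables -A FORWARD -i $INTIF -p $proto --dport 53 -m limit --limit 5/min -j LOG --log-prefix \"DNS-BYPASS: \""
    echo "iptables -A FORWARD -i $INTIF -p $proto --dport 53 -j REJECT"
}

# Full rule set: UDP first, then TCP (zone transfers, large responses).
dns_rules() {
    dns_rules_for_proto udp
    dns_rules_for_proto tcp
}

# Read kernel log lines on stdin, keep those with the DNS-BYPASS prefix and
# print "SRC count" per internal source address, sorted by address.
summarize_bypass_log() {
    grep 'DNS-BYPASS:' | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' | sort | uniq -c | awk '{print $2, $1}'
}

# Constructed sample log lines (not real captures); 198.51.100.0/24 is TEST-NET-2.
SAMPLE_LOG='Jul 15 17:05:01 router kernel: DNS-BYPASS: IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=198.51.100.10 PROTO=UDP SPT=51234 DPT=53
Jul 15 17:05:02 router kernel: DNS-BYPASS: IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=198.51.100.11 PROTO=UDP SPT=51235 DPT=53
Jul 15 17:05:09 router kernel: DNS-BYPASS: IN=eth1 OUT=eth0 SRC=192.168.1.77 DST=198.51.100.12 PROTO=TCP SPT=40000 DPT=53
Jul 15 17:05:10 router kernel: OTHER-RULE: IN=eth1 OUT=eth0 SRC=192.168.1.77 DST=198.51.100.12 PROTO=TCP SPT=40001 DPT=80'

case "${1:-}" in
    apply) dns_rules | sh ;;   # install the rules (root required)
    *)     dns_rules; echo; echo "$SAMPLE_LOG" | summarize_bypass_log ;;
esac
```

On an AstLinux box the printed commands would normally go into the firewall's custom-rule hook rather than being run by hand, and the summary function can be fed from the syslog file that receives kernel messages to see which internal hosts are still pointed at an outside resolver.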
