Yes I agree.  Of course since turning on blocking I find that I have a VoIP
adapter that is remotely administered by "someone else" and it is pointing
to an external DNS server.  Fortunately the logs identified this.  So I need
to explicitly allow one internal IP to access an external DNS.

David

On Sun, Jul 15, 2012 at 6:57 PM, Lonnie Abelbeck
<[email protected]> wrote:

> David,
>
> Yes, blocking is best, the "iptables -t nat -A PREROUTING" technique
> described only works with IPv4, plus those rules would get a *lot* of
> matches.
>
> Lonnie
>
>
> On Jul 15, 2012, at 5:11 PM, David Kerr wrote:
>
> > Thanks Lonnie.  Blocking port 53 is the simplest way to go I think.
> > Googling also turns up...
> >   http://www.dd-wrt.com/wiki/index.php/OpenDNS
> > Scroll down that page and you find a way to intercept all port 53
> > requests and send them somewhere else silently... so DNS requests
> > satisfied, just not by the server the user expected.
> >
> > David
> >
> >
> > On Sun, Jul 15, 2012 at 6:00 PM, Lonnie Abelbeck <[email protected]> wrote:
> > Hi David,
> >
> > From the Network -> Firewall tab
> >
> > Deny LAN->EXT TCP/UDP 0/0 0/0 53
> >
> >
> >
> >
> > This applies for both IPv4 and IPv6 if enabled.  TCP is seldom used, but
> > best to also block it.
> >
> >
> > Now for the extra credit, :-), this can't be done via the Firewall tab,
> > but if you also add the AIF variable to your user.conf:
> >
> > LAN_INET_HOST_OPEN_UDP="0/0>208.67.222.222~53 0/0>208.67.220.220~53"
> >
> > That will allow the LAN to directly access the OpenDNS IPv4 servers with
> > the Firewall tab rule applied, (also define LAN_INET_HOST_OPEN_TCP the same
> > if you wish). IMHO not worth the effort, why not force all LAN users to use
> > the local caching DNS server.
> >
> > Lonnie
> >
> >
> > On Jul 15, 2012, at 4:01 PM, David Kerr wrote:
> >
> > > So, the OpenDNS was mentioned on this list a few days ago.  I use this
> > > service and the mention on this list prompted me to check my settings to
> > > make sure that I was still appropriately blocking access to web site
> > > categories.  And it started me thinking... it would be easy for a savvy
> > > user to reconfigure their client DNS settings such that it no longer
> > > pointed to 192.168.1.1 (or whatever AstLinux is on your network, or
> > > whatever DHCP returned) and instead pointed to a public DNS server, maybe
> > > my ISP's DNS server.
> > >
> > > So... is there a way to configure the AstLinux firewall to block DNS
> > > requests from any internal client to any external DNS server?  In other
> > > words, enforce internal clients to use the AstLinux DNS server.  For extra
> > > credit... a rule that would nevertheless permit access to the OpenDNS
> > > servers 208.67.222.222 and 208.67.220.220.
> > >
> > > Thanks,
> > > David
> >
> >
> >
> >
> >
> ------------------------------------------------------------------------------
> > Live Security Virtual Conference
> > Exclusive live event will cover all the ways today's security and
> > threat landscape has changed and how IT managers can respond. Discussions
> > will include endpoint security, mobile security and the latest in malware
> > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> > _______________________________________________
> > Astlinux-users mailing list
> > [email protected]
> > https://lists.sourceforge.net/lists/listinfo/astlinux-users
> >
> > Donations to support AstLinux are graciously accepted via PayPal to
> [email protected].
> >

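Added example for this thread (not code from the thread, from AstLinux or from AIF): a small Python script that encodes the policy discussed above in one function (deny LAN->EXT TCP/UDP 53, allow the two OpenDNS servers for everyone, allow one internal host to one external DNS server) and runs it over iptables-style firewall log lines to list the LAN hosts still sending DNS elsewhere, the way the logs surfaced the remotely administered VoIP adapter. The LAN prefix 192.168.1.0/24, the VoIP adapter address 192.168.1.77, its DNS server 203.0.113.53, the 198.51.100.x destinations and the log lines themselves are constructed assumptions; only the SRC=/DST=/PROTO=/DPT= fields the parser keys on are standard iptables log fields.

```python
"""Audit firewall log lines for LAN clients bypassing the local DNS resolver.

Policy mirrored here (from the thread): Deny LAN->EXT TCP/UDP 0/0 0/0 53, plus
LAN_INET_HOST_OPEN_UDP/TCP for the OpenDNS servers, plus one per-host exception.
"""
import ipaddress
import re
from collections import defaultdict

LAN = ipaddress.ip_network("192.168.1.0/24")          # assumption: LAN from the thread
LOCAL_RESOLVER = ipaddress.ip_address("192.168.1.1")  # AstLinux caching DNS (thread)
# External DNS servers every LAN host may reach directly (OpenDNS, from the thread)
GLOBAL_ALLOW = {
    ipaddress.ip_address("208.67.222.222"),
    ipaddress.ip_address("208.67.220.220"),
}
# Per-host exception: constructed VoIP adapter address and its constructed DNS server
HOST_ALLOW = {
    ipaddress.ip_address("192.168.1.77"): {ipaddress.ip_address("203.0.113.53")},
}


def decide(src, dst, proto, dport):
    """Return 'ACCEPT' or 'DROP' for one packet under the policy above."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dport != 53 or proto not in ("UDP", "TCP"):
        return "ACCEPT"                       # the policy only concerns DNS
    if src not in LAN or dst in LAN:
        return "ACCEPT"                       # not LAN->EXT (e.g. to the local resolver)
    if dst in GLOBAL_ALLOW:
        return "ACCEPT"                       # LAN_INET_HOST_OPEN_UDP/TCP equivalent
    if dst in HOST_ALLOW.get(src, set()):
        return "ACCEPT"                       # single-host exception (VoIP adapter)
    return "DROP"                             # Deny LAN->EXT TCP/UDP 0/0 0/0 53


# Standard iptables log fields; everything else on the line is ignored.
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse(line):
    """Extract (src, dst, proto, dport) from an iptables-style log line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None                           # no DPT= field (ICMP, noise, ...)
    return m["src"], m["dst"], m["proto"], int(m["dpt"])


def audit(log_text):
    """Map each LAN host to the external DNS servers it reached without an allow rule."""
    bypass = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        src, dst, proto, dport = rec
        if decide(src, dst, proto, dport) == "DROP":
            bypass[src].add(dst)
    return {host: sorted(dsts) for host, dsts in bypass.items()}


# Constructed sample log (not captured from a real AstLinux box).
SAMPLE_LOG = """\
Jul 15 18:01:02 pbx kernel: DNS-AUDIT IN=eth1 SRC=192.168.1.50 DST=192.168.1.1 LEN=60 TTL=64 PROTO=UDP SPT=51234 DPT=53
Jul 15 18:01:05 pbx kernel: DNS-AUDIT IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=198.51.100.10 LEN=60 TTL=64 PROTO=UDP SPT=51235 DPT=53
Jul 15 18:02:10 pbx kernel: DNS-AUDIT IN=eth1 OUT=eth0 SRC=192.168.1.60 DST=208.67.222.222 LEN=60 TTL=64 PROTO=UDP SPT=40001 DPT=53
Jul 15 18:02:12 pbx kernel: DNS-AUDIT IN=eth1 OUT=eth0 SRC=192.168.1.77 DST=203.0.113.53 LEN=60 TTL=64 PROTO=UDP SPT=5060 DPT=53
Jul 15 18:02:15 pbx kernel: DNS-AUDIT IN=eth1 OUT=eth0 SRC=192.168.1.77 DST=198.51.100.20 LEN=60 TTL=64 PROTO=TCP SPT=33333 DPT=53
Jul 15 18:03:00 pbx kernel: DNS-AUDIT IN=eth1 OUT=eth0 SRC=192.168.1.60 DST=198.51.100.10 LEN=60 TTL=64 PROTO=TCP SPT=33334 DPT=443
Jul 15 18:03:01 pbx kernel: DNS-AUDIT IN=eth1 OUT=eth0 SRC=192.168.1.60 DST=198.51.100.10 LEN=84 TTL=64 PROTO=ICMP TYPE=8 CODE=0
"""

if __name__ == "__main__":
    for host, servers in sorted(audit(SAMPLE_LOG).items()):
        print(f"{host} bypassed the local resolver via: {', '.join(servers)}")
```

Running it on the constructed log reports 192.168.1.50 and 192.168.1.77 as hosts that tried DNS servers outside the allow rules, while the OpenDNS query from 192.168.1.60 and the VoIP adapter's query to its permitted server are accepted. The same `decide()` function can be pointed at a log from before blocking was switched on to see, in advance, which clients the Firewall tab rule would cut off.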