
Allow only open dns servers on port 53 and block all other public DNS servers

Discussion in 'Tomato Firmware' started by onehomelist, Jan 29, 2010.

  1. onehomelist

    onehomelist Addicted to LI Member

    I want to just allow OpenDNS server requests on my router with Tomato firmware because I want to use the site blocking feature of OpenDNS. Is there a script that will allow me to block all the other public DNS servers my users might use on the network?
  2. dougisfunny

    dougisfunny LI Guru Member

    You could try using the:
    Intercept DNS Port
    (UDP 53)

    Checkbox, on the Advanced -> DHCP/DNS page.
  3. onehomelist

    onehomelist Addicted to LI Member

    I tried it. Still it allows requests from other public dns servers.
  4. mstombs

    mstombs Network Guru Member

    That checkbox diverts all standard dns requests to the router dns proxy - so it will only use whatever you have configured the router to do.

    To get round this you would have to use public dns servers that accept dns requests on non-standard ports?
  5. mstombs

    mstombs Network Guru Member

    INPUT and OUTPUT will only interfere with the router DNS proxy; direct requests to external DNS servers use the FORWARD chain. Adding rules may not be effective if packets are accepted by rules higher up in the filtering chain, so consider using Insert to be sure your rules are checked first.

    Tomato puts the UDP destination port 53 divert into the "nat PREROUTING" chain. This works fine in a standard nat Gateway mode router, must be something different about your setup.
  6. onehomelist

    onehomelist Addicted to LI Member

    If I use the following script, will it do the job?

    # Syntax corrected: "-t nat" selects the nat table and "!" precedes the option it negates.
    # <OPENDNS_IP> is a placeholder for the OpenDNS resolver address (not given in this thread).
    iptables -t nat -A PREROUTING -p udp --dport 53 ! -d <OPENDNS_IP> -j DROP
    iptables -t nat -A PREROUTING -p udp --sport 53 ! -s <OPENDNS_IP> -j DROP
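    For Tomato's Administration -> Scripts -> Firewall box, here is an added example (not code from this thread or from the Tomato project) that combines the two mechanisms mstombs describes: a nat PREROUTING redirect of port 53 to the router's own resolver, which is what the Intercept DNS checkbox does, plus rules inserted at the top of FORWARD so that no DNS packet can reach an outside resolver directly even if the redirect is ever bypassed. It assumes the LAN bridge is br0 (the LAN_IF variable) and that the router's own upstream resolvers under Basic -> Network are already set to the OpenDNS servers; the IPT variable is an assumption of this script that lets you print the rules instead of applying them.

```shell
#!/bin/sh
# Added example for a Tomato "Firewall" script: force all LAN DNS through the
# router's own resolver and refuse to forward DNS to any outside server.
# Assumptions (not from the thread): LAN interface is br0; the router itself
# already points at the resolvers you trust. Set IPT="echo iptables" to print
# the rules instead of applying them (dry run), e.g. when testing off-router.

LAN_IF="${LAN_IF:-br0}"

# Run one iptables command, or echo it when IPT is set to a dry-run prefix.
ipt() {
    ${IPT:-iptables} "$@"
}

# Redirect every LAN DNS query on port 53 (UDP and TCP) to the router's own
# resolver: the same effect as the "Intercept DNS port" checkbox, but TCP too.
intercept_dns() {
    for proto in udp tcp; do
        ipt -t nat -I PREROUTING -i "$LAN_IF" -p "$proto" --dport 53 \
            -j REDIRECT --to-ports 53
    done
}

# Belt and braces: drop any LAN-originated DNS that would be forwarded to the
# Internet. Inserted (-I) so it is evaluated before Tomato's own ACCEPT rules
# in FORWARD, as mstombs recommends.
block_forwarded_dns() {
    for proto in udp tcp; do
        ipt -I FORWARD -i "$LAN_IF" -p "$proto" --dport 53 -j DROP
    done
}

# Apply both halves of the policy; returns the status of the last rule.
apply_dns_policy() {
    intercept_dns
    block_forwarded_dns
}

# Check from a LAN client (not from the router): point a query at an address
# that is not a DNS server. If the name still resolves, the redirect is live.
# 192.0.2.1 is a documentation (TEST-NET-1) address, chosen here as a
# constructed "invalid" resolver; example.com is a reserved example name.
client_side_check() {
    nslookup example.com 192.0.2.1
}

# Uncomment when pasting into Administration -> Scripts -> Firewall:
# apply_dns_policy
```

    The redirect only catches traffic sent to port 53, so a client pointed at a resolver on a non-standard port, or using DNS over HTTPS, is not intercepted; the FORWARD drop closes the first case for port 53 but a resolver listening on another port would need its own rule. Run `client_side_check` from a workstation, not the router: a successful answer from a resolver that does not exist is the proof jersully describes that the router is silently answering instead.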
  7. jersully

    jersully LI Guru Member

    The Intercept DNS option works perfectly for me.
  8. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Are you sure? Using the intercept feature will make it look like it is allowing requests to other DNS servers, but it will be silently redirecting them to whatever you have configured for DNS on the router.
  9. onehomelist

    onehomelist Addicted to LI Member

    As SgtPepperKSU said, checking the Intercept DNS Port option really does the job. It appears like it's allowing access to other public servers, but in reality it is using the DNS servers I have set in the router. I came to know this when I accessed a page blocked at OpenDNS: the page didn't open even though I had used Google DNS server IPs on my client. Thanks. Sorry for troubling you with a silly question.
  10. jersully

    jersully LI Guru Member

    Right on. Your clients can be configured for any DNS server and the router will silently take the client request and send it to the DNS server it's configured for.

    If you would like to verify that, just configure your client for an invalid DNS and see if it still resolves.
