RV042 Default Firewall rules

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by jtimbr7546, Jul 22, 2008.

  1. jtimbr7546

    jtimbr7546 LI Guru Member

    I have an issue with the "default firewall" rules that cannot be changed. According to the documentation, DNS requests originating from the LAN side will always be allowed. What if i wanted to restrict DNS queries (outside of the network) to ONLY say, OpenDNS, and disallow port 53 (DNS) for anywhere else? I am using OpenDNS to manage certain security settings for my network and do not want them to be able to be easily bypassed. This seems that their default rule for handling DNS requests is a big security hole that needs to be fixed (or at least allow experienced users to change it).

    I already have OpenDNS default in the DHCP setting, so the user would have to willfully change it..but I just want this extra layer of protection. Thank you.
  2. Sfor

    Sfor Network Guru Member

    I see no problem here. You can block all the DNS traffic with one rule, while allowing DNS traffic to the OpenDNS server with another rule.

    The imprtant is the "allow" rule should be placed before the "block" rule. Because the router searches for the first rule applying to every packet.
  3. jtimbr7546

    jtimbr7546 LI Guru Member

    Thats exactly what i did. I then changed the DNS for my desktop to the Comcast DNS servers and it successfully responded. Theoretically the firewall should have stopped port 53 because it was not destined for OpenDNS. Apparently this is a default behavior in the router and to me is a huge security hole. Is there anyway of modding the firewall rules? I would rather not have to use a secondary hardware firewall..
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice