
FAQ 34: Prevent the use of other DNS servers

Category: Initial setup | Updated: 3/25/2010 10:46:55 AM | Read: 2328 (Last: 9/4/2010 9:29:49 AM)


You should create a rule in the firewall/router to the Internet that prevents the range of IP addresses handed out by DHCP from communicating outbound over TCP/UDP port 53.

This prevents an extremely clever person, who intentionally changed their default DNS server to something other than DNS Redirector, from bypassing your blocked list or getting out on the Internet.

Resolution

In these examples we assume that ListenOnIP=192.168.0.2 in dnsredir.ini.
You may need to change the IP below to reflect your setting.

On a Cisco PIX firewall with IOS v6.3(5) the relevant configuration lines are...
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list inside_access_in permit tcp host 192.168.0.2 any eq domain
access-list inside_access_in permit udp host 192.168.0.2 any eq domain
access-list inside_access_in deny tcp any any eq domain
access-list inside_access_in deny udp any any eq domain
access-list inside_access_in permit ip any any
access-list inside_access_in permit icmp any any
access-list outside_access_in permit icmp any any
access-list outside_access_in deny ip any any
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
dhcpd dns 192.168.0.2
write mem

On a Linksys or Buffalo device with alternative firmware Tomato v1.13 go to...
Access Restriction > Add
Enabled: Check
Description: NoOtherDNS
Schedule: Check All Day, Check Everyday
Type: Normal Restriction
Applies To: All Except, 192.168.0.2
Blocked Resources: Uncheck Block All Internet Access
Rules: TCP/UDP, Any Port, [leave 3rd field blank]
IPP2P (disabled), dns
OK > Save

On a device using alternative firmware DD-WRT...
Under Administration go to the Commands tab
In the Commands box paste the following:
iptables -t nat -A PREROUTING -p udp -i br0 --dport 53 -j DNAT --to 192.168.0.2
iptables -t nat -A PREROUTING -p tcp -i br0 --dport 53 -j DNAT --to 192.168.0.2
Click Save Firewall (WAN interface will be restarted)
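As an added example (not from the DNS Redirector FAQ or the DD-WRT project), the two iptables rules above wrapped in a reviewable script that also exempts the DNS Redirector host itself (its own upstream queries would otherwise be DNATed back to it) and logs clients that try to use another resolver. It assumes br0 is the LAN bridge and that the firmware's iptables build includes the LOG target and the limit match; DRY_RUN=1 prints the commands instead of applying them.

```shell
#!/bin/sh
# Constructed example: forces all LAN DNS through the DNS Redirector host.
# LISTEN_IP is the ListenOnIP value from dnsredir.ini (assumed 192.168.0.2),
# LAN_IF the LAN bridge (assumed br0). With DRY_RUN=1 the commands are printed
# for review; set DRY_RUN=0 on the router to apply them.
LISTEN_IP="${LISTEN_IP:-192.168.0.2}"
LAN_IF="${LAN_IF:-br0}"
DRY_RUN="${DRY_RUN:-1}"

# Print or execute one iptables command depending on DRY_RUN.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Return 0 only for a syntactically valid dotted-quad IPv4 address.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Emit the rule set for one transport protocol (udp or tcp).
dns_rules_for() {
    proto=$1
    # Exempt the DNS Redirector host: without this, the queries it forwards
    # to its real upstream servers would be rewritten back to itself.
    ipt -t nat -A PREROUTING -p "$proto" -i "$LAN_IF" -s "$LISTEN_IP" --dport 53 -j RETURN
    # Record bypass attempts (rate limited so one misconfigured host cannot
    # flood the log), then redirect them to DNS Redirector as the FAQ does.
    ipt -t nat -A PREROUTING -p "$proto" -i "$LAN_IF" --dport 53 \
        -m limit --limit 6/min -j LOG --log-prefix "DNS-BYPASS: "
    ipt -t nat -A PREROUTING -p "$proto" -i "$LAN_IF" --dport 53 -j DNAT --to "$LISTEN_IP"
}

# Validate the configured address, then install udp and tcp rules.
apply_dns_rules() {
    valid_ipv4 "$LISTEN_IP" || { echo "bad LISTEN_IP: $LISTEN_IP" >&2; return 1; }
    dns_rules_for udp
    dns_rules_for tcp
}

apply_dns_rules
```

Pasted into the DD-WRT Commands box with DRY_RUN=0, the script replaces the two rules above; the logged lines let you see which clients had their DNS server changed.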



DNS Redirector | Copyright © 2003-2010