blocking dns
-
Ish
- Rovertech Kiloposter
- Posts: 1520
- Joined: Thu Jan 15, 2004 11:21 pm
- Location: Birmingham
- Contact:
blocking dns
Hi
The DNS servers in my router are set to opendns. I have blocked outgoing traffic to port 53 in my router firewall yet I can still access websites.
I need to block access to DNS to test something. What am I doing wrong?
Thanks
Re: blocking dns
If you block outbound dns requests how are you going to resolve dns requests from your DNS server and thus get to your web page? Take that rule off.
The router should have the isp's dns servers in there. If not put them in and that should be that.
Ish
Re: blocking dns
That's what I am trying to do! I want to block access to the DNS servers which are set in my router.
I have outbound traffic to port 53 blocked but I can still access websites. What am I doing wrong?
-
Null_Byte
- RT GOD
- Posts: 11339
- Joined: Tue Sep 21, 2004 11:47 pm
- feedback: 465046
- Location: today i will be mostly... under the bonnet
- Contact:
Re: blocking dns
Well it's not really going to work - what is it you are trying to achieve?
Ish
Re: blocking dns
Ok, I have 1 pc's which are all connected to an adsl router via a 12 port switch.
All pc's are set to automatically get their ip and dns settings from the router.
The dns settings are set to:-
208.67.222.222
208.67.220.220
These are the www.opnedns.com servers which allow some filtering control etc.
What I have found on a couple of pc's is that people are manually entering different dns servers to bypass the opendns filtering.
I found this post http://johndball.blaize.net/2008/06/22/ ... bypassing/ which shows you how to stop this happening.
To make sure I was working with the right port I tried to block 53 as a test but as explained before this didn't work as I can still access websites.
Re: blocking dns
I'd set the dns settings on the clients, then use local group policy to deny access to the networking properties. They cannot change the dns settings as the option will not be there for them to do it.
Ish
Re: blocking dns
daibill wrote: I'd set the dns settings on the clients, then use local group policy to deny access to the networking properties. They cannot change the dns settings as the option will not be there for them to do it.
I can't do this as sometimes people use their own personal laptops.
Re: blocking dns
What deployment scenario have you got? business/home etc?
Got fixed ip addresses or dynamic from the ISP?
How critical is this solution?
How much do you want to spend?
How much time have you got?
Ish
Re: blocking dns
daibill wrote: What deployment scenario have you got? business/home etc?
It's for a charity run community centre
Got fixed ip addresses or dynamic from the ISP?
Fixed IP
How critical is this solution?
Very
How much do you want to spend?
£0!
How much time have you got?
ASAP
I was hoping to be able to use the method mentioned at http://forums.opendns.com/comments.php? ... e=1#Item_8 which is why I tried to block port 53 to see if the second part of the rule would work
Re: blocking dns
well those rules that are in that post would do it if ......
1) they are in the correct order
2) your router is capable of processing 2 rules on the same port..
try upgrading the firmware on the router first and try again.
my suggestion would have been to have 2 fixed ip addresses and put something like a cisco asa5505 between the router and lan using that to deploy dhcp and dns with the router and external interface of the firewall on separate subnets. That would force the connecting machines to either use the specified dns servers or none at all. Changing the dns manually would not work as the asa would not allow it and they would drop off the network. They would soon learn after that.
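The rule-ordering point above (allow port 53 only to the two OpenDNS addresses quoted earlier in the thread, then deny port 53 to everything else) can be checked before touching a router. The script below is an added example, not code from the thread or from OpenDNS: it keeps the policy as an ordered rule list, evaluates a destination against it the way a first-match firewall would, and prints the equivalent iptables FORWARD-chain commands for a Linux gateway. The LAN interface and subnet names are assumptions; only the two resolver addresses come from the thread.

```sh
#!/bin/sh
# Added example (not from the thread): model the "allow OpenDNS, deny other
# DNS" egress policy as an ordered rule list, check it with a first-match
# evaluator, and emit equivalent iptables commands for a Linux gateway.
# LAN_IF and LAN_NET are assumed values; override them in the environment.

LAN_IF="${LAN_IF:-br0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
OPENDNS_1="208.67.222.222"   # resolver addresses quoted in the thread
OPENDNS_2="208.67.220.220"

# Ordered rules, one per line: "<action> <dst-ip|any> <dst-port|any>".
# The two ACCEPT lines must come before the DROP line: a first-match
# firewall stops at the first rule that fits the packet.
RULES="ACCEPT $OPENDNS_1 53
ACCEPT $OPENDNS_2 53
DROP any 53
ACCEPT any any"

# The same rules with the deny placed first, to show why ordering matters:
# every port-53 packet, OpenDNS included, hits DROP before the ACCEPTs.
MISORDERED_RULES="DROP any 53
ACCEPT $OPENDNS_1 53
ACCEPT $OPENDNS_2 53
ACCEPT any any"

# policy_for "<rules>" <dst-ip> <dst-port>: walks the rule list top to
# bottom and prints the action of the first rule that matches.
policy_for() {
    rules="$1"; dst="$2"; port="$3"
    printf '%s\n' "$rules" | while read -r action r_ip r_port; do
        if { [ "$r_ip" = any ] || [ "$r_ip" = "$dst" ]; } &&
           { [ "$r_port" = any ] || [ "$r_port" = "$port" ]; }; then
            echo "$action"
            break
        fi
    done
}

# dns_policy <dst-ip> <dst-port>: evaluate against the intended rule order.
dns_policy() { policy_for "$RULES" "$1" "$2"; }

# emit_iptables: print FORWARD-chain commands that implement RULES for
# traffic leaving the LAN. Both UDP and TCP are covered, since DNS uses
# both. Commands are printed, not executed, so this runs safely anywhere;
# pipe the output into sh on the gateway to apply it.
emit_iptables() {
    printf '%s\n' "$RULES" | while read -r action r_ip r_port; do
        [ "$r_port" = any ] && continue   # the final catch-all needs no rule
        for proto in udp tcp; do
            set -- -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -p "$proto" --dport "$r_port"
            [ "$r_ip" = any ] || set -- "$@" -d "$r_ip"
            echo "iptables $* -j $action"
        done
    done
}

# Walk through a few destinations when run directly.
for dst in "$OPENDNS_1" 8.8.8.8; do
    echo "port 53 to $dst: $(dns_policy "$dst" 53)"
done
echo "port 443 to 8.8.8.8: $(dns_policy 8.8.8.8 443)"
echo "misordered, port 53 to $OPENDNS_1: $(policy_for "$MISORDERED_RULES" "$OPENDNS_1" 53)"
emit_iptables
```

Two caveats the thread already raises apply after the rules are in place: a client that resolved a name moments earlier will keep serving it from its local cache (on Windows, `ipconfig /flushdns` clears it, otherwise wait for the TTL or reboot), and a router that ignores destination-specific rules on the same port will behave as if only the last rule existed, which is the symptom described in the final post.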
-
dreaddan
- RT GOD
- Posts: 5823
- Joined: Mon Jun 30, 2003 12:53 pm
- feedback: 1092668
- Location: A little north of Stoke-On-Trent
- Contact:
Re: blocking dns
Have you rebooted the pc since blocking DNS?
Windows (and most OSs) will cache the dns results.
Also what router are you using and what rules are you using - give us the text used.
Ish
Re: blocking dns
I've got it working now but not with my netgear even though it has the latest firmware. On my router blocking the dns port doesn't stop dns traffic so I tried it with another model netgear I had and it works fine.