Block DNS requests

  • I've got a bunch of gizmos (with DHCP leases) apparently trying to skirt using a DHCP-assigned internal DNS and use external servers.  Chromecasts, camera gateways and other IoT-sort of gizmos.

    What are the downsides to blocking/redirecting them?  As in, would it be workable to set up an alias of the device IPs and set up a firewall rule to handle them?  Would setting up a passive port forward redirect back to an internal DNS server work?

    I've set up one rule with an alias for a group of hosts allowed DNS access.  Seems to work nicely.  They're successfully making direct external DNS queries.

    Also set up a rule with another alias of blocked hosts, without logging.  This is to at least temporarily cut down on their spamming the log.

    Leaving a generic "all other hosts blocked" rule in place, to at least see what, if anything, else tries to make DNS queries directly.

    Any downsides to setting up a NAT port forward rule to redirect LAN requests on port 53 to an internal DNS server?  Do the port forward rules come after the regular firewall rules?

  • Rebel Alliance Developer Netgate

    Unless the DNS requests made by said gizmo can only come from their custom DNS server, there isn't really a downside to redirecting them.

    This is what I prefer to do:

    Any client that requests DNS from a remote address other than the firewall gets redirected to the DNS service on the firewall (resolver or forwarder, pick your poison).
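    One way to answer the "what else tries to make DNS queries directly" part of the question is to read the firewall log rather than the GUI. The script below is an added example, not something posted in this thread or shipped with pfSense: it parses filterlog lines in the CSV layout pfSense writes (rule, sub-rule, anchor, tracker, interface, reason, action, direction, IP version, then for IPv4 tos, ecn, ttl, id, offset, flags, protocol id, protocol, length, source, destination, source port, destination port, ...), picks out port-53 traffic whose destination is not the internal resolver, and groups it by client. The sample log lines, the internal resolver address `192.168.1.1`, the "allowed direct DNS" alias and the function names are all constructed for the example; the field layout is an assumption about the log format, so check it against a real line from your own `/var/log/filter.log` before relying on the indexes.

```python
import ipaddress
from collections import Counter

# Constructed sample lines in the pfSense filterlog CSV layout (assumed field order:
# rule,subrule,anchor,tracker,iface,reason,action,dir,ipver,tos,ecn,ttl,id,offset,
# flags,proto-id,proto,len,src,dst,srcport,dstport,datalen[,tcp fields...]).
SAMPLE_LOG = """\
Mar 10 14:58:32 filterlog: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,1234,0,DF,17,udp,60,192.168.1.50,8.8.8.8,51234,53,40
Mar 10 14:58:33 filterlog: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,1235,0,DF,17,udp,60,192.168.1.50,8.8.4.4,51235,53,40
Mar 10 14:58:34 filterlog: 7,,,1000000105,igb1,match,pass,in,4,0x0,,64,1236,0,DF,17,udp,60,192.168.1.20,1.1.1.1,40000,53,40
Mar 10 14:58:35 filterlog: 9,,,1000000107,igb1,match,pass,in,4,0x0,,64,1237,0,DF,17,udp,60,192.168.1.30,192.168.1.1,40001,53,40
Mar 10 14:58:36 filterlog: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,1238,0,DF,6,tcp,60,192.168.1.51,9.9.9.9,41000,53,0,S,1000,,65535,,mss
Mar 10 14:58:37 filterlog: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,1239,0,DF,17,udp,60,192.168.1.50,8.8.8.8,51236,853,40
"""

# Hypothetical addresses: the firewall's own resolver and the alias of hosts
# that are deliberately allowed to query external DNS servers directly.
INTERNAL_DNS = {ipaddress.ip_address("192.168.1.1")}
ALLOWED_DIRECT = {ipaddress.ip_address("192.168.1.20")}


def parse_filterlog_line(line):
    """Return (action, proto, src, dst, dstport) for an IPv4 TCP/UDP filterlog line, else None."""
    marker = "filterlog: "
    idx = line.find(marker)
    if idx < 0:
        return None
    fields = line[idx + len(marker):].split(",")
    # IPv4 records carry at least 22 fields up to and including the destination port.
    if len(fields) < 22 or fields[8] != "4" or fields[16] not in ("udp", "tcp"):
        return None
    try:
        src = ipaddress.ip_address(fields[18])
        dst = ipaddress.ip_address(fields[19])
        dport = int(fields[21])
    except ValueError:
        return None
    return fields[6], fields[16], src, dst, dport


def direct_dns_clients(log_text, internal_dns=INTERNAL_DNS, allowed=ALLOWED_DIRECT):
    """Group port-53 traffic that bypasses the internal resolver by source host.

    Returns {src: {"servers": Counter(dst -> hits), "blocked": n, "expected": bool}};
    "expected" is True only for hosts in the allowed-direct alias.
    """
    report = {}
    for line in log_text.splitlines():
        rec = parse_filterlog_line(line)
        if rec is None:
            continue
        action, _proto, src, dst, dport = rec
        # Only external DNS: port 53 to anything that is not the firewall's resolver.
        if dport != 53 or dst in internal_dns:
            continue
        entry = report.setdefault(
            str(src), {"servers": Counter(), "blocked": 0, "expected": src in allowed}
        )
        entry["servers"][str(dst)] += 1
        if action == "block":
            entry["blocked"] += 1
    return report


def unexpected_hosts(report):
    """Hosts talking to external DNS that are not in the allowed alias, sorted."""
    return sorted(src for src, entry in report.items() if not entry["expected"])


if __name__ == "__main__":
    result = direct_dns_clients(SAMPLE_LOG)
    for src, entry in sorted(result.items()):
        tag = "allowed" if entry["expected"] else "UNEXPECTED"
        servers = ", ".join(f"{d} x{n}" for d, n in entry["servers"].most_common())
        print(f"{src:15} {tag:10} blocked={entry['blocked']} -> {servers}")
    print("hosts to add to the blocked/redirected alias:", unexpected_hosts(result))
```

    Hosts that show up as UNEXPECTED are the candidates for the blocked (or redirected) alias; a host in the allowed alias still appears so you can see which external servers it actually uses. Port 853 (DNS over TLS) is deliberately ignored here because a port-53 redirect does nothing for it, which is also worth remembering when deciding whether redirecting is enough for a given gizmo.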
