Force Users to use local DNS (SOLVED)

  • Hi everyone,

    I have two local DNS servers that every client at the office is supposed to go through. We use Active Directory, so it is a must really. I noticed in the past that the guys changed their network card DNS to use something else, hence bypassing my forwarding rules to OpenDNS, which blocks a lot of activities against policy. I can't remove their access to their network card settings as they are developers and need full access to their machines, so what I would like to do is something like this, if possible:

    Check that any DNS queries coming in from the LAN originated from one of our 2 DNS servers. I would like a global rule affecting everyone as they all should be going through our 2 DNS servers on the LAN and then those forward the requests to OpenDNS.

    Does anyone know the proper way of configuring such a rule (or rules)?


  • Rebel Alliance Developer Netgate

    Just put a rule at the top of the LAN rules to pass traffic on tcp/udp port 53 only with a source address of your internal DNS servers. (An Alias containing your approved DNS servers would be ideal here)

    Then a rule to block tcp/udp port 53 from all machines on your LAN.

    And then your other LAN rules (allow all out, or whatever).

  • Create a LAN rule to allow your domain controller full access to any:

    Pass Rule - Proto: any - Source: DC-IP - Port: any - Destination: any - Port: any

    Below that rule, create a LAN rule to block the LAN Net from getting to an external DNS server:

    Block Rule - Proto: TCP/UDP - Source: LAN Net - Port: any - Destination: any - Port: 53

    Your last rule should be your default LAN-to-any rule.
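    The two answers above describe the same three-rule order, and the whole point is that pfSense evaluates LAN rules top-down with first match winning. The following is an added example, not code from the thread or from Netgate: a small Python model of that first-match evaluation, run over a few constructed packets, so you can see which rule each one hits and what happens if the block rule is placed above the pass rule. All addresses (the 192.168.10.0/24 LAN, the two approved resolvers, the client, and the 203.0.113.x / 198.51.100.x documentation addresses) and the alias name `ApprovedDNS` are placeholders; 208.67.222.222 is OpenDNS's published resolver address.

```python
"""Model of the LAN rule order from the thread, evaluated first-match like pfSense.

Constructed example: the LAN subnet, resolver addresses, client address, alias
name and packets below are placeholders, not values from the original post.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

LAN_NET = ipaddress.ip_network("192.168.10.0/24")            # placeholder "LAN net"
APPROVED_DNS = (ipaddress.ip_address("192.168.10.5"),        # placeholder alias "ApprovedDNS":
                ipaddress.ip_address("192.168.10.6"))        # the two internal DNS servers
OPENDNS = ipaddress.ip_address("208.67.222.222")              # OpenDNS public resolver
ROGUE_RESOLVER = ipaddress.ip_address("203.0.113.53")         # placeholder external resolver
WEB_HOST = ipaddress.ip_address("198.51.100.80")              # placeholder web server


@dataclass(frozen=True)
class Packet:
    proto: str                    # "tcp" or "udp"
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                   # "pass" or "block"
    protos: frozenset             # {"tcp", "udp"} or {"any"}
    sources: tuple                # networks and/or single addresses (an alias)
    dport: Optional[int]          # None means "any"
    name: str


def _src_matches(rule: Rule, src: ipaddress.IPv4Address) -> bool:
    for s in rule.sources:
        if isinstance(s, ipaddress.IPv4Network):
            if src in s:
                return True
        elif src == s:
            return True
    return False


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if "any" not in rule.protos and pkt.proto not in rule.protos:
        return False
    if not _src_matches(rule, pkt.src):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(rules, pkt: Packet):
    """Return (action, rule name) for the first matching rule.

    Unmatched traffic hits pfSense's implicit default deny. Traffic between two
    hosts on the same LAN subnet is switched locally and never reaches the
    firewall, so it is reported as passing without consulting the rules.
    """
    if pkt.src in LAN_NET and pkt.dst in LAN_NET:
        return ("pass", "same subnet, not seen by firewall")
    for r in rules:
        if rule_matches(r, pkt):
            return (r.action, r.name)
    return ("block", "default deny")


# The order recommended in the thread.
RECOMMENDED = [
    Rule("pass", frozenset({"any"}), APPROVED_DNS, None, "1 pass ApprovedDNS to any"),
    Rule("block", frozenset({"tcp", "udp"}), (LAN_NET,), 53, "2 block LAN net to port 53"),
    Rule("pass", frozenset({"any"}), (LAN_NET,), None, "3 default LAN to any"),
]
# Same rules with the block placed first, to show why order matters.
MISORDERED = [RECOMMENDED[1], RECOMMENDED[0], RECOMMENDED[2]]


def demo(rules=RECOMMENDED):
    """Evaluate a handful of constructed packets and return {case: (action, rule)}."""
    dc = APPROVED_DNS[0]
    client = ipaddress.ip_address("192.168.10.50")   # placeholder developer workstation
    cases = {
        "dc_forward_to_opendns": Packet("udp", dc, OPENDNS, 53),
        "client_bypass_udp": Packet("udp", client, ROGUE_RESOLVER, 53),
        "client_bypass_tcp": Packet("tcp", client, ROGUE_RESOLVER, 53),
        "client_https": Packet("tcp", client, WEB_HOST, 443),
        "client_internal_dns": Packet("udp", client, dc, 53),
    }
    return {name: evaluate(rules, pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, (action, rule) in demo().items():
        print(f"{name:24s} {action:5s} via {rule}")
    print("misordered, DC forward:", evaluate(MISORDERED, Packet("udp", APPROVED_DNS[0], OPENDNS, 53)))
```

    With the recommended order the domain controller's forward to OpenDNS passes on rule 1, a workstation pointed at an outside resolver is blocked on rule 2 for both UDP and TCP, and ordinary HTTPS falls through to rule 3. Swap the first two rules and the controller's own forwarding is blocked, which is the mistake the ordering guards against. Two caveats the model makes explicit: clients on the same subnet as the DNS servers reach them without crossing the firewall, so if your resolvers live on a different VLAN you need a pass rule to the `ApprovedDNS` alias on port 53 above the block; and a port-53 block does not cover DNS over TLS (853) or DNS over HTTPS (443), which is outside what the thread set out to solve.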


  • Thanks guys. Those suggestions worked great.
