Netgate Discussion Forum
    Force Users to use local DNS (SOLVED)

    Firewalling
    4 Posts 3 Posters 3.4k Views
    • compucoder

      Hi everyone,

      I have two local DNS servers that every client at the office is supposed to go through. We use Active Directory, so it is a must really. I noticed in the past that the guys changed their network card DNS to use something else, hence bypassing my forwarding rules to OpenDNS… which blocks a lot of activities against policy. I can't remove their access to their network card settings as they are developers and need full access to their machines, so what I would like to do is something like this... if possible:

      Check that any DNS queries coming in from the LAN originated from one of our 2 DNS servers. I would like a global rule affecting everyone as they all should be going through our 2 DNS servers on the LAN and then those forward the requests to OpenDNS.

      Does anyone know the proper way of configuring such a rule (or rules)?

      Thanks.

      • jimp (Rebel Alliance Developer, Netgate)

        Just put a rule at the top of the LAN rules to pass traffic on TCP/UDP port 53 only with a source address of your internal DNS servers. (An Alias containing your approved DNS servers would be ideal here.)

        Then a rule to block TCP/UDP port 53 from all machines on your LAN.

        And then your other LAN rules (allow all out, or whatever).

        • rpsmith

          Create a LAN rule to allow your domain controller full access to any:

          Pass Rule - Proto: any - Source: DC-IP - Port: any - Destination: any - Port: any

          Below that rule, create a LAN rule to block the LAN Net from getting to an external DNS server:

          Block Rule - Proto: TCP/UDP - Source: LAN Net - Port: any - Destination: any - Port: 53

          Your last rule should be your default LAN to any rule.

          Roy…

          • compucoder
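Both answers above depend on the same property of pfSense LAN rules: they are evaluated top-down and the first match wins, so the narrow "pass from approved DNS servers" rule must sit above the "block port 53 from LAN net" rule, and both must sit above the default allow-all rule. The following is an added worked example, not code from the posts or from pfSense itself: a small Python model of that first-match evaluation, run over the rule set jimp and Roy describe and over the same rules with the block placed above the pass. The subnet, the two resolver addresses, the alias name DNS_Servers and the destination addresses are constructed for the example (only 208.67.222.222, an OpenDNS resolver, is real). It also models two things a practitioner checks before deploying this: a client querying a resolver on its own subnet is switched at layer 2 and never reaches the firewall, so the block rule does not break internal DNS; and the rules only touch port 53, so anything a client sends on another port (the DNS over TLS port 853 is used as the illustration) still passes under the allow-all rule.

```python
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addressing for the example (assumptions, not from the thread).
LAN_NET = ip_network("192.168.10.0/24")
# Hypothetical "DNS_Servers" alias holding the two approved internal resolvers.
DNS_SERVERS_ALIAS = frozenset({ip_address("192.168.10.5"), ip_address("192.168.10.6")})


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    proto: str             # "tcp", "udp", "tcp/udp" or "any"
    src: str               # "DNS_Servers" (alias), "LAN net" or "any"
    dport: Optional[int]   # None means any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and pkt.proto not in self.proto.split("/"):
            return False
        src = ip_address(pkt.src)
        if self.src == "DNS_Servers" and src not in DNS_SERVERS_ALIAS:
            return False
        if self.src == "LAN net" and src not in LAN_NET:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


def evaluate(rules: list[Rule], pkt: Packet) -> str:
    """Return the verdict for a packet a LAN host sends towards the firewall."""
    # A client talking to a resolver on its own subnet is switched at layer 2
    # and never enters the LAN interface, so the LAN rules do not see it.
    if ip_address(pkt.dst) in LAN_NET:
        return "not-filtered"
    for rule in rules:          # pfSense LAN rules: top-down, first match wins
        if rule.matches(pkt):
            return rule.action
    return "block"              # implicit default deny when nothing matches


RECOMMENDED = [
    Rule("pass", "tcp/udp", "DNS_Servers", 53),   # approved resolvers may reach upstream DNS
    Rule("block", "tcp/udp", "LAN net", 53),      # everyone else: no outbound port 53
    Rule("pass", "any", "LAN net", None),         # the usual "allow LAN to any" rule
]

# The same three rules with the block placed above the pass: first-match
# semantics now deny the internal resolvers their own upstream queries.
MISORDERED = [RECOMMENDED[1], RECOMMENDED[0], RECOMMENDED[2]]

WORKSTATION, RESOLVER, OPENDNS = "192.168.10.50", "192.168.10.5", "208.67.222.222"


def audit(rules: list[Rule]) -> dict[str, str]:
    """Run the scenarios the thread cares about and return each verdict."""
    return {
        "workstation -> public DNS:53":     evaluate(rules, Packet(WORKSTATION, "198.51.100.53", "udp", 53)),
        "resolver -> OpenDNS:53":           evaluate(rules, Packet(RESOLVER, OPENDNS, "udp", 53)),
        "workstation -> internal resolver": evaluate(rules, Packet(WORKSTATION, RESOLVER, "udp", 53)),
        "workstation -> web:443":           evaluate(rules, Packet(WORKSTATION, "203.0.113.10", "tcp", 443)),
        "workstation -> public DoT:853":    evaluate(rules, Packet(WORKSTATION, "198.51.100.1", "tcp", 853)),
    }


if __name__ == "__main__":
    for name, rules in (("recommended", RECOMMENDED), ("misordered", MISORDERED)):
        print(f"--- {name} ---")
        for scenario, verdict in audit(rules).items():
            print(f"{scenario:36} {verdict}")
```

Running it shows the recommended ordering blocking the workstation's direct query while passing the resolver's forward to OpenDNS, and the misordered set blocking both, which is the symptom to look for if internal name resolution stops working right after adding these rules. The "not-filtered" verdict for the client-to-resolver query is why Roy's broad pass rule for the DC is only needed for traffic that actually crosses the firewall, and the port 853 result is the reminder that this rule pair enforces the port, not the protocol.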

            Thanks guys. Those suggestions worked great.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.