Block all DNS except DNS servers

I’ve done my diligence and have been searching for an answer to my solution without being able to truly decipher how to do this. I am reaching out to the community for constructive guidance.

I want to block all DNS queries except the ones that are specifically going to my dedicated DNS servers.

Does the below screenshot do this? I am waiting to implement it to minimize interruptions; I figured since I have a bit of time till then I would ask.

I think you do not need to block the packets, you can simply write a rule using DNAT to redirect all traffic for port 53 to your own servers. You can use as a model the following wiki entry.


OK, yes, I was thinking that. The part I got hung up on is that my DNS servers need to do a DNS lookup also for any IPs they do not have. I haven’t tested it, but I assumed the rule would redirect their DNS lookups right back to themselves?

The way I would address the problem is to create a firewall group of all your clients and use that as the source of your DNAT rule instead of the whole green network. Alternatively you can write a rule, coming before the DNAT rule, using as a source your DNS machines' IPs to direct the DNS traffic to the red interface.

Thanks for the guidance. I think I might have it figured out. I happen to have two DNS servers, primary and secondary. If I force port 53 to an IP, then I can't use the secondary unless I set up some type of load balancing.

That is why I was trying the route of only allowing the two servers to forward DNS calls and blocking all other DNS traffic, then dealing with whatever I have on my network that for some reason insists on going its own route.

Anyone with ideas? I am open.
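Putting the two pieces of advice above together (a bypass rule for the resolvers placed before the DNAT, plus a way to keep the secondary in use, which was the later worry), as an added example that is not from this thread or from the firewall's wiki: a POSIX shell function that only prints the iptables commands, assuming a green interface `eth1` and resolvers `192.168.1.10` and `192.168.1.11`; pipe its output to `sh` as root to apply it. It also adds the hairpin masquerade that a DNAT rule needs when clients and resolvers share the green network, otherwise the resolver's reply comes from an address the client never asked and is discarded.

```shell
#!/bin/sh
# Added example, not from the thread. Interface and addresses are assumed;
# override them in the environment before running.
GREEN_IF="${GREEN_IF:-eth1}"                  # assumed LAN ("green") interface
DNS_PRIMARY="${DNS_PRIMARY:-192.168.1.10}"    # assumed internal resolvers
DNS_SECONDARY="${DNS_SECONDARY:-192.168.1.11}"

# Print (do not apply) the rules; run as:  dns_redirect_rules eth1 A B | sudo sh
dns_redirect_rules() {
  green="$1"; dns1="$2"; dns2="$3"
  for proto in udp tcp; do
    for srv in "$dns1" "$dns2"; do
      # The resolvers' own upstream lookups must bypass the DNAT below,
      # so these RETURN rules come first in the nat PREROUTING chain.
      echo "iptables -t nat -A PREROUTING -i $green -s $srv -p $proto --dport 53 -j RETURN"
    done
    # Every other client: alternate new connections between the two resolvers
    # (nat PREROUTING sees only the first packet of each connection).
    echo "iptables -t nat -A PREROUTING -i $green -p $proto --dport 53 -m statistic --mode nth --every 2 --packet 0 -j DNAT --to-destination $dns2:53"
    echo "iptables -t nat -A PREROUTING -i $green -p $proto --dport 53 -j DNAT --to-destination $dns1:53"
    for srv in "$dns1" "$dns2"; do
      # Hairpin: the redirected query re-enters green, so masquerade it or the
      # resolver answers the client directly and the client drops the reply.
      echo "iptables -t nat -A POSTROUTING -o $green -d $srv -p $proto --dport 53 -j MASQUERADE"
      # Filter: resolvers may forward upstream, clients may reach resolvers.
      echo "iptables -A FORWARD -i $green -s $srv -p $proto --dport 53 -j ACCEPT"
      echo "iptables -A FORWARD -i $green -d $srv -p $proto --dport 53 -j ACCEPT"
    done
    # Anything on port 53 that still is not headed for a resolver is dropped.
    echo "iptables -A FORWARD -i $green -p $proto --dport 53 -j DROP"
  done
}

dns_redirect_rules "$GREEN_IF" "$DNS_PRIMARY" "$DNS_SECONDARY"
```

Because of the masquerade, redirected queries show up in the resolvers' logs with the firewall's address instead of the client's; queries that clients send to the resolvers directly are not affected. Devices that hard-code an outside resolver will still get answers, now from your own servers, which is the behaviour the thread is after.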