
I'm running a router with DNS server and I would like to make sure that everybody in my network is actually using my DNS. What are the necessary iptables (?) to redirect all DNS-related traffic to my local DNS server?

bonanza
  • So you are setting up a DNS server with recursion enabled? Before going any further, read this urgently: http://serverfault.com/questions/634793/how-do-i-set-up-a-secure-open-resolver/634794 – Xavier Lucas Oct 11 '14 at 15:57
  • This is somewhat of a lost cause. If your users don't want to use your DNS, there are plenty of ways they can tunnel around you. – Andrew B Oct 13 '14 at 13:30

3 Answers


You probably mean a kind of transparent forwarding, something which iptables calls Destination NAT:

ethL=eth0     # internal network NIC
dnsip=1.2.3.4 # IP of your DNS
# rewrite the destination of every DNS query arriving on the LAN side, UDP and TCP
iptables -t nat -A PREROUTING -p udp --dport 53 -i $ethL -j DNAT --to $dnsip
iptables -t nat -A PREROUTING -p tcp --dport 53 -i $ethL -j DNAT --to $dnsip

However, there are potential problems with this approach to consider:

  • this is a variant of NAT with all the associated costs (pass-through performance, kernel memory &c);
  • this will only work for packets which cross the router - clients who speak to a DNS server on their local IP network will continue to.
yrk
  • This is the answer that addresses the actual question: using iptables to force outbound queries onto the local network's DNS server. – Andrew B Oct 13 '14 at 13:32
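The DNAT approach above, as an added example that is not code from the answer or its author: a small POSIX shell script that generates the redirect rules for UDP and TCP, exempts the resolver's own address so that a resolver living on the LAN is not redirected to itself, and (optionally) adds the hairpin MASQUERADE rule needed when the resolver is a LAN host rather than the router, because in that case the resolver's replies would otherwise go straight to the client and bypass the router's un-NAT step. The interface name, addresses and the IPTABLES variable are placeholders and assumptions; the script prints the commands by default and only applies them when run as root with IPTABLES=iptables.

```shell
#!/bin/sh
# Added example (not from the answer above). Generates the nat rules that
# transparently redirect LAN DNS queries to the local resolver.
# Placeholders: lan_if (e.g. eth0), dns_ip (the resolver's address).
# IPTABLES defaults to "echo iptables" so rules are printed, not applied.

: "${IPTABLES:=echo iptables}"

# PREROUTING DNAT for UDP and TCP port 53 arriving on the LAN interface.
# "! -s $dns_ip" exempts the resolver itself: if it sits on the LAN behind
# this router, its own upstream queries would otherwise be looped back to it.
dns_redirect_rules() {
    lan_if=$1   # internal NIC (placeholder)
    dns_ip=$2   # local resolver address (placeholder)
    for proto in udp tcp; do
        $IPTABLES -t nat -A PREROUTING -i "$lan_if" -p "$proto" --dport 53 \
            ! -s "$dns_ip" -j DNAT --to-destination "$dns_ip"
    done
}

# Only needed when the resolver is a host on the LAN (not the router): the
# redirected query leaves through the same interface it came in on, so the
# source must be rewritten too, or the reply skips the router and is never
# translated back to the address the client originally queried.
dns_hairpin_rules() {
    lan_if=$1
    dns_ip=$2
    for proto in udp tcp; do
        $IPTABLES -t nat -A POSTROUTING -o "$lan_if" -d "$dns_ip" \
            -p "$proto" --dport 53 -j MASQUERADE
    done
}

# Demo with constructed addresses: resolver on the router itself ...
dns_redirect_rules eth0 192.168.1.1
# ... and the extra hairpin rules for a resolver at a separate LAN host.
dns_hairpin_rules eth0 192.168.1.10
```

Queries that clients send to a resolver on their own subnet still never touch the router, as the answer notes; these rules only catch traffic that is routed through it.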

You'll want to block any outbound DNS traffic from your users except to your local DNS server, so something like this can get you started:

local_network=X.X.X.X/24 # IP address/subnet-mask of local network
dns_server=Y.Y.Y.Y # IP address of DNS server (here: an address of the router itself)

# queries from the LAN to the router's own resolver
iptables -A INPUT -s $local_network -d $dns_server -p udp --dport 53 -j ACCEPT
# queries from the LAN that the router would forward to any other resolver
# (forwarded traffic traverses FORWARD, not INPUT, so this is where they must be dropped)
iptables -A FORWARD -s $local_network ! -d $dns_server -p udp --dport 53 -j DROP
# replies from the resolver back to the LAN
iptables -A OUTPUT -s $dns_server -d $local_network -p udp --sport 53 -j ACCEPT

If your DNS server is a caching/recursive DNS server, then you'll need to allow it to do external lookups as well:

iptables -A INPUT -d $dns_server -p udp --sport 53 -j ACCEPT
iptables -A OUTPUT -s $dns_server -p udp --dport 53 -j ACCEPT
Python Novice

You need to allow only DNS traffic from your DNS server and deny all other requests.

# Allow DNS from your IP
iptables -A INPUT -p udp --dport 53 -s <source IP> -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -s <source IP> -j ACCEPT

# Deny all other requests
iptables -A INPUT -p udp --dport 53 -j DROP
iptables -A INPUT -p tcp --dport 53 -j DROP

Check the answer here: Block all incoming DNS requests EXCEPT from IPs x,y

MohyedeenN
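The two filtering answers above describe allow-then-drop rules; as an added example that is code from neither answer, here is a POSIX shell script that emits the equivalent rules in the FORWARD chain (where LAN-to-Internet DNS actually passes on a router), logs each dropped query with a recognisable prefix, and includes a small parser that tallies, per client, how many queries the router dropped and how many distinct outside resolvers were attempted. The network, resolver address, the "DNS-BYPASS:" prefix and the sample kernel log lines are all constructed placeholders; the log format is the usual netfilter LOG target output.

```shell
#!/bin/sh
# Added example (not from any answer on this page). IPTABLES defaults to
# "echo iptables" so the rules are printed rather than applied.

: "${IPTABLES:=echo iptables}"

# Allow DNS from the LAN only towards the local resolver; log, then drop, the
# rest. Rules go in FORWARD because routed traffic never traverses INPUT.
# lan_net and dns_ip are placeholders.
dns_filter_rules() {
    lan_net=$1   # e.g. 192.168.1.0/24
    dns_ip=$2    # local resolver address
    for proto in udp tcp; do
        $IPTABLES -A FORWARD -s "$lan_net" -d "$dns_ip" -p "$proto" --dport 53 -j ACCEPT
        $IPTABLES -A FORWARD -s "$lan_net" -p "$proto" --dport 53 \
            -m limit --limit 10/min -j LOG --log-prefix "DNS-BYPASS: "
        $IPTABLES -A FORWARD -s "$lan_net" -p "$proto" --dport 53 -j DROP
    done
}

# Reads kernel log lines on stdin and prints one line per client:
#   <client> <dropped queries> <distinct resolvers tried>
# sorted by the number of dropped queries, highest first.
bypass_summary() {
    grep 'DNS-BYPASS:' | awk '{
        src = ""; dst = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DST=/) dst = substr($i, 5)
        }
        if (src != "") {
            n[src]++
            if (!((src SUBSEP dst) in seen)) { seen[src SUBSEP dst] = 1; d[src]++ }
        }
    } END { for (s in n) print s, n[s], d[s] }' | sort -k2,2nr
}

# Constructed sample log: two clients, one of them trying two outside resolvers,
# plus an unrelated kernel line that the parser must ignore.
SAMPLE_LOG='Oct 13 13:30:01 router kernel: DNS-BYPASS: IN=eth0 OUT=eth1 SRC=192.168.1.23 DST=8.8.8.8 LEN=60 PROTO=UDP SPT=51234 DPT=53
Oct 13 13:30:02 router kernel: DNS-BYPASS: IN=eth0 OUT=eth1 SRC=192.168.1.23 DST=8.8.8.8 LEN=60 PROTO=UDP SPT=51235 DPT=53
Oct 13 13:30:05 router kernel: eth1: link is up
Oct 13 13:30:07 router kernel: DNS-BYPASS: IN=eth0 OUT=eth1 SRC=192.168.1.23 DST=1.1.1.1 LEN=72 PROTO=TCP SPT=40022 DPT=53
Oct 13 13:31:10 router kernel: DNS-BYPASS: IN=eth0 OUT=eth1 SRC=192.168.1.40 DST=8.8.8.8 LEN=60 PROTO=UDP SPT=55001 DPT=53'

# Demo: print the rules, then the summary of the constructed log.
dns_filter_rules 192.168.1.0/24 192.168.1.1
printf '%s\n' "$SAMPLE_LOG" | bypass_summary
```

The `-m limit` on the LOG rule keeps a misconfigured or chatty client from flooding the kernel log; the DROP rule that follows is not rate-limited, so the policy still applies to every packet.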