
How to force certain clients to use certain DNS servers?

Hello everyone, I hope someone can help me. I am new to Sophos UTM 9.4 and I wonder if it is possible to force certain clients, based on their static IP addresses, to use certain DNS servers?

For instance:

All network (19.20.21.1 to 19.20.21.254) uses Google DNS server

but I would like to force 19.20.21.10 and 19.20.21.21 clients to use opendns server.

Is this possible? What needs to be configured?

Thanks in advance.



  • Hm... not a case for the firewall, I think...

    Set up a DHCP server for your network (19.20.21.0... hm, not a private address, hope you own these).

    The DHCP server gives the Google DNS servers out.

    The 2 clients are set up with a fixed config using the OpenDNS server.

    On the firewall you then need rules which allow DNS traffic to the Google DNS and OpenDNS servers.

    There are many ways you can get your needs running... it's just one quick way ;-)

  • Thank you zaphod for the reply.

    Sorry, I just used any IP address to give the example.

    The situation is that I do not want to set the fixed DNS server directly in the clients.

    I come from running Asuswrt Merlin in a very old Asus router and here I can set this up very easily. But now I was trying to improve my home network security by using Sophos UTM. So I wonder if there was also an easy way to do this in the Sophos UTM.

    They call it DNS-based filtering.

    I have the central router dhcp server configured to 8.8.8.8 dns for the whole network.

    But then, I have a few MAC addresses, to which the router leases static IPs, forced to use the OpenDNS server.

    This works very well.

    Regards and thank you again.


  • Hi, Jose, and welcome to the UTM Community!

    Good question - this is possible, and can be done easily.

    I would configure 'DNS' in the UTM and your network according to DNS best practice, but have only the subnets in 'Allowed Networks' that should use Google.  Then, use a DNAT or Full NAT that forwards all port 53 traffic to OpenDNS for the DNS requests coming from the IPs statically assigned.

    You will learn that WebAdmin works mostly with CIDR notation, so this solution is easier to implement if your DHCP server has a simple CIDR block for the dynamically assigned IPs.  Note also that the UTM DHCP server does not use "reservations" as does Microsoft's - the dynamic range cannot overlap the range of statically-assigned addresses.

    Cheers - Bob
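To make concrete what Bob's DNAT / Full NAT rule does at the packet level, here is an added example (not from the thread and not Sophos UTM's own configuration; WebAdmin generates its rules itself) that prints the equivalent Linux iptables rules for a plain netfilter box. It assumes the two client IPs from the question and one of OpenDNS's published resolver addresses, 208.67.222.222; rules are printed, not applied, so they can be reviewed before being run as root.

```bash
#!/bin/sh
# Added example: iptables equivalent of "forward all port 53 traffic from the
# statically assigned clients to OpenDNS". Not Sophos UTM code.

# Assumed values (constructed from the question plus OpenDNS's public resolver).
FORCED_CLIENTS="19.20.21.10 19.20.21.21"
OPENDNS="208.67.222.222"

# DNAT: rewrite the destination of DNS (UDP and TCP, port 53) from one source
# before routing, so the client may point at 8.8.8.8 and still reach $dst.
# TCP is included because large answers and zone transfers fall back to it.
dns_dnat_rules() {
  src="$1"; dst="$2"
  for proto in udp tcp; do
    printf 'iptables -t nat -A PREROUTING -s %s -p %s --dport 53 -j DNAT --to-destination %s:53\n' \
      "$src" "$proto" "$dst"
  done
}

# Full NAT: DNAT plus source NAT on the way out, so the resolver's reply comes
# back through the firewall even when the resolver sits behind another interface.
full_nat_rules() {
  dns_dnat_rules "$1" "$2"
  for proto in udp tcp; do
    printf 'iptables -t nat -A POSTROUTING -d %s -p %s --dport 53 -j MASQUERADE\n' \
      "$2" "$proto"
  done
}

# Filter rule so the redirected traffic is actually permitted after the rewrite
# (zaphod's point: NAT alone does not allow the traffic).
dns_allow_rule() {
  printf 'iptables -A FORWARD -s %s -d %s -p udp --dport 53 -j ACCEPT\n' "$1" "$2"
  printf 'iptables -A FORWARD -s %s -d %s -p tcp --dport 53 -j ACCEPT\n' "$1" "$2"
}

# Number of nat-table rules one Full NAT client needs (2 DNAT + 2 MASQUERADE).
full_nat_rule_count() {
  full_nat_rules "$1" "$2" | wc -l | tr -d ' '
}

# Note: this covers classic DNS on port 53 only; DNS over TLS (853) or DNS over
# HTTPS (443) is outside the scope of a port-53 redirect.
for c in $FORCED_CLIENTS; do
  full_nat_rules "$c" "$OPENDNS"
  dns_allow_rule "$c" "$OPENDNS"
done
```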

  • Thank you Bob for your reply.

    I will give it a try. I already have the DNS configured according to the best practice as you suggest. However, I have only one subnet in my setup. I have all the eth ports and wlan working in bridge mode with a single subnet. I guess the DNAT or Full NAT rule should do the trick anyway, do you think otherwise?

    Anyway, I will give it a try and report back.

    Regards...