Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 7 replies
  • Subscribers 2 subscribers
  • Views 4921 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Force DNS traffic to 1 set of DNS servers

andywhite
A few smarter employees have been changing the DNS server settings on their computers.  Since they absolutely must have admin access on those pc's I need to be able to force all traffic associated with DNS to go to one pair of DNS servers.  (in this case DynDNS.)  

What's the best practice for such a thing?

I'm guessing forward all traffic on port 53... but not sure how to do it.


This thread was automatically locked due to age.
Parents
  • 0
    Hi, 

    use Astaro's DNS server and don't allow any other outbound DNS traffic 

    OR

    create a network group for the openDNS resolvers, and a couple of packetfilter rules:
    1. allow outbound DNS to the OpenDNS group
    2. drop or deny all dns traffic.

    #1 will allow the traffic, #2 will deny traffic to any other DNS servers

    Barry
  • 0 in reply to BarryG
    Barry: Could he not also do a Full NAT like the following?

    Traffic Source: Internal (Network)
    Traffic Service: DNS
    Traffic Destination: Any

    NAT mode: Full NAT

    Destination: DNS-Server
    Destination Service:

    Source: External (WAN) (Address)
    Source Service:

    I would think it'd transparently intercept any outgoing DNS requests and route them to the host(s) the OP chose. Would also get around having to explain to the users why they're not supposed to change DNS information. Like we don't already have enough on our plates. [;)]
Reply
  • 0 in reply to BarryG
    Barry: Could he not also do a Full NAT like the following?

    Traffic Source: Internal (Network)
    Traffic Service: DNS
    Traffic Destination: Any

    NAT mode: Full NAT

    Destination: DNS-Server
    Destination Service:

    Source: External (WAN) (Address)
    Source Service:

    I would think it'd transparently intercept any outgoing DNS requests and route them to the host(s) the OP chose. Would also get around having to explain to the users why they're not supposed to change DNS information. Like we don't already have enough on our plates. [;)]
Children
No Data