www.zeroshell.org Forum Index www.zeroshell.org
Linux Distribution for server and embedded devices
 

DNS Proxy?

 
Nigrofasciatum



Joined: 08 Jul 2015
Posts: 5

Posted: Thu Jul 16, 2015 10:02 am    Post subject: DNS Proxy?

Hi,

Using ZS as a router/firewall in my company, I want to redirect all DNS queries to my DNS server (OpenDNS 208.67.222.222), even if the client has configured a static DNS server (e.g. 8.8.8.8). It's a way to secure and filter web content.

I've configured DNS forwarder ANY (Server: 208.67.222.222) but it is not enough.

Is there any way to do this with ZS?

Thanks
gordonf



Joined: 26 Feb 2012
Posts: 88

Posted: Thu Jul 16, 2015 12:30 pm    Post subject: Aside from the obvious of blocking external DNS?

You'd have to set up two firewall rules: One on your input chain to allow traffic to your.zs.ip.addr/32:53 and one on your forwarding chain to deny traffic to 0.0.0.0/0:53. And then tell your users that using external DNS is against your terms of use.

That won't stop people from trying to use external DNS on nonstandard ports, assuming they're running a resolver that supports it. I wonder if there's a Layer 7 filter for DNS.
Nigrofasciatum



Joined: 08 Jul 2015
Posts: 5

Posted: Fri Jul 17, 2015 3:02 pm

Thanks, but I was thinking of a way to make this process "transparent" for the users.

My problem is bigger if I deny all DNS traffic; I can't control the users' configuration.

I don't want to deny traffic, only "redirect" the DNS requests, like a DNS proxy.
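The two approaches discussed so far in this thread, gordonf's allow/deny rule pair and the transparent redirect Nigrofasciatum asks for, written out as iptables commands. This is an added example, not part of any post; the interface name ETH00 and the address 192.168.0.75 are constructed sample values, and it assumes the router's DNS forwarder listens on port 53.

```shell
#!/bin/sh
# Added example (not from the thread): prints iptables commands, applies nothing.
# Sample values below (ETH00, 192.168.0.75) are constructed; substitute your own.

# dns_rules MODE LAN_IF ROUTER_IP
#   MODE=block    -> the two rules from gordonf's post (allow to router, drop forwarded)
#   MODE=redirect -> rewrite any client DNS query so the router's forwarder answers it
dns_rules() {
    mode=$1 lan_if=$2 router_ip=$3
    # Reject anything that is not a dotted quad or a plain interface name,
    # so the printed commands are safe to pipe into a shell.
    case $router_ip in
        *[!0-9.]*|'') echo "bad router IP: $router_ip" >&2; return 2 ;;
    esac
    case $lan_if in
        *[!A-Za-z0-9._-]*|'') echo "bad interface: $lan_if" >&2; return 2 ;;
    esac
    # DNS uses TCP as well as UDP (large answers), so cover both.
    for proto in udp tcp; do
        case $mode in
            block)
                echo "iptables -A INPUT -i $lan_if -p $proto -d $router_ip/32 --dport 53 -j ACCEPT"
                echo "iptables -A FORWARD -i $lan_if -p $proto --dport 53 -j DROP"
                ;;
            redirect)
                # Queries already addressed to the router are left alone;
                # everything else on port 53 is redirected to the local resolver.
                echo "iptables -t nat -A PREROUTING -i $lan_if -p $proto ! -d $router_ip --dport 53 -j REDIRECT --to-ports 53"
                echo "iptables -A INPUT -i $lan_if -p $proto --dport 53 -j ACCEPT"
                ;;
            *) echo "usage: dns_rules block|redirect LAN_IF ROUTER_IP" >&2; return 2 ;;
        esac
    done
}

# Print the transparent-redirect rule set for the constructed sample network.
dns_rules redirect ETH00 192.168.0.75
```

Like the blocking rules, the redirect only catches port 53; a resolver reached on a nonstandard port is untouched, as gordonf points out above.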
gordonf



Joined: 26 Feb 2012
Posts: 88

Posted: Fri Jul 17, 2015 5:37 pm    Post subject: What kind of network is this, anyway?

Is this a corporate network or a public access network, or something along those lines? I would have expected blocking everything and then using some kind of proxy server (transparent or otherwise) would be standard procedure.

If you're using DHCP you control the DNS settings for clients already. If someone really needs a static address you can do reservations or even hand-configure a device and still specify a local DNS server.

I guess I don't understand why a company network would even give the illusion of letting its users use external services directly.

If you're trying to get around geofencing though, keep me away from that.
All times are GMT