Preventing circumvention of OpenDNS with firewall rules
Hi,
I am attempting to set up my FVS318Gv2 Firewall so it will block all DNS queries that are not from OpenDNS.
I was using this article for reference.
To do this, I created a list of outbound rules. The first two block all DNS for UDP and TCP. The next four allow DNS on the OpenDNS IPs. According to the manual, this is the correct order:
"you should place the most strict rules at the top"
My hope was that the allow rules would override the block rules. According to OpenDNS's documentation:
"The first rule trumps the second rule, so any requests to OpenDNS are allowed but any DNS requests to any other IP are blocked."
I've tried adding these in the reverse order and using port 53 instead of the built in services but whatever I try blocks all DNS requests.
Am I adding these rules wrong? What else could I try?
Here is a screenshot of my configuration (The block rules are disabled so people can use the internet, but were enabled for my setup)
Thank you!
-Joel
Accepted Solutions
Mainly a stupid mistake of putting the IPs in the LAN space instead of the WAN space. Also it seems the rules should be the other way. Seems a bit backwards to the way things usually work.
Here are my final settings for future reference:
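As an added example that is not part of the original thread: a small first-match model of the outbound rule set being discussed, showing why each of the two mistakes in the post above (OpenDNS addresses typed into the LAN field, and block rules listed ahead of the allow rules) ends up blocking every DNS query, and what the corrected order lets through. It assumes the firewall evaluates outbound rules top-down and stops at the first match, that the OpenDNS resolvers are 208.67.222.222 and 208.67.220.220, and uses constructed sample addresses from the 192.0.2.0/24 documentation range for "some other resolver".

```python
"""First-match model of the FVS318Gv2 outbound DNS rules from this thread (added example,
not the router's own logic). Assumes top-down, first-match evaluation."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import product
from typing import Optional

OPENDNS = ("208.67.222.222", "208.67.220.220")   # assumed OpenDNS resolver addresses
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    action: str               # "ALLOW" or "BLOCK"
    proto: str                # "udp", "tcp" or "any"
    dst_port: Optional[int]   # None matches every destination port
    lan_net: str = ANY        # LAN (source) side of the rule
    wan_net: str = ANY        # WAN (destination) side of the rule

    def matches(self, proto: str, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        return (self.proto in ("any", proto)
                and self.dst_port in (None, dst_port)
                and ip_address(src_ip) in ip_network(self.lan_net)
                and ip_address(dst_ip) in ip_network(self.wan_net))


def evaluate(rules, proto, src_ip, dst_ip, dst_port, default="ALLOW") -> str:
    """Return the action of the first matching rule, or the default outbound policy."""
    for rule in rules:
        if rule.matches(proto, src_ip, dst_ip, dst_port):
            return rule.action
    return default


def block_all_dns():
    """The two 'block all DNS' rules: UDP/53 and TCP/53 to any destination."""
    return [Rule("BLOCK", p, 53) for p in ("udp", "tcp")]


def allow_opendns(field: str):
    """The four OpenDNS allow rules; `field` is which side of the rule holds the IP."""
    return [Rule("ALLOW", p, 53, **{field: f"{ip}/32"})
            for ip, p in product(OPENDNS, ("udp", "tcp"))]


RULESETS = {
    # original attempt: block rules on top, OpenDNS IPs typed into the LAN field
    "block_first_lan_field": block_all_dns() + allow_opendns("lan_net"),
    # order fixed but IPs still in the LAN field: allow rules never match a LAN client
    "allow_first_lan_field": allow_opendns("lan_net") + block_all_dns(),
    # IPs moved to the WAN field but block rules still on top: block always wins
    "block_first_wan_field": block_all_dns() + allow_opendns("wan_net"),
    # the accepted solution: allow rules on top, IPs in the WAN field
    "allow_first_wan_field": allow_opendns("wan_net") + block_all_dns(),
}

LAN_CLIENT = "192.168.1.50"   # constructed LAN host


def probe(name: str) -> dict:
    """Run four constructed outbound packets through the named rule set."""
    rules = RULESETS[name]
    return {
        "udp53_to_opendns": evaluate(rules, "udp", LAN_CLIENT, OPENDNS[0], 53),
        "tcp53_to_opendns": evaluate(rules, "tcp", LAN_CLIENT, OPENDNS[1], 53),
        "udp53_to_other":   evaluate(rules, "udp", LAN_CLIENT, "192.0.2.53", 53),
        # DNS over TLS on 853 is never touched by port-53 rules: a caveat of this approach
        "tcp853_to_other":  evaluate(rules, "tcp", LAN_CLIENT, "192.0.2.53", 853),
    }


if __name__ == "__main__":
    for name in RULESETS:
        print(f"{name:24s} {probe(name)}")
```

Only the last rule set returns ALLOW for OpenDNS and BLOCK for any other port-53 destination; the other three block all DNS, which is the symptom described in the question. The fourth probe is the caveat a practitioner should keep in mind: rules scoped to port 53 do nothing against a client that resolves over DNS over TLS (853) or DNS over HTTPS (443), so this setup pins plain DNS only.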
Re: Preventing circumvention of OpenDNS with firewall rules
Hello joelphilippage,
Thank you for sharing your solution with us. I suggest editing the image you have posted since they are showing public IP addresses (assuming these are your WAN addresses). If you post your WAN address on the internet, you are taking a very big risk of exposing your network to anyone.
Thanks,
Re: Preventing circumvention of OpenDNS with firewall rules
These are OpenDNS's WAN addresses, not ours. Thanks for making sure.
Re: Preventing circumvention of OpenDNS with firewall rules
I have a question about your configuration. I am trying to do the same thing. Do you need to have the configuration in the inbound rules also? I would think it would just be outbound.
Thanks for posting your solution!!!!
D
Re: Preventing circumvention of OpenDNS with firewall rules
No. I found that wasn't necessary. Thanks for checking.