Aspirant

Preventing circumvention of OpenDNS with firewall rules

Hi,

I am attempting to set up my FVS318Gv2 firewall so it will block all DNS queries that are not to OpenDNS.

I was using this article for reference.

To do this, I created a list of outbound rules. The first two block all DNS for UDP and TCP. The next four allow DNS to the OpenDNS IPs. According to the manual, this is the correct order:

"you should place the most strict rules at the top"

My hope was that the allow rules would override the block rules. According to OpenDNS's documentation:

"The first rule trumps the second rule, so any requests to OpenDNS are allowed but any DNS requests to any other IP are blocked."

I've tried adding these in the reverse order and using port 53 instead of the built-in services, but whatever I try blocks all DNS requests.

Am I adding these rules wrong? What else could I try?

Here is a screenshot of my configuration (the block rules are disabled so people can use the internet, but were enabled for my setup):

Rules

Thank you!

-Joel

Model: FVS318Gv2|ProSafe gigabit 8 port VPN firewall
Message 1 of 6

Accepted Solutions
Aspirant

Re: Preventing circumvention of OpenDNS with firewall rules

Mainly a stupid mistake of putting the IPs in the LAN space instead of the WAN space. Also, it seems the rules should be the other way. Seems a bit backwards to the way things usually work.

Here are my final settings for future reference:

Rules 2

Message 2 of 6
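The question and the accepted answer together describe the two things that bit here: rule order under first-match evaluation, and which address field (LAN vs WAN) the OpenDNS IPs belong in. The simulator below is an added example, not code from the thread or from NETGEAR firmware. It models a firewall that applies the first matching outbound rule (the behaviour the OpenDNS documentation quoted above describes) and runs both rule orders over constructed sample traffic. The OpenDNS resolver addresses 208.67.222.222 and 208.67.220.220 are assumed, since the thread shows its IPs only in a screenshot; the default-allow policy for unmatched traffic is likewise an assumption about a typical SOHO firewall.

```python
"""First-match evaluation of an ordered outbound rule list (added example).

Shows why "block all DNS" rules placed above "allow DNS to OpenDNS" rules
block every query, while the reverse order allows only OpenDNS.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# OpenDNS public resolver addresses (assumed; not listed in the thread text).
OPENDNS_RESOLVERS = ("208.67.222.222", "208.67.220.220")


@dataclass(frozen=True)
class Rule:
    """One outbound rule; 'any' / None act as wildcards."""
    action: str            # "ALLOW" or "BLOCK"
    proto: str             # "udp", "tcp" or "any"
    dst: str               # WAN-side destination host or CIDR, or "any"
    dport: Optional[int]   # destination port, None for any

    def matches(self, proto: str, dst_ip: str, dport: int) -> bool:
        if self.proto != "any" and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        if self.dst != "any":
            net = ipaddress.ip_network(self.dst, strict=False)
            if ipaddress.ip_address(dst_ip) not in net:
                return False
        return True


@dataclass(frozen=True)
class Packet:
    proto: str
    dst_ip: str
    dport: int


def evaluate(rules: List[Rule], pkt: Packet, default: str = "ALLOW") -> Tuple[str, Optional[int]]:
    """First-match semantics: the first matching rule decides, else the default policy."""
    for index, rule in enumerate(rules):
        if rule.matches(pkt.proto, pkt.dst_ip, pkt.dport):
            return rule.action, index
    return default, None


def dns_ruleset(allow_first: bool) -> List[Rule]:
    """The six rules from the thread: two block-all DNS rules, four OpenDNS allow rules."""
    block_all = [Rule("BLOCK", "udp", "any", 53), Rule("BLOCK", "tcp", "any", 53)]
    allow_opendns = [Rule("ALLOW", proto, ip, 53)
                     for ip in OPENDNS_RESOLVERS for proto in ("udp", "tcp")]
    return allow_opendns + block_all if allow_first else block_all + allow_opendns


# Constructed sample traffic: two queries to OpenDNS, one to some other
# resolver (TEST-NET-3 address), and an HTTPS flow no DNS rule should touch.
SAMPLE_TRAFFIC = [
    Packet("udp", "208.67.222.222", 53),
    Packet("tcp", "208.67.220.220", 53),
    Packet("udp", "203.0.113.10", 53),
    Packet("tcp", "203.0.113.10", 443),
]


def outcomes(allow_first: bool) -> Dict[Tuple[str, str, int], str]:
    """Verdict for each sample packet under the chosen rule order."""
    rules = dns_ruleset(allow_first)
    return {(p.proto, p.dst_ip, p.dport): evaluate(rules, p)[0] for p in SAMPLE_TRAFFIC}


if __name__ == "__main__":
    for order, label in ((False, "block rules first (original attempt)"),
                         (True, "allow rules first (accepted fix)")):
        print(f"--- {label} ---")
        for (proto, ip, port), verdict in outcomes(order).items():
            print(f"{proto:>3} -> {ip}:{port:<3}  {verdict}")
```

With the block rules on top, the OpenDNS queries hit rule 0 or 1 and never reach their allow rules, which is exactly the "blocks all DNS requests" symptom in the question; the "most strict rules at the top" advice from the manual only works on a firewall that evaluates the whole list and lets a later rule override, which this one evidently does not. Note that the `dst` field here is the WAN-side destination, matching the accepted answer's point that the resolver IPs belong in the WAN space, and that port-53 rules say nothing about DNS carried over HTTPS or TLS on other ports.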

All Replies
NETGEAR Employee Retired

Re: Preventing circumvention of OpenDNS with firewall rules

Hello joelphilippage,

Thank you for sharing your solution with us. I suggest editing the image you have posted, since it is showing public IP addresses (assuming these are your WAN addresses). If you post your WAN address on the internet, you are taking a very big risk of exposing your network to anyone.

Thanks,

JohnRo
NETGEAR® Community Team
Message 3 of 6
Aspirant

Re: Preventing circumvention of OpenDNS with firewall rules

These are OpenDNS's WAN addresses, not ours. Thanks for making sure.

Message 4 of 6
Aspirant

Re: Preventing circumvention of OpenDNS with firewall rules

I have a question about your configuration. I am trying to do the same thing. Do you need to have the configuration in the inbound rules also? I would think it would just be outbound.

Thanks for posting your solution!!!!

D

Message 5 of 6
Aspirant

Re: Preventing circumvention of OpenDNS with firewall rules

No. I found that wasn't necessary. Thanks for checking.

Message 6 of 6