Preventing OpenDNS Content Bypassing

There is an update at the end of this post.

gadget3 wrote on the OpenDNS forum:
“Hello,

I’ve been using OpenDNS for a short time, but I can’t solve the problem of “using manual DNS”…
If a user’s PC has all settings on automatic, OpenDNS works perfectly; but if a user changes the DNS settings on his own PC to another DNS server, he bypasses the OpenDNS security system…
What can I do about this problem?
Thanks.”

This is an easy problem to fix for users of Untangle Firewall. You can see the rules in the picture: green is outgoing GOOD DNS traffic (queries to OpenDNS, which are allowed), red is outgoing BAD DNS traffic (queries to any other resolver, which are blocked).

1. Create a rule that allows your outgoing DNS traffic to the OpenDNS servers. I created a separate rule for each of the two OpenDNS IP addresses (I like complicated).

  • Traffic Type: Any
  • Client Interface: Internal
  • Server Interface: Any (it could probably be set to External; I haven’t tried it, but Any works for me)
  • Source Address: Any
  • Destination Address: (OpenDNS IPs)
  • Source Port: Any
  • Destination Port: 53

2. Create a rule that blocks outgoing DNS traffic to ANY DNS server. Firewall rules are evaluated top to bottom and the first match wins, so this block rule must sit below the OpenDNS rule(s) from step 1; that way only DNS traffic that did not match an OpenDNS rule is blocked.

  • Traffic Type: Any
  • Client Interface: Internal
  • Server Interface: Any (it could probably be set to External; I haven’t tried it, but Any works for me)
  • Source Address: Any
  • Destination Address: Any
  • Source Port: Any
  • Destination Port: 53

Save the settings and TEST THE RULES. Note: if DNS traffic to internal DNS servers, or to DNS servers across your VPN, passes through the Untangle Firewall, you might need to tweak these rules (for example, by allowing those servers too, above the block rule). I haven’t had a problem with internal LAN routing to my three internal DNS servers.

To test your rules (on Windows): open a command prompt, type “ipconfig /flushdns” and press Enter. Then type “ipconfig /registerdns” and press Enter. Now trace the route to a website such as dslreports.com: type “tracert www.dslreports.com” and press Enter. You should see “Tracing route to www.dslreports.com [IP ADDRESS]”, which shows the name was resolved through OpenDNS.

Now, open your network settings and manually set your DNS IP addresses to something other than automatic and/or OpenDNS servers, for example: 4.2.2.1 and 4.2.2.2 (Level3 DNS servers).

Repeat the same steps: open a command prompt, type “ipconfig /flushdns” and press Enter. Then type “ipconfig /registerdns” and press Enter. Do a tracert to a website such as dslreports.com: type “tracert www.dslreports.com” and press Enter. This time you should get “Unable to resolve target system name www.dslreports.com”, because the firewall blocked the query to the non-OpenDNS resolver.

There ya go, DNS bypassing prevented :)

P.S.: don’t forget to set your DNS servers back to the original settings when you are done!

Update: These rules are general in the sense that a Linksys, Netgear, or similar firewall that allows custom firewall rules, not just Untangle Firewall, should work. Just apply the “concept” to your firewall. Let me know how it works out!
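To make the concept behind steps 1 and 2 concrete for any firewall, here is an added example (not from the original post or from Untangle) that models first-match rule evaluation in Python: one pass rule per OpenDNS address followed by a catch-all block on port 53, plus the tweak for an internal DNS server. The OpenDNS resolver addresses are an assumption on my part (the post just says “OpenDNS IPs”), so confirm them on your OpenDNS dashboard, and the Flow/Rule names and all traffic samples are constructed for the demo.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Flow:
    """One outbound connection as the firewall sees it (constructed for the demo)."""
    client_iface: str   # interface the client sits on: "internal" or "external"
    dst: str            # destination IP address
    proto: str          # "udp" or "tcp"; Traffic Type "Any" means both are covered
    dport: int          # destination port; DNS is 53

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                     # "pass" or "block"
    client_iface: Optional[str]     # None means "Any"
    dst_net: Optional[str]          # None means "Any"; otherwise an IP or CIDR
    dport: Optional[int]            # None means "Any"

    def matches(self, f: Flow) -> bool:
        if self.client_iface is not None and f.client_iface != self.client_iface:
            return False
        if self.dst_net is not None and ip_address(f.dst) not in ip_network(self.dst_net):
            return False
        return self.dport is None or f.dport == self.dport

# Assumed OpenDNS resolver addresses; verify them against your OpenDNS setup page.
OPENDNS_RESOLVERS = ["208.67.222.222", "208.67.220.220"]

# Same layout as the post: one pass rule per OpenDNS address, then one catch-all block.
RULES: List[Rule] = [Rule(f"pass-opendns-{ip}", "pass", "internal", ip, 53) for ip in OPENDNS_RESOLVERS]
RULES.append(Rule("block-other-dns", "block", "internal", None, 53))

def decide(flow: Flow, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """First-match evaluation, top to bottom; unmatched traffic is passed (firewall default)."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action, rule.name
    return "pass", "default"

def with_internal_dns(lan_dns: str) -> List[Rule]:
    """The tweak the post mentions for an internal DNS server: allow it above the block rule."""
    return [Rule(f"pass-lan-dns-{lan_dns}", "pass", "internal", lan_dns, 53)] + RULES

if __name__ == "__main__":
    for dst in OPENDNS_RESOLVERS + ["4.2.2.1"]:   # 4.2.2.1 is the Level3 resolver used in the test above
        print(dst, decide(Flow("internal", dst, "udp", 53)))
```

Reversing the list (block rule first) blocks OpenDNS too, which is the ordering mistake to watch for when you reproduce these rules on another firewall.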

~ by johndball on June 22, 2008.

One Response to “Preventing OpenDNS Content Bypassing”

  1. I don’t know what any of the above means, but I do know I miss you. & I also know that Iowa is just not the same without you… but it’s pretty weird to begin with.
