Preventing OpenDNS Content Bypassing
There is an update at the end of this post.
gadget3 wrote on the OpenDNS forum:
“Hello,
I’m using OpenDNS for a short time, but I can’t solve the problem “using manual DNS”…
If a user PC’s settings are all automatic, OpenDNS works perfectly; but if a user changes the DNS settings on his own PC to another DNS, he passes the OpenDNS security system…
What can I do about this problem?
Thanks.”
This is an easy problem to fix for users of Untangle Firewall. You can see the rules in the picture: green is outgoing GOOD DNS traffic (passed), red is outgoing BAD DNS traffic (blocked).
1. Create a rule that passes your outgoing DNS traffic to the OpenDNS servers. I created a separate rule for each of the two OpenDNS IP addresses (I like complicated).
- Traffic Type: Any
- Client Interface: Internal
- Server Interface: Any (probably could be set to external, I haven’t tried it… it works for me)
- Source Address: Any
- Destination Address: (OpenDNS IPs)
- Source Port: Any
- Destination Port: 53
2. Create a rule that blocks outgoing DNS traffic to ANY DNS server. It sits below rule 1, so the only port 53 traffic that gets out is what rule 1 already passed.
- Traffic Type: Any
- Client Interface: Internal
- Server Interface: Any (probably could be set to external, I haven’t tried it… it works for me)
- Source Address: Any
- Destination Address: Any
- Source Port: Any
- Destination Port: 53
Save settings and TEST THE RULES. Note: if you route DNS traffic through the Untangle Firewall to internal DNS servers, or to DNS servers on your VPN, you might need to tweak these rules. I haven’t had a problem with internal LAN routing to my three internal DNS servers.
In order to test your rules (if you are using Windows): open a command prompt, type “ipconfig /flushdns” and press enter. Then type “ipconfig /registerdns” and press enter. Do a tracert to a website such as Dslreports.com: type “tracert www.dslreports.com” and press enter. You should see “Tracing route to www.dslreports.com [IP ADDRESS]”.
Now, open your network settings and manually set your DNS IP addresses to something other than automatic and/or OpenDNS servers, for example: 4.2.2.1 and 4.2.2.2 (Level3 DNS servers).
Do the same steps as above: open a command prompt, type “ipconfig /flushdns” and press enter. Then type “ipconfig /registerdns” and press enter. Do a tracert to a website such as Dslreports.com: type “tracert www.dslreports.com” and press enter. This time you should get a message that reads “Unable to resolve target system name www.dslreports.com”, because the query to the Level3 servers was blocked by rule 2.
There ya go, DNS bypassing prevented.
P.S.: don’t forget to set your DNS servers back to the original settings when you are done!
Update: These rules should be general in the sense that a Linksys, Netgear, or similar firewall application that allows for firewall rules, not just Untangle Firewall, should work. Just apply the “concept” to your firewall. Let me know how it works out!
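As an added illustration (not code from the post or from Untangle), here are the two rules modelled in Python with the first-match evaluation a rule-based firewall uses, so you can see why the OpenDNS pass rule must sit above the catch-all block. The OpenDNS resolver addresses, the 192.168.1.0/24 LAN and the client address are assumed values for the example.

```python
from ipaddress import ip_address, ip_network

# Assumption: OpenDNS's public resolver addresses; use the ones your OpenDNS dashboard lists.
OPENDNS_IPS = {ip_address("208.67.222.222"), ip_address("208.67.220.220")}
# Constructed example: the LAN sitting behind the firewall's "Internal" interface.
INTERNAL_NET = ip_network("192.168.1.0/24")

# One tuple per rule: (name, action, traffic type or None for Any,
#                      destination IP set or None for Any, destination port or None for Any)
RULES = [
    ("1: DNS to OpenDNS", "pass", None, OPENDNS_IPS, 53),
    ("2: DNS to any other server", "block", None, None, 53),
]


def evaluate(rules, src, dst, proto, dport):
    """First-match evaluation, the way a rule-based firewall walks its list.

    Returns the action of the first rule that matches, or "pass" when none does
    (so ordinary traffic on other ports is untouched)."""
    if ip_address(src) not in INTERNAL_NET:
        return "pass"  # both rules are scoped to Client Interface: Internal
    for _name, action, rule_proto, dst_set, port in rules:
        if rule_proto is not None and rule_proto != proto:
            continue
        if dst_set is not None and ip_address(dst) not in dst_set:
            continue
        if port is not None and port != dport:
            continue
        return action
    return "pass"


def rules_work(rules):
    """The post's two manual tests: a query to OpenDNS passes, one to 4.2.2.1 is blocked."""
    client = "192.168.1.10"  # constructed LAN client
    return (evaluate(rules, client, "208.67.222.222", "udp", 53) == "pass"
            and evaluate(rules, client, "4.2.2.1", "udp", 53) == "block")


if __name__ == "__main__":
    print("rules in order:", rules_work(RULES))                  # True
    print("rules swapped :", rules_work(list(reversed(RULES))))  # False: the block rule shadows the pass rule
```

Because rule 2 uses Traffic Type: Any, a TCP query on port 53 to a non-OpenDNS server is blocked just like a UDP one.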



I don’t know what any of the above means, but I do know I miss you. & I also know that Iowa is just not the same without you… but it’s pretty weird to begin with.
Lauren said this on July 21st, 2008 at 02:39
For the sake of having the cleanest rules, DNS queries are UDP traffic, so you can use UDP instead of ANY for the traffic type.
John Evans said this on September 25th, 2008 at 13:39
Update to this thread @ Untangle Forums: http://forums.untangle.com/showthread.php?t=5154
johndball said this on December 4th, 2008 at 14:08