Hi David,

From the Network -> Firewall tab
Deny LAN->EXT TCP/UDP 0/0 0/0 53
<<inline: dns.jpg>>
This applies for both IPv4 and IPv6 if enabled. TCP is seldom used, but best to also block it.

Now for the extra credit, :-), this can't be done via the Firewall tab, but if you also add the AIF variable to your user.conf:

LAN_INET_HOST_OPEN_UDP="0/0>208.67.222.222~53 0/0>208.67.220.220~53"

That will allow the LAN to directly access the OpenDNS IPv4 servers with the Firewall tab rule applied, (also define LAN_INET_HOST_OPEN_TCP the same if you wish).

IMHO not worth the effort, why not force all LAN users to use the local caching DNS server?

Lonnie

On Jul 15, 2012, at 4:01 PM, David Kerr wrote:

> So, the OpenDNS was mentioned on this list a few days ago. I use this
> service and the mention on this list prompted me to check my settings to make
> sure that I was still appropriately blocking access to web site categories.
> And it started me thinking... it would be easy for a savvy user to
> reconfigure their client DNS settings such that it no longer pointed to
> 192.168.1.1 (or whatever AstLinux is on your network, or whatever DHCP
> returned) and instead pointed to a public DNS server, maybe my ISP's DNS
> server.
>
> So... is there a way to configure the AstLinux firewall to block DNS requests
> from any internal client to any external DNS server? In other words, enforce
> internal clients to use the AstLinux DNS server. For extra credit... a rule
> that would never-the-less permit access to the OpenDNS servers 208.67.222.222
> and 208.67.220.220.
>
> Thanks,
> David
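
The policy described in the reply above, modelled as an added example (not part of the original message and not AstLinux or AIF code): it parses the `src>dst~port` entries exactly as quoted and checks constructed LAN flows against the port 53 deny rule. It assumes only the entry form shown in the message, IPv4 only, and that the exceptions are evaluated before the deny rule, as the reply states; the client address 192.168.1.50 and resolver 198.51.100.53 are constructed samples.

```python
import ipaddress

# Values copied from the message; the TCP variable is left unset here.
LAN_INET_HOST_OPEN_UDP = "0/0>208.67.222.222~53 0/0>208.67.220.220~53"
LAN_INET_HOST_OPEN_TCP = ""

def _net(text):
    # The message writes "any" as 0/0; expand it for ipaddress (IPv4 only here).
    return ipaddress.ip_network("0.0.0.0/0" if text == "0/0" else text, strict=False)

def parse_host_open(value):
    """Parse space-separated 'src>dst~port' entries into (src_net, dst_net, port)."""
    entries = []
    for item in value.split():
        src, sep, rest = item.partition(">")
        dst, sep2, port = rest.partition("~")
        if not (sep and sep2 and port.isdigit()):
            raise ValueError(f"malformed entry: {item!r}")
        entries.append((_net(src), _net(dst), int(port)))
    return entries

def lan_dns_verdict(src, dst, proto, port):
    """Verdict for a LAN->EXT flow: exceptions first, then the deny rule on port 53."""
    value = {"udp": LAN_INET_HOST_OPEN_UDP, "tcp": LAN_INET_HOST_OPEN_TCP}[proto]
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, open_port in parse_host_open(value):
        if s in src_net and d in dst_net and port == open_port:
            return "allow"
    if port == 53:
        return "deny"      # Deny LAN->EXT TCP/UDP 0/0 0/0 53
    return "not-matched"   # left to the rest of the firewall policy

# Constructed sample flows from a hypothetical LAN client.
SAMPLE_FLOWS = [
    ("192.168.1.50", "208.67.222.222", "udp", 53),  # OpenDNS exception
    ("192.168.1.50", "198.51.100.53", "udp", 53),   # any other external resolver
    ("192.168.1.50", "208.67.222.222", "tcp", 53),  # TCP variable not defined
    ("192.168.1.50", "198.51.100.53", "tcp", 443),  # not port 53
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow, "->", lan_dns_verdict(*flow))
```

With only the UDP variable defined, TCP port 53 to the OpenDNS servers is still denied, which is why the reply suggests defining LAN_INET_HOST_OPEN_TCP the same way.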
_______________________________________________
Astlinux-users mailing list
https://lists.sourceforge.net/lists/listinfo/astlinux-users
