Blocking DNS requests with Shorewall to prevent OpenDNS Bypass

Here’s a way to block users from using a different DNS address other than your own local DNS server to bypass OpenDNS filtering. I’m currently using Shorewall in an Ubuntu 8.04 LTS server setup as my Firewall, Gateway and DNS, and works nicely. This should also work in 10.04 or other Ubuntu install that has Shorewall firewall. Side effect for the user will be that they wont be able to surf the net until they revert back to the assigned DNS to use.

In your Shorewall Rules file, add this above the other rules.


DNS/ACCEPT  $FW     net
DNS/ACCEPT  net     $FW
DNS/DROP    loc     net
DNS/DROP    net     loc

$FW is your firewall/gateway and in my setup my DNS. You can change $FW to loc:<dns_ip_address> if your DNS is located in another machine other than your gateway.

Have fun raining in on their parade 😉

P.S. You can add filters to allow certain IP or MAC addresses to use DNS outside (i.e. Google DNS ).

Leave a Reply

Your email address will not be published. Required fields are marked *