topic Re: Redirecting DNS in Firewall and Security Management

Redirecting DNS

Lockout888 — Sun, 20 Oct 2019 19:55:52 GMT

Running R80.30 for home use, and I want to force my kids devices to use OpenDNS Family Shield DNS Servers, while allowing other devices to use regular DNS Servers.

I was able to do this with DD-WRT via MAC address by using these commands. Even if the DNS Servers were changed on the device manually, they were forced to use Family Shield.

iptables -t nat -I PREROUTING -i br0 -m mac --mac-source ##:##:##:##:##:## -p udp --dport 53 -j DNAT --to 208.67.222.123
iptables -t nat -I PREROUTING -i br0 -m mac --mac-source ##:##:##:##:##:## -p tcp --dport 53 -j DNAT --to 208.67.222.123

How do I accomplish this in GAIA?

Re: Redirecting DNS

PhoneBoy — Tue, 22 Oct 2019 21:23:51 GMT

You cannot write rules in terms of a MAC address in the Check Point security policy.
You can do it by IP and create NAT rules, however, with similar effect.

Re: Redirecting DNS

Maarten_Sjouw — Wed, 23 Oct 2019 09:01:08 GMT

Make sure in your DHCP the kids always get the same IP, then setup an NAT rule with service DNS and their source IP's (in a group) and in the translated add the correct destination DNS server IP.
In the original destination you can test to see if any is allowed, otherwise create a group with known 'Open' DNS servers like 1.1.1.1 Cloudflare, 8.8.8.8 Google, 208.67.220.220 OpenDNS and your providers' DNS servers.

Re: Redirecting DNS

Lockout888 — Sun, 27 Oct 2019 19:44:33 GMT

I have Original Source = IP Address Range. Original Service = DNS. Original Destination will not allow Any.

When I create a Group for Original Destination and add some common DNS Servers to it, I get this error:

- NAT Rule 9: You cannot use the Network Group (DNS_Common) as the Original Destination.
The Network Group is only valid if the value of the matching translated column is 'Original'.
- Policy verification failed.
--------------------------------------------------------------------------------

Re: Redirecting DNS

cezar_varlan1 — Tue, 05 Nov 2019 13:30:51 GMT

I have a similar case where some LAN computers have the CKP GW address as DNS. As this one is GAIA, and not GAIA Embedded, it does not support DNS forwarding. I have tried a NAT rule and it does not work properly.

Any ideas on how to approach this subject raised by the original poster?

It looks like bind-like is basic functionality yet it is missing in CKP. The previous firewall was pfSense and we replaced that. Now we have noticed we have some missing functionality - and yes we can just reconfigure all clients to use proper DNS but that is not the point. The point is rather to force unruly or rogue clients (maybe on wifi) to use a filtered or specific DNS and not whatever they like DNS

Re: Redirecting DNS

PhoneBoy — Tue, 05 Nov 2019 13:58:36 GMT

It seems to me the correct approach is to block DNS to all servers but the ones you want to allow in the Access Policy.
The one(s) allowed would be provided by DHCP.

Destination NAT must be a 1 to 1 mapping (i.e. you cannot map multiple destinations to a single one using a single rule).
If you have clients that MUST use a specific DNS server that's not a preferred one, you could create a specific NAT rule that routes the request to your preferred destination.
Something like:

Original Source: Client IP range
Original Destination: 8.8.8.8
Original Service: DNS
Translated Source: Gateway (Hide)
Translated Destination: x.y.z.w
Translated Service: Original

Re: Redirecting DNS

John_Tomasetti — Tue, 21 Jan 2020 22:09:00 GMT

Yep. I have the same requirement.

RFE ID: WZD-515-34316

Re: Redirecting DNS

ClauberTeles — Sun, 01 May 2022 00:53:36 GMT

Hey @PhoneBoy
I know it's been a while since you posted this answer but I'm just replying to thank you. You're a lifesaver.

Re: Redirecting DNS

MariuszT — Tue, 13 Aug 2024 07:56:04 GMT

Hi,

I know that this topic is old, but... have anything changed in that matter? It would be nice to create only one NAT rule with source *any and prefered DNS server as destination, and not separate rules for each host.

Greetings,

Mariusz

Re: Redirecting DNS

PhoneBoy — Tue, 13 Aug 2024 14:41:39 GMT

As far as I know, nothing has changed.
However, the above rule might work better like this:

Original Source: All_Internet
Original Destination: All_Internet
Original Service: DNS
Translated Source: Gateway (Hide)
Translated Destination: x.y.z.w
Translated Service: Original

This should translate any DNS packet traversing your gateway to your preferred DNS server hidden behind the gateway's external IP.
Whether this actually works is a separate question.

dnsmasq is also available, which appears to be enabled in R82 and possible to enable in other releases.
This could be configured as a forwarding DNS server.

Re: Redirecting DNS

MariuszT — Wed, 14 Aug 2024 04:10:11 GMT

The rule you provided is not accepted during policy installation. The error is the same if in source is used *any/network/group object. It is only allowed to put host object in source field.

Re: Redirecting DNS

PhoneBoy — Wed, 14 Aug 2024 12:47:09 GMT

You did not create the rule as I described.
The Translated Source must be changed to HIDE (not static as shown)
The Translated Destination must contain the specific DNS server you want to redirect requests to.

Re: Redirecting DNS

MariuszT — Wed, 14 Aug 2024 14:33:37 GMT

Hi, Thank you for the answer, but I'm not sure what do you mean... translated source (as on the picture in previous post) is in Hide mode (letter H on it). The translated destination is the DNS server in my LAB.

If this is wrong could you please share example how should it look like?

Re: Redirecting DNS

PhoneBoy — Wed, 14 Aug 2024 18:59:23 GMT

Destination should probably be "any" instead of All_Internet...I believe that should resolve the validation issue.