Create a Post
Showing results for 
Search instead for 
Did you mean: 

Redirecting DNS

Running R80.30 for home use, and I want to force my kids devices to use OpenDNS Family Shield DNS Servers, while allowing other devices to use regular DNS Servers.

I was able to do this with DD-WRT via MAC address by using these commands. Even if the DNS Servers were changed on the device manually, they were forced to use Family Shield.

iptables -t nat -I PREROUTING -i br0 -m mac --mac-source ##:##:##:##:##:## -p udp --dport 53 -j DNAT --to
iptables -t nat -I PREROUTING -i br0 -m mac --mac-source ##:##:##:##:##:## -p tcp --dport 53 -j DNAT --to

How do I accomplish this in GAIA?


0 Kudos
6 Replies

You cannot write rules in terms of a MAC address in the Check Point security policy.
You can do it by IP and create NAT rules, however, with similar effect.
0 Kudos

Make sure in your DHCP the kids always get the same IP, then setup an NAT rule with service DNS and their source IP's (in a group) and in the translated add the correct destination DNS server IP.
In the original destination you can test to see if any is allowed, otherwise create a group with known 'Open' DNS servers like Cloudflare, Google, OpenDNS and your providers' DNS servers.
Regards, Maarten
0 Kudos

I have Original Source = IP Address Range.  Original Service = DNS. Original Destination will not allow Any.

When I create a Group for Original Destination and add some common DNS Servers to it, I get this error:

- NAT Rule 9: You cannot use the Network Group (DNS_Common) as the Original Destination.
The Network Group is only valid if the value of the matching translated column is 'Original'.
- Policy verification failed.

0 Kudos

I have a similar case where some LAN computers have the CKP GW address as DNS. As this one is GAIA, and not GAIA Embedded, it does not support DNS forwarding. I have tried a NAT rule and it does not work properly.

Any ideas on how to approach this subject raised by the original poster?

It looks like bind-like is basic functionality yet it is missing in CKP. The previous firewall was pfSense and we replaced that. Now we have noticed we have some missing functionality - and yes we can just reconfigure all clients to use proper DNS but that is not the point. The point is rather to force unruly or rogue clients (maybe on wifi) to use a filtered or specific DNS and not whatever they like DNS
0 Kudos

It seems to me the correct approach is to block DNS to all servers but the ones you want to allow in the Access Policy.
The one(s) allowed would be provided by DHCP.

Destination NAT must be a 1 to 1 mapping (i.e. you cannot map multiple destinations to a single one using a single rule).
If you have clients that MUST use a specific DNS server that's not a preferred one, you could create a specific NAT rule that routes the request to your preferred destination.
Something like:

Original Source: Client IP range
Original Destination:
Original Service: DNS
Translated Source: Gateway (Hide)
Translated Destination: x.y.z.w
Translated Service: Original

Yep. I have the same requirement.

RFE ID: WZD-515-34316


0 Kudos