How to force network clients to use specific DNS server?

blackguyza · Apr 27, 2024

I am a network administrator at a high school and after setting up a pi-hole to restrict access to certain websites I realized that some learners are able to bypass the settings by changing the DNS settings on their mobile phones to something like 8.8.8.8.

I am running an Ubuntu 20.04.6 LTS server as the DHCP server.

My pi-hole is running on another Ubuntu server and this is our school's main DNS server used to block traffic from unwanted websites.

grim42 · Apr 27, 2024

You can intercept DNS requests and redirect them to your internal DNS server. That needs to be done on the router (is your DHCP server also your router?).

For example, something along these lines using iptables (although this will depend on how your firewall is setup):
iptables -t nat -A PREROUTING -i <interface> -p udp --dport 53 -j DNAT --to <DNS_server_IP>:53

Clean Green · Apr 27, 2024

grim42 said:
You can intercept DNS requests and redirect them to your internal DNS server. That needs to be done on the router (is your DHCP server also your router?).

For example, something along these lines using iptables (although this will depend on how your firewall is setup):
iptables -t nat -A PREROUTING -i <interface> -p udp --dport 53 -j DNAT --to <DNS_server_IP>:53

What is the plan with DoH?

bwana · Apr 27, 2024

Why are you letting phones in the network in the first place?

blackguyza · Apr 27, 2024

bwana said:
Why are you letting phones in the network in the first place?

Because we have a shortage of computer resources at school and the better way is to allow learners to use their phones to access the internet and download past question papers, do their assignments, etc.

lkpat · Apr 27, 2024

The solution depends on your gateway/router and what it’s capable of.

Speedster · Apr 27, 2024

If it was me, I'd do a couple of things. First I'd switch out pi-hole for adguard home. Then I'll see which devices are connecting but not using adguard and ban them.

SauRoNZA · Apr 27, 2024

Simply block port 53 for everything but your own DNS server.

Or if your infrastructure allows it automatically forward that traffic to your own server.

blackguyza · May 1, 2024

lkpat said:
The solution depends on your gateway/router and what it’s capable of.

My gateway and router is a Linux OS (Ubuntu 20.04) so it capable of everything. I just don't know what to setup and how.

blackguyza · May 1, 2024

lkpat said:
The solution depends on your gateway/router and what it’s capable of.

My gateway and router is a Linux OS (Ubuntu 20.04) so it capable of everything. I just don't know what to setup and how.

StefanB7 · May 1, 2024

How about using pfsense on the router, then you could use something like pfBlocker-NG

Edit: Looks like not recommended, check video

r00igev@@r · May 1, 2024

blackguyza said:
My gateway and router is a Linux OS (Ubuntu 20.04) so it capable of everything. I just don't know what to setup and how.

You can run a blacklist for known DOH servers. I created a script called DNSgate for that. Google it.
Also to block phones just kill port 853. Phones use DOT.

longboy · May 1, 2024

You are going about this the wrong way. You do not need to block anything - you need to find the kinners who are viewing porn and take the cane to them.

r00igev@@r · May 1, 2024

This is the Linux script:

DNSgate - script to block access to DoH so that a business is able to implement content filtering

Keep your network secure with DNSgate on Linux! ️ This article walks you through the simple steps to deploy DNSgate, a powerful configuration script that blocks network access to DNS over HTTPS (DOH). Say goodbye to potential security risks and take control of your network's DNS traffic!

hubandspoke.amastelek.com

Bliksis · May 1, 2024

Aghori said:
You are going about this the wrong way. You do not need to block anything - you need to find the kinners who are viewing porn and take the cane to them.

And those that download Linux distros

nslalu · May 10, 2024

blackguyza said:
My gateway and router is a Linux OS (Ubuntu 20.04) so it capable of everything. I just don't know what to setup and how.

Persosnally I with get a mikrotik ( a lot easier to set rules etc than using Linux FW)
and DNS filtering subscription

gregmcc · May 10, 2024

Setup a FW rule to block external DNS requests out and only allow the pihole out.

getafix33 · May 12, 2024

pFsense firewall rule

Join the MyBroadband community

Get started

How to force network clients to use specific DNS server?

blackguyza

Well-Known Member

grim42

Active Member

Clean Green

Senior Member

bwana

MyBroadband

blackguyza

Well-Known Member

lkpat

Executive Member

Speedster

Honorary Master

SauRoNZA

Honorary Master

blackguyza

Well-Known Member

blackguyza

Well-Known Member

StefanB7

Well-Known Member

r00igev@@r

Honorary Master

longboy

Honorary Master

r00igev@@r

Honorary Master

DNSgate - script to block access to DoH so that a business is able to implement content filtering

Bliksis

Honorary Master

nslalu

Member

gregmcc

Honorary Master

getafix33

Expert Member