dns interception

ewing
ewing Posts: 17  Freshman Member
edited April 2021 in Security
Hi,
I want to force users to use a specified DNS server; I need to redirect all DNS requests to the Zyxel. Is it possible?

Comments

  • Ian31
    Ian31 Posts: 174  Master Member
    You can play a trick :) 
    Use a NAT rule to redirect all TCP/UDP port 53 traffic into the USG.
    Note: put this rule as the first rule, on top of the others.

  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    Thanks for Ian31's nice solution.
    Hello ewing,
    You can follow Ian31's way to force all LAN1 users to do DNS queries via the USG DNS server.

    Charlie
  • ewing
    ewing Posts: 17  Freshman Member
    If necessary, the firewall rule

  • Ian31
    Ian31 Posts: 174  Master Member
    The firewall rule needs to allow clients to reach the DNS server port on the USG.
    In the general case, the device firewall rule "LAN_to_Device" already covers it.
    So you don't need to add another rule.

    Of course, if you want to restrict client-to-device access permission,
    then add a rule to allow access to the DNS ports (tcp/udp port 53) on the USG.


  • kelmi
    kelmi Posts: 29  Freshman Member
    Sorry, I'm not so educated with IP stuff. Why is the User Defined Mapped IP address in the above example 192.168.1.1? Why not the USG LAN1 IP address, if the purpose was to redirect all the queries from LAN1?

    Regards
    Kelmi

  • Ian31
    Ian31 Posts: 174  Master Member
    You are right.  ;)
    I forgot to note that the screenshot was based on my USG setting, in which the LAN1 IP address is 192.168.1.1.
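The two points made in this thread, that the port 53 redirect must sit on top of the NAT table and that the mapped IP is the USG's own LAN1 address (192.168.1.1 in Ian31's screenshot), can be checked with a small first-match NAT model. This is an added illustration, not Zyxel's configuration or code; the rule names, the 192.168.1.0/24 subnet, the client 192.168.1.50 and the shadowing "catch-all" rule pointing at 203.0.113.53 are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Flow:
    proto: str   # "tcp" or "udp"
    src: str     # client address
    dst: str     # resolver the client asked for
    dport: int   # destination port

@dataclass(frozen=True)
class NatRule:
    name: str
    src_net: str                 # source subnet the rule matches
    protos: Tuple[str, ...]      # e.g. ("tcp", "udp")
    dport: Optional[int]         # None matches any destination port
    mapped_ip: str               # where matching traffic is sent instead
    mapped_port: Optional[int]   # None keeps the original port

    def matches(self, f: Flow) -> bool:
        return (f.proto in self.protos
                and ip_address(f.src) in ip_network(self.src_net)
                and (self.dport is None or f.dport == self.dport))

def apply_nat(rules: List[NatRule], flow: Flow) -> Tuple[str, str, int]:
    """First-match evaluation, as a NAT table does: (rule name, new dst, new port)."""
    for r in rules:
        if r.matches(flow):
            return r.name, r.mapped_ip, r.mapped_port or flow.dport
    return "no-nat", flow.dst, flow.dport

# The USG's own LAN1 address is the "Mapped IP": queries land on the USG's resolver.
USG_LAN1 = "192.168.1.1"
DNS_REDIRECT = NatRule("force-dns-to-usg", "192.168.1.0/24", ("tcp", "udp"), 53, USG_LAN1, 53)
# Constructed broader rule; if it comes first it shadows the redirect for port 53 too.
CATCH_ALL = NatRule("lan-to-isp-resolver", "192.168.1.0/24", ("tcp", "udp"), None, "203.0.113.53", None)

def check_ordering(rules: List[NatRule]) -> bool:
    """True when a LAN1 client's query to a public resolver really ends up at the USG."""
    query = Flow("udp", "192.168.1.50", "8.8.8.8", 53)   # constructed sample flow
    _, dst, port = apply_nat(rules, query)
    return dst == USG_LAN1 and port == 53

if __name__ == "__main__":
    print("redirect first :", check_ordering([DNS_REDIRECT, CATCH_ALL]))   # True
    print("redirect second:", check_ordering([CATCH_ALL, DNS_REDIRECT]))   # False
```

A port 53 redirect only catches plain DNS; clients using DNS over TLS (853) or DNS over HTTPS (443) are not covered by this rule, so a separate policy is needed if those must also be kept on the USG resolver.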
