Limit DNS requests to only OPEN DNS server - R201

Im offering filtered internet for customers using OPEN DNS or other filtered DNS. I want to create firewall rules for the r201 that will block any DNS requests that dont go to the IP of the OPEN DBS servers. Does anyone know how to do this? Shouldnt be too hard but so far cant get it to work

thanks !


Please allow us to review and reply your query. Shall get back shortly.




There is no option to add this rule  in security/web filter options of UI. We are planning to implement this feature upcoming release .

Please provide your email address to send  the work round  solution .



I can see two ways to do this. 

1) Rules in your network. 

You can redirect any traffic destined for port TCP/UDP 53, and from customers subscribing to your filtered service, to the opendns server. 

2) Rules in your routers

Set the default policy to drop

Rule 1 - LAN port 1-52 TCP/UDP ACCEPT

Rule 2 - LAN port 54-65535 TCP/UDP ACCEPT

Rule 3 - LAN port 53 TCP/UDP destination ip address x.x.x.x ACCEPT

This would effectively drop everything except non-dns traffic and dns traffic destined for the approved ip address. 

We use DHCP so with a bit more thinking i reckon we could do it in a way where all dns traffic destined for outside ip addresses is dropped, but still allow the router itself to dns relay to the dns server addresses defined in the DHCP process, because there are two seperate packets there. 

1) A packet comes in from the LAN and if addressed to the router it should be allowed, but if addressed to an outside ip address it should be dropped. 

2) The dns service inside the router re-creates a totally new packet which with the router being the source, it should be allowed to still talk to an outside dns server since the new packet never came in the lan port. 

The router of course will only relay to the dns server set by dhcp. 

There are still two issues

1) customers would be able to access the router and change the firewall rules unless you block access, and they cant use another router  

2) VPNs can bypass it

You cant really solve the VPNs but i would probably advise not allowing customer access (we dont) or the better way would be doing it in your network rather than at the customer site.