Redirect DNS Traffic to Loopback address OpenDNS

caytos1989
Level 1

Hello all,

I have a Catalyst 3560 as my core with multiple VLANs, then it goes through an ASA 5510, and after that it goes through a Router 3945.

My router is acting as a DNS server, which then forwards it to OpenDNS Servers.

My DHCP pools in my Catalyst 3560 give out my router's loopback address as the DNS server for ALL my clients.

Now my problem is that I have some tech-geek clients, and all they do is change their DNS server to ANY DNS server on the web, and then they have access to all blocked sites...

I need a way to redirect ALL DNS traffic to MY loopback address on my router... now I tried implementing PBR on my Catalyst, but I didn't find the ip policy route-map command under the interfaces....

I don't think it can be done on my ASA...

And I did this on my router, but it didn't work... it cut off my internet connection:

! Turn the router into a DNS server/forwarder for the LAN
ip dns server

! Upstream resolvers the router forwards to (OpenDNS)
ip name-server 208.67.222.222
ip name-server 208.67.220.220

! Match all DNS traffic, TCP and UDP port 53
ip access-list extended DNS
 permit tcp any any eq domain
 permit udp any any eq domain

! PBR: send anything that matches the DNS ACL to the loopback as next hop
route-map DNS permit 10
 match ip address DNS
 set ip next-hop 172.16.64.36

and applied it to my interface facing my LAN.

1 Reply

rtjensen4
Level 4

You could save yourself the hassle and just block all DNS traffic that's not destined for your router's loopback. This can be done at pretty much any point in your network, either on the 3560, the ASA or the internet router. This would ensure that, no matter what, your users have to abide by your policy. If your internet router goes down and can't act as a DNS server, you won't have internet anyway (unless you have a redundant connection).
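Here is what the "block everything except DNS to the loopback" approach from the reply looks like as an inbound ACL on the 3560, as an added example and not configuration posted in the thread. It assumes 172.16.64.36 (the next hop in the original post) is the router's loopback and that the client VLAN's SVI is Vlan10; both are assumptions.

```cisco
! Constructed example, not from the thread.
! Assumes: router loopback = 172.16.64.36, client SVI = Vlan10.
ip access-list extended DNS-POLICY
 remark DNS is only allowed to the router's loopback (UDP and TCP 53)
 permit udp any host 172.16.64.36 eq domain
 permit tcp any host 172.16.64.36 eq domain
 remark Drop DNS to any other resolver; log hits to see who changed their settings
 deny   udp any any eq domain log
 deny   tcp any any eq domain log
 remark Everything else stays as before
 permit ip any any
!
interface Vlan10
 description Client VLAN - enforce DNS policy on ingress
 ip access-group DNS-POLICY in
```

"show access-lists DNS-POLICY" shows the hit counters on the deny lines, which tells you how many clients are trying to bypass the router before you decide whether to keep the log keyword (logging is CPU-bound on the 3560, so remove it once you have the picture).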