How to Control DNS on a Network with IPTables and DNAT

Most routers allow you to define the DNS server to be used by all devices on your network via DHCP (Dynamic Host Configuration Protocol). That's what makes it possible to use the CleanBrowsing content filtering service to protect all devices on the network.

While effective, there are instances where a network administrator might want to route all DNS requests to a preferred DNS filter. The use case may vary, from dictating the preferred filtering technology to preventing a user from making local DNS changes.

In these instances, if your router runs Linux, you can SSH into it and use IPTables to apply Destination Network Address Translation (DNAT) and control which DNS server is used on the network.

Control DNS on Network with IPTables & DNAT

With iptables, you can create NAT (network address translation) rules to route all packets destined to a specific port to a different port and/or IP you choose.

For example, let's say a user in your network is doing a manual lookup to 8.8.8.8 (Google's DNS server):

$ dig +short www.google.com @8.8.8.8
142.250.188.4

The response is Google's unfiltered IP address. However, if on that specific desktop you add an output rule to forward all DNS requests to CleanBrowsing, you get a different response:

$ sudo iptables -t nat -I OUTPUT -p udp --dport 53 -j DNAT --to 185.228.168.168:53

$ dig +short www.google.com @8.8.8.8
216.239.38.120

As you can see, you get a different response, pointing to the IP 216.239.38.120, which is Google's SafeSearch address. The reason is that the rule redirects your DNS request to CleanBrowsing's Family filter instead of 8.8.8.8. You can confirm with another DNS lookup:

$ dig +short -t TXT iptest.whois.dnscontest.cleanbrowsing.org
"CleanBrowsing Whois: Datacenter: dns-edge-usa-west-la-c, Destination:185.228.168.168, ClientIP: XXX"

And you can try different DNS servers, but you will always be redirected to CleanBrowsing.

$ dig +short -t TXT iptest.whois.dnscontest.cleanbrowsing.org @8.8.8.8
"CleanBrowsing Whois: Datacenter: dns-edge-usa-west-la-c, Destination:185.228.168.168, ClientIP: XXX"

$ dig +short -t TXT iptest.whois.dnscontest.cleanbrowsing.org @1.1.1.1
"CleanBrowsing Whois: Datacenter: dns-edge-usa-west-la-c, Destination:185.228.168.168, ClientIP: XXX"

That's how many airports and hotels force you to use their DNS.

DNS Forwarding on a Network

The OUTPUT rule above only affects lookups made by the machine it runs on. To apply it to all requests forwarded through the router, add the same rule to the PREROUTING chain:

$ sudo iptables -t nat -I PREROUTING -p udp --dport 53 -j DNAT --to 185.228.168.168:53

I would also recommend applying the same rule to TCP traffic and to port 5353:

$ sudo iptables -t nat -I PREROUTING -p tcp --dport 53 -j DNAT --to 185.228.168.168:53
$ sudo iptables -t nat -I PREROUTING -p udp --dport 5353 -j DNAT --to 185.228.168.168:53

That covers the most common cases. If you are worried about DNS over HTTPS (or DNS over TLS), you can also forward port 853 (used by DoT) and block the most common providers that offer DoH. We will cover blocking DoH in a different article.
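As an added example (not code from this article), here is a small POSIX shell script that generates the PREROUTING and OUTPUT rules described above for a configurable filter address, and checks a dig TXT answer from the CleanBrowsing whois test name to confirm that a lookup sent to 8.8.8.8 really lands on the filter. The DNS_FILTER_IP variable, the function names and the "apply" argument are my own; the filter address defaults to the 185.228.168.168 used on the page.

```shell
#!/bin/sh
# Added example, not code from the article. Assumes a Linux router with iptables and
# dig; 185.228.168.168 is the CleanBrowsing Family filter address used on the page.
DNS_FILTER_IP="${DNS_FILTER_IP:-185.228.168.168}"

# Print the nat-table rules that force plain DNS to $DNS_FILTER_IP for chain $1:
# PREROUTING covers forwarded LAN clients, OUTPUT covers the router's own lookups.
# Ports follow the article: UDP/TCP 53 and UDP 5353 (DoT/DoH are not covered here).
dns_rules() {
  chain="$1"
  for spec in "udp 53" "tcp 53" "udp 5353"; do
    set -- $spec   # $1 = protocol, $2 = port
    printf 'iptables -t nat -I %s -p %s --dport %s -j DNAT --to-destination %s:53\n' \
      "$chain" "$1" "$2" "$DNS_FILTER_IP"
  done
}

# Verification: given the TXT answer for iptest.whois.dnscontest.cleanbrowsing.org
# (format shown in the article), succeed only if its Destination is the filter IP.
# A lookup sent to @8.8.8.8 that still names the filter proves the DNAT is working.
dns_redirected() {
  dest=$(printf '%s' "$1" | sed -n 's/.*Destination:\([0-9.]*\).*/\1/p')
  [ -n "$dest" ] && [ "$dest" = "$DNS_FILTER_IP" ]
}

# Install both chains' rules (run as root), then check from the router itself.
apply_and_check() {
  { dns_rules PREROUTING; dns_rules OUTPUT; } | sh -e || return 1
  answer=$(dig +short -t TXT iptest.whois.dnscontest.cleanbrowsing.org @8.8.8.8)
  if dns_redirected "$answer"; then
    echo "OK: DNS is redirected to $DNS_FILTER_IP"
  else
    echo "FAIL: answer was '$answer'" >&2
    return 1
  fi
}

# Dry run by default (prints the rules); "sudo sh dns-dnat.sh apply" installs and verifies.
if [ "${1:-}" = "apply" ]; then apply_and_check; else dns_rules PREROUTING; fi
```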

DNS Filtering w/CleanBrowsing

CleanBrowsing provides a cost-effective DNS-based Content Filtering service that blocks access to unwanted content like malicious sites and online pornography.