Using OpenDNS and DD-WRT

I was in a situation very much like this guy's, and I needed to block access to other DNS servers from within our company network. Some coworkers are technology-savvy enough to disable the static network configs on their workstations and in effect bypass our web filters.

Here’s what I did on our dd-wrt router:

1. Administration -> Commands (after typing the command below, click on Save Startup)

dnsmasq -S 208.67.222.222 -R -i br0 -p 1054

2. Administration -> Commands (after typing the commands below, click on Save Firewall)

iptables -t nat -A PREROUTING -p udp -i br0 -s 192.168.0.0/24 --dport 53 -j DNAT --to $(nvram get lan_ipaddr):1054
iptables -t nat -A PREROUTING -p tcp -i br0 -s 192.168.0.0/24 --dport 53 -j DNAT --to $(nvram get lan_ipaddr):1054
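The two steps above can be kept together as one small script, shown here as an added example (not part of the original post or of dd-wrt). It builds the same startup line and the same pair of DNAT rules from a few variables, so the subnet, bridge interface and listening port only have to be changed in one place; it also refuses to apply anything unless it is running as root with iptables present, and prints the rules instead. The fallback address 192.168.0.1 and the `LAN_IP` override are assumptions for running it off the router; on dd-wrt the address comes from `nvram get lan_ipaddr` as in the post. Note that both rules only catch plain port-53 traffic from the LAN, so the TCP rule is not optional: resolvers retry over TCP for large answers.

```shell
#!/bin/sh
# Added example, not from the original post: the dnsmasq startup line and the
# DNAT redirect from the post, generated from variables and applied only when safe.

LAN_IF="${LAN_IF:-br0}"                 # dd-wrt LAN bridge (as in the post)
LAN_NET="${LAN_NET:-192.168.0.0/24}"    # clients whose DNS is forced through the router
DNS_PORT="${DNS_PORT:-1054}"            # port dnsmasq listens on (matches the startup command)
UPSTREAM="${UPSTREAM:-208.67.222.222}"  # OpenDNS resolver from the post

# Router LAN address: from nvram on dd-wrt; LAN_IP overrides it for testing elsewhere.
lan_ip() {
    if [ -n "$LAN_IP" ]; then
        printf '%s\n' "$LAN_IP"
    elif command -v nvram >/dev/null 2>&1; then
        nvram get lan_ipaddr
    else
        printf '%s\n' "192.168.0.1"     # constructed fallback for demonstration only
    fi
}

# Step 1 of the post: dnsmasq forwarding to the upstream, ignoring resolv.conf (-R),
# bound to the LAN bridge (-i) and listening on the alternate port (-p).
dnsmasq_startup_cmd() {
    printf 'dnsmasq -S %s -R -i %s -p %s\n' "$UPSTREAM" "$LAN_IF" "$DNS_PORT"
}

# Step 2 of the post: one PREROUTING DNAT rule per transport. TCP matters too,
# since clients fall back to TCP when a UDP answer is truncated.
dns_redirect_rules() {
    ip="$(lan_ip)"
    for proto in udp tcp; do
        printf 'iptables -t nat -A PREROUTING -p %s -i %s -s %s --dport 53 -j DNAT --to %s:%s\n' \
            "$proto" "$LAN_IF" "$LAN_NET" "$ip" "$DNS_PORT"
    done
}

# Number of rules that would be emitted; a quick sanity check before Save Firewall.
dns_rule_count() {
    dns_redirect_rules | wc -l | tr -d ' '
}

# Apply the rules only when running as root on a box that actually has iptables;
# otherwise print them and return non-zero so a caller can tell nothing changed.
apply_dns_redirect() {
    if [ "$(id -u)" -ne 0 ] || ! command -v iptables >/dev/null 2>&1; then
        echo "not root or iptables missing; rules that would be applied:" >&2
        dns_redirect_rules >&2
        return 1
    fi
    dns_redirect_rules | while read -r rule; do
        eval "$rule"
    done
}

# Show what would go into the Startup and Firewall boxes.
echo "# Startup:"
dnsmasq_startup_cmd
echo "# Firewall:"
dns_redirect_rules
```

After saving both scripts, a quick check from a workstation is to point a lookup at any outside resolver (for example with `nslookup example.com 1.1.1.1`): if the redirect works, the answer still arrives but is served by the router's dnsmasq rather than the address you asked.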

3 Comments

  1. foo says:

    Your plan sounds idiotic. Let folks use what they want.

  2. Thanks for dropping by foo, really appreciate it. But as long as you're not paying my salary, I'm blocking them.

  3. bassmadrigal says:

    Just so you know, you can do this with a lot less of a command.

    iptables -I FORWARD 1 -p tcp --dport 53 -j DROP; iptables -I FORWARD 2 -p udp --dport 53 -j DROP

    I did a blog post on this back in August. Basically as far as I understood, all you had to do was block port 53 through the router. This would block all external nameserver queries.

    More info here:
    http://bassmadrigal.com/blog/2008/08/17/disabling-secondary-dns-server-in-dd-wrt-for-opendns/
