Block third party DNS usage by LAN devices?

Some devices ship with hard coded IP addresses for DNS resolvers (Chromecast uses Google Public DNS for example). Is there a practical way to require all LAN devices to use the Omnia’s resolver? I wish to restrict access to third-party DNS resolvers on my LAN.

In my case I’m running Pi-hole, a DNS ad blocker, in a LXC container for DNS lookups on my LAN. Everything should use only this for DNS lookups and I’m not sure of the best way to filter requests from LAN devices directly to IP addresses.

Blocking traffic to known resolvers such as leaves the possibility that devices could use third party resolvers I do not know about. I could block outbound port 53 traffic, but I would have to add an exception for the PI-hole. Is there a superior way?

I’m not concerned about any devices that stop working as a result of this change, all LAN devices must use the DNS resolver I choose.


Add rule to forward port 53 from LAN to pi-hole except pi-hole itself. By this every LAN device using own DNS will be forced to use pi-hole.


Can you please provide an example? Here’s what I have so far:

config 'redirect'
  option 'name' 'pi-hole'
  option 'src' 'lan'
  option 'proto' 'udp'
  option 'src_dport' '53'
  option 'dest_ip' ''
  option 'target' 'DNAT'
  option 'dest' 'wan'
1 Like

It seems OK. Just check if it is working or not.
Or you can do it directly via iptables.

1 Like

I had a situation where i wanted to do the same. Here was my working config:

 config redirect
          option name 'Override hardcoded DNS servers in IoT devices'
          option src 'iot'
          option proto 'tcpudp'
          option src_dport '53'
          option dest_ip ''
          option dest_port '53'

My advantage was that i had a different VLAN for my IoT devices, that you don’t seem to have. But i remember some years ago i tried to configure a transparent HTTP proxy, so that all HTTP traffic except from one device (the proxy host) was redirected to the proxy. I think there was an option where you could negate a dest_ip setting with the help of an exclamation mark. I do not know the actual syntax any more, but this can be googled, i think.

Interesting question. I’d try something like this:

iptables -t nat -A PREROUTING -i eth0 -p udp --dport 53 -j DNAT --to

1 Like

Hmmm. Or:
iptables -t nat -A PREROUTING -i br-lan -p udp --dport 53 -j DNAT --to

1 Like

Yeah, much better :slight_smile:
I was assuming the reader would tweak those parameters. But the concept of the redirect is clear, I think.

1 Like