Holidays are nice when you want to try something new.
In my case, I wanted to install a Pi-Hole.
If you have never heard of Pi-Hole, it's a DNS sinkhole that protects your devices from unwanted content, without installing any client-side software.
This post isn't a how-to on installing/configuring/... the thing.
Here we'll see how to create firewall rules on the Dream Machine Pro to refuse all DNS queries except those going to the Pi-Hole.
The first thing to do is to create two groups in the firewall settings.
One specifies the DNS port to block (53) and the other contains the IP addresses that are allowed to receive DNS queries (the Pi-Hole address and maybe some other DNS addresses).
I use groups so that I can add or remove addresses or ports as I wish.
First group
- Name: DNS Port
- Type: Port
- Port value: 53
Second group
- Name: DNS to Accept
- Type: Address IPV4
- Address: the address of your Pi-Hole and maybe some other public DNS addresses
When that's done, we need to create two firewall rules. One to block all outbound traffic to port 53, and another to accept outbound traffic to port 53 only for the addresses we trust.
First rule
- Name: Accept DNS Group
- Rule applied: Before predefined rules
- Action: Accept
- Source Type: Address/Port group
- Source IPv4 Address Group: Any
- Source Port Group: Any
- Destination Type: Address/Port group
- Destination IPv4 Address Group: DNS to Accept (the second group we created)
- Destination Port Group: DNS Port (the first group we created)
Second rule
- Name: Drop other DNS
- Rule applied: Before predefined rules
- Action: Drop
- Source Type: Address/Port group
- Source IPv4 Address Group: Any
- Source Port Group: Any
- Destination Type: Address/Port group
- Destination IPv4 Address Group: Any
- Destination Port Group: DNS Port (the first group we created)
With these rules, the devices connected to our LAN will only use the DNS we trust, and if malware tries to bypass our DNS, it will be blocked by the second firewall rule.
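To see why the Accept rule has to sit above the Drop rule, here is an added Python model of the two groups and two rules evaluated first-match, the way the rule list works. This is my own example, not code from the original post or from Ubiquiti; the Pi-Hole address 192.168.1.53 and the sample flows are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample value: the Pi-Hole's LAN address (an assumption, not from the post).
PIHOLE_IP = "192.168.1.53"

# The two firewall groups from the post: one port group and one IPv4 address group.
GROUPS = {
    "DNS Port": {53},
    "DNS to Accept": [ipaddress.ip_network(PIHOLE_IP)],
}

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                    # "accept" or "drop"
    dst_addr_group: Optional[str]  # None means "Any"
    dst_port_group: Optional[str]  # None means "Any"

# The two rules, in the order they must appear in the "Before predefined rules" list.
RULES = [
    Rule("Accept DNS Group", "accept", "DNS to Accept", "DNS Port"),
    Rule("Drop other DNS", "drop", None, "DNS Port"),
]

def _addr_in_group(addr: str, group: Optional[str]) -> bool:
    if group is None:
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in GROUPS[group])

def _port_in_group(port: int, group: Optional[str]) -> bool:
    return group is None or port in GROUPS[group]

def evaluate(dst_ip: str, dst_port: int, rules=RULES) -> str:
    """First-match evaluation: return the action of the first rule that matches
    the destination, or 'default' when no custom rule matched."""
    for rule in rules:
        if _addr_in_group(dst_ip, rule.dst_addr_group) and _port_in_group(dst_port, rule.dst_port_group):
            return rule.action
    return "default"

if __name__ == "__main__":
    # Constructed sample flows from a LAN client: Pi-Hole, a public resolver, HTTPS, DNS-over-TLS.
    for ip, port in [(PIHOLE_IP, 53), ("8.8.8.8", 53), ("8.8.8.8", 443), ("8.8.8.8", 853)]:
        print(f"{ip}:{port} -> {evaluate(ip, port)}")
    # Same two rules in the wrong order: the query to the Pi-Hole itself is dropped.
    print("reversed order:", evaluate(PIHOLE_IP, 53, rules=RULES[::-1]))
```

Running it also shows that a query to 8.8.8.8 on port 853 falls through to the default rules, because only port 53 is in the port group.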