Is there any way to prevent clients from changing the DNS servers on their side?

Is there any way to prevent clients from changing the DNS servers on their side?

Is there any way to prevent clients from changing the DNS servers on their side?
Is there any way to prevent clients from changing the DNS servers on their side?
2024-05-08 13:14:57 - last edited 2024-05-08 13:20:54
Model: OC200  
Hardware Version: V1
Firmware Version: Latest

Is there any way to prevent clients from changing the DNS Servers on their side?

 

CONTEXT:

I am running an AdGuardHome DNS server. All my adblocking and filtering are done in AdGuardHome.

If some "techy" or IT client connects to my network and want to bypass all DNS-level filtering I've configured, then they can just change their DNS servers on their individual devices to any public DNS such as 1.1.1.1.

 

WHAT I WANT TO ACHIEVE:

I want all traffic will pass through my AdGuardHome DNS server, and whoever changes the DNS servers on their side to anything but my AGH DNS servers will lose internet connection.

 

Is this possible in the ACLs?

 

  0      
  0      
#1
Options
5 Reply
Re:Is there any way to prevent clients from changing the DNS servers on their side?
2024-05-08 13:44:52

  @ceejaybassist 

 

block port 53 from LAN to WAN, and allow adguard server only in router ACL

 

  0  
  0  
#2
Options
Re:Is there any way to prevent clients from changing the DNS servers on their side?
2024-05-08 13:46:33 - last edited 2024-05-08 13:49:08

  @MR.S 

Where should I configure the ACL?

Gateway, Switch, or EAP?

And what order should the ACLs be?

Block first, then allow.

Or allow first, then block?

  0  
  0  
#3
Options
Re:Is there any way to prevent clients from changing the DNS servers on their side?
2024-05-08 14:19:02

  @ceejaybassist 

 

router ACL, allow roule first then block to deny everything else.

 

  0  
  0  
#4
Options
Re:Is there any way to prevent clients from changing the DNS servers on their side?
2024-05-09 00:17:18

  @MR.S 

I tried this, but it is also blocking DoH and DoT in my uplink DNS in AGH.

  0  
  0  
#5
Options
Re:Is there any way to prevent clients from changing the DNS servers on their side?
2024-05-09 06:06:43

  @ceejaybassist 

 

You have to allow AGH. crate a LAN to WAN ACL before block roule and allow AGH 

  1  
  1  
#6
Options