Redirect all DNS requests to local server

Welcome to the forums. One way to do it (very brute force, but it should work) would be to create virtual IPs for those external DNS servers, and point then to your DNS servers. You know 8.8.8.8 and 8.8.4.4 are Google servers. A VIP policy would take that traffic and send it to your DNS server without them knowing. The only issue here is that you would have to do this with every public DNS server out there. (at least the common ones) Not ideal, but doable. This is my first thought without thinking too deeply. There' s more than likely a couple other ways to get this done as well.

And simpler can' t you just creat a fwpolicy that block DNS request to anything except your local server(s). config firewall policy edit 0 set srcintf " LAN" set dstintf " EXT_NET01" set srcadd " LAN" set dstadd " ANY" set service " DNS" set comments " block deny servers outside of network" next end and make sure to install this at the top of your pecking order and if you need another fwpolicies to allow the lan to another interface, make sure you add that. This would prevent them outside and make them have to use your dhcp-provided servers.

I had to actually set something up like this as a temp solution at one of the remote sites we manage. It seems the customer' s ISP was experiencing DNS issues, and because the site' s 200+ workstations were configured with static IP settings, we had to " hard-code" a temp solution into their fgt. As Robert indicated we set up a VIP with a Source Address Filter that pretty much redirected all port 53 traffic to another IP. (I believe/recall the Fortigate handbook gave something similar -- used in a VPN setup -- with a web server --- redirecting internal port 8080 traffic to port 80 in a DMZ zone.)

Mind you this was like 18 months ago, but when I did the DNS hack for the customer, their IT admin didn' t report any issues except that their Windows 7-based machines reported their connection down but they could still surf. Looking back now-- I am guessing those machines couldn' t reach www.msftncsi.com

imho If you use the VIP approach, you have no way of catching all DNS servers. Make then break DNS lookups and then fix them by having the users use the local-dhcp-server-assigned nameservers. Most proper setup DNS server, will only allow recursive lookup from a trusted network source unless that DNS is open ( i.e our googles dns-server ) Trying to apply a band-aid on top of another band-aid, is not a good approach or best practice. If they are dynamic assigned for ip_addr and name/win server & for a reason, then enforce them to use dynamic assignments.

My sentiments as well. I [would] block all DNS servers except those used by the institution.

I heartily agree. The example I have used was only a temp solution, and was in place for a few hours until the ISP got their act together and fixed their DNS. (Which they didn' t and the long term solution was to install a local DNS server and directed their DNS quires to my company' s own DNS server.) Another good point about locking down DNS is that it prevents individuals from proxying web traffic and/or other non-DNS traffic through that port -- something we have discovered at some of our remote site, were doing.

To put it in simple terms: your LAN - your rules. A DHCP network offers dynamic assignment of the gateway and the DNS both of which are essential. Your users are not debating over the gateway setting, are they? Same applies to the DNS. At home they would have no problems at all leaving the dynamic DNS assignment in place, if set up is correctly. DNS to external servers must be blocked. Tunneling over DNS is a reality, and IMHO in the context of exams it' s something you have to suppress. So you close 2 gaps with one setting.

First of all, thank you for all your suggestions. Fantastic to see some enthusiastic people :) I think i' ll try rwpattersons solutions with virtual IPs. I know it isn' t perfect, but i can begin with Google and OpenDNS' s servers and then see how many others i have to add. Emnoc > I have already blocked all internet connection for the students on the special Exam network. It is only possible to reach my internal print-solution and an online dictionary for which have a static a-record in my DNS and a corresponding opening in the Fortigate firewall. Therefore all the student' s own static DNS' s is blocked by the firewall. As ede_pfau wrote DNS-tunneling is possible if the DNS-port is open and I of course want to prevent that. Many students have those static DNS' s from Google and OpenDNS because the ISPs here in Denmark is forced to block certain pages, such as The Pirate Bay, in their DNS-servers. Regards Anders