How to force users on the LAN to use a specific DNS server using ARP poisoning

Tags: arp, dns, lan

I'm attempting to force all hosts on my LAN to use a specific DNS server to filter certain material, however I'm running into problems.

I've had problems in the past trying to configure my router's DHCP to assign the desired DNS server to hosts, because some users have simply learned to set their own DNS server (Google's 8.8.8.8, for example) on their computers.

Currently, I have an ARP poisoning script to redirect all traffic from the gateway router to my machine. Meanwhile, I have a second Python script listening for port 53 traffic so I can intercept the DNS lookup packets, modify the destination IP from the original DNS server to the desired DNS server, then send them on towards the new DNS server.

Am I thinking about this the right way?

Is there an easier way to force users onto a certain DNS server?

It seems like I'm not even getting any traffic on my machine for port 53, even though the firewall for that port is open, so I don't even have the chance to view the DNS request packets when a user is trying to resolve a DNS lookup, let alone modify the packet.

It's not as simple as setting up port rules on a router, because this may be implemented on LANs with routers that don't have very sophisticated firewall settings, and also I don't want to always force ALL hosts to use the specified DNS server — I want an option to whitelist certain devices.

I would really appreciate any feedback or help. Thanks!

Note: This was originally posted on the Security Stack Exchange, however it was recommended I ask here as well.

Best Answer

You wouldn't use ARP poisoning; simply create a rule (or rules) in the firewall allowing traffic to the whitelisted DNS server(s), then a rule to deny DNS traffic.

The reason it won't work is, as Zac67 answered in the comments, that ARP is only used on LANs. The DNS server is on a public network.
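The firewall approach the answer recommends, as an added example that is not part of the original question or answer: an nftables ruleset for a Linux box that forwards the LAN's traffic (if it is not the gateway, the forward hook sees nothing, which is the same reason the asker's port 53 listener saw nothing without traffic actually flowing through the host). The resolver addresses, the exempt hosts and the script name are assumptions; the design follows the answer (allow port 53 to the approved servers, refuse it elsewhere) and adds the whitelist set the asker wanted so named devices keep whatever resolver they configured.

```shell
#!/bin/sh
# Added example (not from the original post): enforce a DNS-server policy on a
# Linux gateway with nftables instead of ARP poisoning. Assumptions: this box
# forwards the LAN's traffic, nftables is installed, and the addresses below
# are placeholders for your own network.
set -eu

ALLOWED_DNS="192.0.2.53 192.0.2.54"      # filtering resolvers clients may use
EXEMPT_HOSTS="192.168.1.10 192.168.1.11" # whitelisted LAN devices, left alone

# Turn a space-separated list into an nftables set literal: "a, b".
to_set() {
    printf '%s' "$1" | tr -s ' ' '\n' | paste -sd ',' - | sed 's/,/, /g'
}

# Render the complete ruleset as text; applying it is a separate step so the
# output can be reviewed (or tested) before it touches the kernel.
render_ruleset() {
    cat <<EOF
table inet dns_policy {
    set allowed_dns { type ipv4_addr; elements = { $(to_set "$ALLOWED_DNS") } }
    set exempt_hosts { type ipv4_addr; elements = { $(to_set "$EXEMPT_HOSTS") } }

    chain forward {
        type filter hook forward priority filter; policy accept;

        # Whitelisted devices keep whatever resolver they configured.
        ip saddr @exempt_hosts accept

        # Everyone else may only reach the approved resolvers on port 53.
        ip daddr @allowed_dns udp dport 53 accept
        ip daddr @allowed_dns tcp dport 53 accept

        # Any other plain DNS (e.g. a hard-coded 8.8.8.8) is refused.
        udp dport 53 counter reject
        tcp dport 53 counter reject with tcp reset

        # DNS over TLS has its own port; refuse it so clients fall back to 53.
        tcp dport 853 counter reject with tcp reset
    }
}
EOF
}

# "sh dns_policy.sh apply" loads the table atomically; anything else prints it.
if [ "${1:-}" = "apply" ]; then
    render_ruleset | nft -f -
else
    render_ruleset
fi
```

Two caveats a practitioner would check before relying on this: the rules only bind clients that are actually routed through this host, and they cannot distinguish DNS over HTTPS from ordinary HTTPS on port 443, so a user who switches their browser to a DoH resolver still bypasses the filter. If you would rather be transparent than refuse, the same policy can be expressed as a `dnat to` rule in a prerouting nat chain that rewrites port 53 traffic to the approved resolver, which is what the asker was trying to do with packet rewriting in Python.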
