Ubiquiti EdgeRouter DNS Security & Content Filtering – Block Ransomware, Botnets, Phishing and Inappropriate Content

Home Networking, Technology | 16 Comments

This tutorial explains how to lock down the EdgeRouter DNS configuration and force all LAN client requests to a DNS security & content filtering service to block ransomware, malware, botnets, phishing domains and enforce content filters for inappropriate websites.

DNS Security & Content Filtering Benefits

DNS is used by ransomware, exploit kits and botnets to find the IP address of the Command & Control (C&C or C2) servers to receive instructions and upload stolen data. Phishing uses DNS to resolve the IP address of a look-alike website to steal your login credentials. Content filtering blocks web sites that may be inappropriate for school, work or might be illegal such as adult content, gambling, piracy, etc.

Most users don’t realize their home router automatically obtains the DNS servers from their Internet Service Provider (ISP) which only provides basic DNS security in the spirit of an open Internet. Savvy users may manually configure the router to use Google or OpenDNS which do a good job blocking malicious sites and/or provide content filtering.

Enterprise DNS services – meaning a paid subscription is required – are focused on the business market and provide more security, finer control, analytics, notifications and reporting. Notifications are valuable Indicators of Compromise because they can tell you which device in your network – including its MAC address – is at risk so you can take corrective action. Examples of enterprise DNS security services in alphabetical order are:

A review of personal and enterprise DNS services is outside the scope of this article.


The following EdgeRouter DNS configuration lock down is applicable to any DNS service; just specify the DNS server IP addresses of your choice.

The EdgeRouter Lite is configured as the DNS and DHCP server for my Small Office/Home Office (SOHO) network. Well-behaved LAN clients are automatically configured via DHCP with the EdgeRouter DNS IP address of

Ubiquiti EdgeRouter Lite Network Diagram


EdgeRouter DNS Destination NAT (DNAT) Rule

A LAN to WAN Destination NAT (DNAT) rule is configured to rewrite any rogue DNS queries to my preferred DNS server IP addresses, represented by aaa.bbb.ccc.ddd and eee.fff.ggg.hhh:

Ubiquiti EdgeRouter DNS Security and Content Filtering Configuration Diagram


Suppose a LAN client is infected with malware, or the user hard coded something other than my preferred DNS servers. The EdgeRouter DNAT rule will translate the rogue DNS server IP address to the EdgeRouter IP. The EdgeRouter then forwards the DNS query to the preferred DNS servers at aaa.bbb.ccc.ddd or eee.fff.ggg.hhh.

The DNS DNAT rule CLI commands are:

set service nat rule 10 description 'Policy DNAT: Force LAN DNS Requests to Router'
set service nat rule 10 inbound-interface eth1
set service nat rule 10 destination address !
set service nat rule 10 destination port 53
set service nat rule 10 inside-address address
set service nat rule 10 protocol tcp_udp
set service nat rule 10 type destination
set service nat rule 10 log enable

and in pretty print mode:

ubnt@ubnt# show service nat rule 10
 rule 10 {
     description "Policy DNAT: Force LAN DNS Requests to Router"
     destination {
         address !
         port 53
     inbound-interface eth1
     inside-address {
     log enable
     protocol tcp_udp
     type destination

The DNAT rule operates as follows:

  • Eth1 is the LAN interface.
  • Match inbound traffic to port 53 (DNS) whose destination is not the EdgeRouter itself, using the ! (not) operator: !
  • inside-address rewrites the destination IP address (the rogue DNS server) to the router IP
  • Enable logging so I can investigate rogue devices by checking /var/log/messages. Use “log disable” if you don’t want logging.
  • DNS uses both TCP and UDP, so match both protocols.

Change the NAT Rule # to something that doesn’t conflict with your existing rules and the router IP address to match yours.

Additional EdgeRouter DNS and DHCP Configuration Requirements

The following dependencies may already be implemented in your basic router configuration and are included here for completeness.

The EdgeRouter Internet DNS name servers configuration commands are:

set system name-server aaa.bbb.ccc.ddd  <-- put the real DNS server IP here
set system name-server eee.fff.ggg.hhh  <-- put the real DNS server IP here

Repeat the above command if you have additional DNS server IPs.

The “no-update” option is needed to prevent the EdgeRouter from adding my ISP’s DNS servers to the list:

set interfaces ethernet eth0 dhcp-options name-server no-update

The EdgeRouter must forward DNS queries from the LAN to the WAN, otherwise the client queries will fail:

set service dns forwarding listen-on eth1

If eth2 is serving another LAN network, configure forwarding for it too.

I have six VLANs, so forwarding must be configured for each of them. Change the following interfaces to match yours. Skip these commands if you don’t have VLANs:

set service dns forwarding listen-on eth1.10
set service dns forwarding listen-on eth1.20
set service dns forwarding listen-on eth1.30
set service dns forwarding listen-on eth1.40
set service dns forwarding listen-on eth1.50
set service dns forwarding listen-on eth1.60

Destination NAT (DNAT) Rule Testing

I hard coded my Windows PC to use Google DNS servers to simulate a rogue client, then opened a web browser and surfed the web while monitoring the NAT translations from the EdgeRouter CLI. Google DNS ( and queries are remapped to the EdgeRouter IP at

ubnt@ubnt:~$ show nat translations destination monitor
Type control-C to quit
Pre-NAT   Post-NAT    Type   Prot   Timeout   Type
                      dnat   udp    30        new
                      dnat   udp    30        update
                      dnat   udp    30        new
                      dnat   udp    30        update
                      dnat   udp    30        new
                      dnat   udp    30        update
                      dnat   udp    30        new
                      dnat   udp    30        new
                      dnat   udp    30        update
                      dnat   udp    30        update
                      dnat   udp              destroy
                      dnat   udp              destroy
                      dnat   udp              destroy

Checking the log shows the DNAT rule firing and the MAC address of the offending client:

ubnt@ubnt:~$ tail -n 100 /var/log/messages
[NAT-10-DNAT] IN=eth1 OUT= MAC=dc:**:**:........:**:00 SRC= DST= LEN=69 TOS=0x00 PREC=0x00 TTL=128 ID=23998 PROTO=UDP SPT=58437 DPT=53 LEN=49
[NAT-10-DNAT] IN=eth1 OUT= MAC=dc:**:**:........:**:00 SRC= DST= LEN=66 TOS=0x00 PREC=0x00 TTL=128 ID=20109 PROTO=UDP SPT=49378 DPT=53 LEN=46
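To turn those log entries into a per-device list of rogue DNS clients, here is an added example (not part of the original tutorial) that parses constructed lines in the same [NAT-10-DNAT] format. It relies on one detail of netfilter logging: the MAC= field is 14 octets, the destination MAC (the router), then the source MAC (the LAN client), then the EtherType, so the client’s MAC is the second group of six. The sample addresses are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the EdgeRouter /var/log/messages format shown above.
# MAC= field layout: dst MAC (router) : src MAC (client) : EtherType (08:00 = IPv4).
SAMPLE_LOG = """\
Jun 23 13:06:10 ubnt kernel: [NAT-10-DNAT] IN=eth1 OUT= MAC=dc:9f:db:00:00:01:b8:27:eb:11:22:33:08:00 SRC=192.168.1.50 DST=8.8.8.8 LEN=69 TOS=0x00 PREC=0x00 TTL=128 ID=23998 PROTO=UDP SPT=58437 DPT=53 LEN=49
Jun 23 13:06:11 ubnt kernel: [NAT-10-DNAT] IN=eth1 OUT= MAC=dc:9f:db:00:00:01:b8:27:eb:11:22:33:08:00 SRC=192.168.1.50 DST=8.8.4.4 LEN=66 TOS=0x00 PREC=0x00 TTL=128 ID=20109 PROTO=UDP SPT=49378 DPT=53 LEN=46
Jun 23 13:06:12 ubnt kernel: [NAT-10-DNAT] IN=eth1 OUT= MAC=dc:9f:db:00:00:01:3c:22:fb:aa:bb:cc:08:00 SRC=192.168.1.77 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=TCP SPT=51000 DPT=53 LEN=40
Jun 23 13:06:13 ubnt kernel: [WAN_IN-default-D] IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP SPT=4444 DPT=22
"""

# Only lines logged by a DNAT rule are of interest; other firewall logs are skipped.
LOG_RE = re.compile(
    r"\[NAT-(?P<rule>\d+)-DNAT\].*?MAC=(?P<mac>\S+).*?SRC=(?P<src>\S+).*?DST=(?P<dst>\S+)"
    r".*?PROTO=(?P<proto>\S+).*?DPT=(?P<dpt>\d+)"
)

def client_mac(mac_field):
    """Return the source (LAN client) MAC from the 14-octet netfilter MAC= field."""
    octets = mac_field.split(":")
    if len(octets) < 12:
        return mac_field  # unexpected shape; hand back the raw value
    return ":".join(octets[6:12])

def rogue_dns_clients(log_text, rule=10):
    """Summarise DNS queries caught by the given DNAT rule number.

    Returns {client_mac: {"src": ip, "queries": n, "resolvers": Counter({dst: n})}}.
    """
    report = defaultdict(lambda: {"src": None, "queries": 0, "resolvers": Counter()})
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or int(m["rule"]) != rule or m["dpt"] != "53":
            continue
        entry = report[client_mac(m["mac"])]
        entry["src"] = m["src"]
        entry["queries"] += 1
        entry["resolvers"][m["dst"]] += 1  # which resolver the client tried to reach
    return dict(report)

if __name__ == "__main__":
    for mac, info in sorted(rogue_dns_clients(SAMPLE_LOG).items()):
        resolvers = ", ".join(f"{ip} x{n}" for ip, n in info["resolvers"].most_common())
        print(f"{mac}  {info['src']:<15} {info['queries']} queries -> {resolvers}")
```

On the router itself the same function can be fed the output of `cat /var/log/messages` to see which MAC addresses keep bypassing the configured resolver.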

Summary statistics show the DNAT Rule 10 was triggered 318 times:

ubnt@ubnt:~$ show nat statistics
rule  count      type  IN        OUT       description
----  ---------- ----  --------  --------  -----------
10    318        DST   eth1      -         Policy DNAT: Force LAN DNS Requests to Router
5010  190607     MASQ  -         eth0      masquerade for WAN

Dnsmasq: add-mac option

Enterprise DNS security services can optionally track and report the MAC address of the device that made a DNS query. That way the service can report which device may be infected with ransomware or malware, or attempted to reach a blocked URL. DNS security services provide an admin configuration page where you can enter known MAC addresses with user-friendly names like “Ubuntu Server 10” or “Bob’s iPhone”.

dnsmasq is a standard component of the EdgeRouter environment and the daemon is already running. The dnsmasq “add-mac” configuration option (“Add requestor’s MAC address to forwarded DNS queries”) includes the LAN device MAC address in the forwarded query.

As of this writing I’m running the latest firmware v1.9.1.1 on my EdgeRouter Lite which includes dnsmasq v2.76:

ubnt@ubnt:~$ /usr/sbin/dnsmasq -v
Dnsmasq version 2.76-1-ubnt2 Copyright (c) 2000-2016 Simon Kelley
Compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify

To view the dnsmasq config file:

ubnt@ubnt:~$ cat /etc/dnsmasq.conf
# autogenerated by vyatta-dns-forwarding.pl on Mon Jun 19 21:00:40 EDT 2017

Because the dnsmasq.conf file is regenerated (overwritten) when DNS changes are made or firmware is upgraded, you shouldn’t edit dnsmasq.conf directly. The best way to configure the “add-mac” option is via the EdgeRouter CLI in configuration mode:

set service dns forwarding options add-mac=text

Because the “add-mac” option is now part of the router config it will survive DNS changes & firmware upgrades:

ubnt@ubnt:~$ cat /etc/dnsmasq.conf
# autogenerated by vyatta-dns-forwarding.pl on Fri Jun 23 13:06:09 EDT 2017

The offending LAN device MAC address now appears in the DNS security service notifications and reports.

DNS Lock Down Circumvention

Locking down the router DNS configuration as shown here will stop most, but not all, attempts to get around DNS security firewalls and content filtering. A user might evade the EdgeRouter DNS DNAT rule with an encrypted VPN tunnel, an app using a DNS over HTTPS API, or DNSCrypt, all of which use port 443 instead of port 53, so the port 53 DNAT rule never sees them. See Definitive Guide to Content Filtering Circumvention: And Lessons Learned in Prevention for more information.

Also see EdgeRouter Lite SOHO Network Firewall Rules for hardening and Ubiquiti EdgeRouter OpenVPN Server-Client Configuration Tutorial for secure remote access.

A follow-up to this tutorial is: Ubiquiti EdgeRouter: How to Enforce Different DNS Servers per VLAN.

Thanks for reading,


Copyright © 2018 HandymanHowTo.com   Reproduction strictly prohibited.


  1. CDr Scowl December 1, 2017 at 12:36 am - Reply

    Hello Bob

    I use a PiHole for ad blocking on my networks. https://pi-hole.net I run it in a VM rather than on a Raspberry Pi. I can confirm it runs very well on the original Raspberry Pi Model B. I just put it in a VM to reduce network device complexity.

    I use your setup above to force DNS queries to my Pi-Hole.

    Thanks again for the excellent instructions!

  2. CDR Scowl December 29, 2017 at 4:14 pm - Reply

    Hi Bob

    Apologies for the late reply. Of course your site is white listed.

    Have you seen this post on the Ubiquiti site?:


  3. cdr Scowl January 4, 2018 at 12:40 pm - Reply

    I saw that implementation, and it looked “older” or less supported. I will use it given the fact you are using it – you certainly know what you are doing. I can follow the scripts he has made and see what is happening.

    Thanks again for your latest config. When I read through it, something comes to mind:

    “Ha ha, the Ukraine. Do you know what the Ukraine is? It’s a sitting duck. A road apple. The Ukraine is weak. It’s feeble. I think it’s time to put the hurt on the Ukraine.”

    Seriously though, I have implemented a modified version of your config. Your blog has been indispensable in setting up my Edgerouter. I had everything set up with some more firewall rules numbered by Tens. Then I enabled eth2 and added more, so now I have to go back and renumber my firewall rules before adding WaterByWind’s implementation. Poor planning on my part.

    I agree with your take on ads and blocking. Some block lists prevent the display of reviews on Amazon, Costco, etc..

    I don’t use uBlock, but I will take a look. I use IoT devices that don’t use those browsers, and ads can cause issues.

    Agreed. I use Norton’s free Connect Safe DNS: Preferred DNS: Alternate DNS: along with DNSSEC.
    Nothing like what you use, but it is something. And as you say adding more layers is better.

    I don’t know what I am missing, but I can’t seem to find a link to see the pricing for Nominum N2 Consumer. I will have to contact them.

    I read the Kaspersky blog daily https://threatpost.com and I will add the last link to my breakfast read.

    • Bob Jackson January 6, 2018 at 10:57 am - Reply

      RE: Ukraine – I feel the same way, but I use a BluRay service that gets updates from an off-shore server.

      Nominum only sells to ISPs. Norton’s Connect Safe should be sufficient.

      Additional breakfast read recommendations:
      * Cisco Talos: https://blog.talosintelligence.com/
      * Krebs on Security: https://krebsonsecurity.com/
      * Fortinet Blog: https://blog.fortinet.com/
      * MalwareBytes Blog: https://blog.malwarebytes.com/
      * The Register: https://www.theregister.co.uk/


      • cdr Scowl January 11, 2018 at 2:32 pm - Reply

        Thanks Bob

        I’m sure you are busy. I appreciate your site and you taking the time to respond and provide help / guidance.

        I used WaterByWind’s setup. It seems to work very well by reviewing the logs. There sure are a lot of people hammering at the router.

        I appreciate the links for reading. I use Malwarebytes on my Windows boxes.

        Re – The Ukraine – I quoted Seinfeld when Kramer and Newman were on a bus playing Risk. Kramer said that to Newman and a Ukrainian smashed their board.

  4. Nicolas March 4, 2018 at 9:13 am - Reply

    Hello, thanks for this tutorial!
    I wish to have 2 VLANs on the EdgeRouter X switch (VLAN 1 for local users and VLAN 10 for guests). I wish to set and force Quad9 DNS for switch0.1 and DNSFilter DNS for switch0.10. I will add the DNS setting in each VLAN’s respective DHCP server. My WAN port will be eth0 behind my ISP router. My question is, which of the DNS settings should I add to the system name server? Or should I just set the system name server to for the EdgeRouter to listen to itself?

    • Bob Jackson March 5, 2018 at 7:23 pm - Reply

      Configuring unique DNS resolvers per VLAN is easy enough in the GUI via Services -> [select a VLAN] -> Actions -> View Details and input the public DNS resolver IP addresses for Quad9 or DNSFilter.

      Configuring a DNAT rule per VLAN ID or something similar to force rogue client queries to the DNS firewall IP address will require more research. The challenge is the DNAT rule command supports address ranges but not non-sequential IPs. Something like an address-group is needed.

      I’ll get back to you this weekend after I’ve verified a solution on my EdgeRouter.

  5. sandy September 5, 2018 at 11:02 pm - Reply

    What software tool did you use to create the first diagram shown?

    • Bob Jackson September 6, 2018 at 6:18 pm - Reply

      Microsoft Visio. See the project intro and search for references to Visio in the article and reader comments.

      • sandy September 7, 2018 at 11:05 am - Reply

        Thanks so much! I hadn’t seen the intro, this is a great help to me.
