diff --git a/roles/firewall/templates/firewall.j2 b/roles/firewall/templates/firewall.j2
index 3787b0d..997fca1 100644
--- a/roles/firewall/templates/firewall.j2
+++ b/roles/firewall/templates/firewall.j2
@@ -570,6 +570,17 @@ config rule
 option dest_port '21 10100-10110'
 option target 'ACCEPT'
 
+## LAN Rules
+# Block DNS redirector
+{% for ip in ['1.1.1.1', '1.0.0.1'] %}
+config rule
+ option name 'Deny-OUTPUT-DNS-{{ ip }}'
+ option src 'lan'
+ option dest 'wan'
+ option dest_ip '{{ ip }}'
+ option target 'REJECT'
+{% endfor %}
+
 ## Default configuration
 config defaults
 option syn_flood '1'
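Review bot: The added `config rule` block has no `proto` or `dest_port`, so the match is not limited to DNS: it rejects LAN-to-WAN traffic to 1.1.1.1 and 1.0.0.1 on every port the default protocol match covers, while the name `Deny-OUTPUT-DNS-…` and the comment describe a DNS block. If only plain DNS and DNS-over-TLS are meant, add `option proto 'tcp udp'` and `option dest_port '53 853'`; if the broad block is deliberate (for example to also stop DNS-over-HTTPS to these addresses), state that in the comment, e.g. `# Reject all LAN traffic to these public resolvers so clients cannot bypass the local DNS`, assuming that is the intent. The rule is a `lan`→`wan` forward rule, so `OUTPUT` in the name is misleading, and traffic originating on the router itself is not covered by it. The list is IPv4-only, so LAN clients with IPv6 connectivity can presumably still reach the same resolver over its IPv6 addresses unless a matching rule is added.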