Restrict DNS lookups to specified DNS servers

  • Question
  • Updated 4 years ago
  • Answered
How can I use a firewall policy to restrict DNS lookups to specific DNS servers? I have done this before on my home firewall and works great, but I can't seem to get it working with the Aerohive firewall policy. I have defined a From-Access policy with 2 DNS servers defined with a permit action. The default action is deny, but if I manually set a different DNS server on the client, DNS lookups still work.

dreadirester

Posted 4 years ago


J. Goodnough, Champ
Can you post a screenshot of your firewall setup screen?

Carsten Buchenau, Champ
You want to define a To-Access policy, allow UDP destination port 53 for both your trusted DNS servers, and then deny all traffic with UDP destination port 53.

Otherwise you are matching on the source IP address, which is your local subnet...

Carsten Buchenau, Champ
Excuses, "From-Policy" was correct.

"From-access" policies apply to traffic from wireless or wired clients to the AP.
"To-access" policies apply to traffic from the AP to wireless or wired clients.

Thanks Eastman for clarifying this!

dreadirester
For sure. This is what I am using for my From-Access policy.

dreadirester
I have tried using the same policy for both To and From Access, and I was still able to get DNS lookups from an alternate DNS server.

J. Goodnough, Champ
You aren't blocking any DNS traffic to DNS servers outside the private network; you'd want to add any/any/service=DNS/deny after your two DNS permits.

J. Goodnough, Champ
Typically in a firewall configuration you want to end with a deny all policy anyway.

dreadirester
I tried putting a deny all policy at the end, and that didn't seem to do anything either. I figured with the default action set to deny this would accomplish the same thing.

Carsten Buchenau, Champ
It should... can you add a "any - any - DNS - deny" rule right after rule 8 and see what happens?

And I am curious... do your other deny rules work?

dreadirester
I can add the rule, but it will take me a day or so to free up the time to get over to the site to test. I didn't test the other rules.

Eastman Rivai, Official Rep
Looking at your rules, 192.168.0.0/255.255.0.0 is currently allowed to access any network services (this will include DNS).

Also like the rest have mentioned you need to insert any-any-DNS-deny rule after the allowed DNS rules.

Your default user profile's f/w rule should also be configured as deny all; otherwise network services or applications that do not match the rule will be allowed.

Some explanation about the firewall direction:

"From-access" policies apply to traffic from wireless or wired clients to the AP.
"To-access" policies apply to traffic from the AP to wireless or wired clients.

To control the traffic initiated by a client you will only need to assign the rule to "From-access".
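As an added illustration of the ordering point made in this answer (not code from the thread or from Aerohive): a small first-match evaluator run over a constructed rule table, showing why the broad 192.168.0.0/16 "any service" allow swallows DNS to a rogue resolver before the deny is ever reached, and how the corrected ordering behaves. The resolver, client and rogue resolver addresses are assumed sample values.

```python
from ipaddress import ip_address, ip_network

# Constructed rule table mirroring the thread. A rule is
# (source network, destination network, service, action). The policy is
# walked top to bottom, the first match wins, and a flow matching nothing
# gets the user profile's default action.
DNS_A, DNS_B = "192.168.1.10/32", "192.168.1.11/32"  # assumed trusted resolvers
CLIENT, ROGUE_DNS = "192.168.10.20", "203.0.113.53"  # constructed sample flow


def first_match(rules, src, dst, service, default="deny"):
    """Return (rule index, action) for the first matching rule, or
    (None, default) when no rule matches."""
    for idx, (src_net, dst_net, svc, action) in enumerate(rules):
        if (ip_address(src) in ip_network(src_net)
                and ip_address(dst) in ip_network(dst_net)
                and svc in (service, "any")):
            return idx, action
    return None, default


# As posted: the private range may reach any service, so rule 0 already
# permits DNS to a rogue resolver and the later rules never see the flow.
AS_POSTED = [
    ("192.168.0.0/16", "0.0.0.0/0", "any", "permit"),
    ("192.168.0.0/16", DNS_A, "dns", "permit"),
    ("192.168.0.0/16", DNS_B, "dns", "permit"),
    ("0.0.0.0/0", "0.0.0.0/0", "dns", "deny"),
]

# Corrected ordering: trusted-resolver permits, then any-any-DNS deny, then
# the broad allow for the remaining services; the default action stays deny.
CORRECTED = [
    ("192.168.0.0/16", DNS_A, "dns", "permit"),
    ("192.168.0.0/16", DNS_B, "dns", "permit"),
    ("0.0.0.0/0", "0.0.0.0/0", "dns", "deny"),
    ("192.168.0.0/16", "0.0.0.0/0", "any", "permit"),
]

if __name__ == "__main__":
    for name, rules in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        idx, action = first_match(rules, CLIENT, ROGUE_DNS, "dns")
        print(f"{name}: DNS from {CLIENT} to {ROGUE_DNS} -> {action} (rule {idx})")
```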

Carsten Buchenau, Champ
Yes, you are right, from-access would be correct in this case. Thanks for clarifying.

dreadirester
Thanks. I'll give this a test as soon as I can get back over to the site.