Meraki

Community

Blocking DNS to other than Umbrella

Matt_P68
Comes here often
‎Oct 17 2023 9:53 AM
‎Oct 17 2023 9:53 AM

Blocking DNS to other than Umbrella

Trying to block all DNS queries to DNS Servers other than Umbrella.  Here are my rules, but I'm still able to change my DNS server and get to the internet. What needs corrected? TIA

 

outbound rules.png

 

0 Kudos
8 Replies 8
alemabrahao
Kind of a big deal
Kind of a big deal
‎Oct 17 2023 10:09 AM
‎Oct 17 2023 10:09 AM

Have you checked DNS over HTTPS?

https://www.currentware.com/blog/dns-over-https-how-to-stop-users-from-bypassing-your-web-filter/

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
RaphaelL
Kind of a big deal
Kind of a big deal
‎Oct 17 2023 10:19 AM
‎Oct 17 2023 10:19 AM

Like Alemabrahao said , it might not be on UDP/TCP port 53.  

 

You should run a packet capture. 

 

Do you have other rules below ? Like  allow any any ?

0 Kudos
In response to RaphaelL
Matt_P68
Comes here often
‎Oct 17 2023 12:05 PM
‎Oct 17 2023 12:05 PM

these are the rule changes suggested by Umbrella: 

 

Essentially, add the following filter or rule to the firewall that is at the edge of the network:
  • ALLOW TCP/UDP IN/OUT to 208.67.222.222 or 208.67.220.220 on Port 53
  • BLOCK TCP/UDP IN/OUT all IP addresses on Port 53 

I have an Allow all rule at the end of the rule list, but these should take precedence, I believe.

0 Kudos
In response to Matt_P68
BlakeRichardson
Kind of a big deal
Kind of a big deal
‎Oct 17 2023 12:51 PM
‎Oct 17 2023 12:51 PM

It could be DNS via HTTPS as mentioned already. Have you run a packet capture as @RaphaelL suggested?

 

DNS via HTTPS doesn't use port 53 it uses the conventional port of 443 so you need to know if it is this. 

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
0 Kudos
In response to BlakeRichardson
Matt_P68
Comes here often
‎Oct 17 2023 1:00 PM
‎Oct 17 2023 1:00 PM

i'll run packet capture, but all I've done is change my DNS server IP on my pc to 8.8.8.8 and it's bypassing umbrella.

0 Kudos
In response to Matt_P68
ww
Kind of a big deal
Kind of a big deal
‎Oct 17 2023 1:33 PM
‎Oct 17 2023 1:33 PM

Most browsers  do not use port53 anymore for dns.

So you would need to use the content filter(is u have  adv sec license) to block category doh/dot

0 Kudos
In response to Matt_P68
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Oct 17 2023 1:37 PM
‎Oct 17 2023 1:37 PM

>i'll run packet capture, but all I've done is change my DNS server IP on my pc to 8.8.8.8 and it's bypassing umbrella.

 

That's because the browser is not using the DNS configured on your computer when it uses DNS over HTTPS.

 

If you have Active Directory or Intune you can create a group policy to disable DNS over HTTPS.

https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Edge::DnsOverHttpsMode 

You need a policy for each browser you allow in your environment.

 

If you have unmanaged machines then you can disable DNS over HTTPS on each machine individually inside of each browser supported.

 

You can also block it on your MX.  I think the category you need to block is "proxies and other anonimyzers".

0 Kudos
CptnCrnch
Kind of a big deal
Kind of a big deal
‎Oct 18 2023 2:05 AM
‎Oct 18 2023 2:05 AM

Take a look at https://support.umbrella.com/hc/en-us/articles/230904088-Preventing-circumvention-of-Cisco-Umbrella-...

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.