Blocking DNS to other than Umbrella

Matt_P68
Comes here often

Blocking DNS to other than Umbrella

Trying to block all DNS queries to DNS Servers other than Umbrella.  Here are my rules, but I'm still able to change my DNS server and get to the internet. What needs corrected? TIA

 

outbound rules.png

 

8 Replies 8
alemabrahao
Kind of a big deal
Kind of a big deal

Have you checked DNS over HTTPS?

https://www.currentware.com/blog/dns-over-https-how-to-stop-users-from-bypassing-your-web-filter/

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
RaphaelL
Kind of a big deal
Kind of a big deal

Like Alemabrahao said , it might not be on UDP/TCP port 53.  

 

You should run a packet capture. 

 

Do you have other rules below ? Like  allow any any ?

Matt_P68
Comes here often

these are the rule changes suggested by Umbrella: 

 

Essentially, add the following filter or rule to the firewall that is at the edge of the network:
  • ALLOW TCP/UDP IN/OUT to 208.67.222.222 or 208.67.220.220 on Port 53
  • BLOCK TCP/UDP IN/OUT all IP addresses on Port 53 

I have an Allow all rule at the end of the rule list, but these should take precedence, I believe.

BlakeRichardson
Kind of a big deal
Kind of a big deal

It could be DNS via HTTPS as mentioned already. Have you run a packet capture as @RaphaelL suggested?

 

DNS via HTTPS doesn't use port 53 it uses the conventional port of 443 so you need to know if it is this. 

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
Matt_P68
Comes here often

i'll run packet capture, but all I've done is change my DNS server IP on my pc to 8.8.8.8 and it's bypassing umbrella.

ww
Kind of a big deal
Kind of a big deal

Most browsers  do not use port53 anymore for dns.

So you would need to use the content filter(is u have  adv sec license) to block category doh/dot

PhilipDAth
Kind of a big deal
Kind of a big deal

>i'll run packet capture, but all I've done is change my DNS server IP on my pc to 8.8.8.8 and it's bypassing umbrella.

 

That's because the browser is not using the DNS configured on your computer when it uses DNS over HTTPS.

 

If you have Active Directory or Intune you can create a group policy to disable DNS over HTTPS.

https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Edge::DnsOverHttpsMode 

You need a policy for each browser you allow in your environment.

 

If you have unmanaged machines then you can disable DNS over HTTPS on each machine individually inside of each browser supported.

 

You can also block it on your MX.  I think the category you need to block is "proxies and other anonimyzers".

CptnCrnch
Kind of a big deal
Kind of a big deal
Get notified when there are additional replies to this discussion.