Blocking India also blocks access to 8.8.8.8 on the MX

Solved
Stormdude
Conversationalist

Blocking India also blocks access to 8.8.8.8 on the MX

Hello,

 

It appears that using a layer 7 firewall country rule to block India also blocks Google's anycast DNS address 8.8.8.8.  I believe you can create a group policy with a layer 3 rule to allow traffic to 8.8.8.8 prior to the layer 7 rule, but that seems like an administrative headache.

 

I have a few other firewall products that allow blocking various countries and I've never seen them block 8.8.8.8, but I've confirmed this behavior on two MX100's and on MX67.  Incidentally, 8.8.4.4 works just fine....  This seems like a bug to me.  Thoughts?

1 Accepted Solution
Stormdude
Conversationalist

I found a tech that is aware of the situation.  They are geolocating the IP using Maxmind (https://www.maxmind.com/en/geoip-demo?pkit_lang=en) and Maxmind is currently locating 8.8.8.8 in India.  Apparently Maxmind is aware of the issue and have informed Cisco they will be updating it next week.

 

Hopefully that saves someone some debugging...

View solution in original post

5 Replies 5
DarrenOC
Kind of a big deal
Kind of a big deal

Seems like an odd one!  We have numerous MX’s deployed all blocking such countries as India etc. Not one is blocking google DNS.

 

Why not switch the external DNS over to Cisco Umbrella:

 

  • 208.67. 222.222.
  • 208.67. 220.220.
Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
Stormdude
Conversationalist

Meraki support confirmed this behavior does exist. You can ping 8.8.8.8 from an MX, but when the India filter is enabled, traffic from the LAN to 8.8.8.8 is dropped (I replicated it on 3 MX's running firmware 14.42 - deleting specifically "India" allows it to work).  Meraki support's explanation is that Google moved their 8.8.8.8 server to India recently and the solution is to unblock India.  Their assessment is incorrect since 8.8.8.8 is an "anycast" address that routes the traffic worldwide (https://developers.google.com/speed/public-dns/faq#locations).  In my case, the traffic remains in the United States, so including 8.8.8.8 in the India layer 7 rule set is a bug.  It's just as bad as blocking the Google homepage and claiming that it's in India, when it's hosted worldwide.

 

We do use DNS servers other than Google's, and we have used the OpenDNS/Umbrella servers before, but unfortunately we have 3rd party solutions on the LAN that use the 8.8.8.8 so we have to either unblock India or create a group policy that allows for a layer 3 "allow" rule to override the layer 7 country rule.

 

If you've tested your ability to pass traffic from your LAN to 8.8.8.8 with firmware 14.42 and the India layer 7 filter enabled, perhaps there is some kind of intermittent mechanism occurring?  According to support, it should be blocked...  

Stormdude
Conversationalist

I found a tech that is aware of the situation.  They are geolocating the IP using Maxmind (https://www.maxmind.com/en/geoip-demo?pkit_lang=en) and Maxmind is currently locating 8.8.8.8 in India.  Apparently Maxmind is aware of the issue and have informed Cisco they will be updating it next week.

 

Hopefully that saves someone some debugging...

Keval
Here to help

@Stormdude how can I integrate MaxMind GeoIP solution with cisco VMX ? can I? 

keval parsaniya
Stormdude
Conversationalist

@Keval Meraki uses MaxMind GeoIP as their source for geolocating IP addresses.  If you create a Layer 7 rule to deny access to certain countries, those countries will be identified by the Meraki MX using MaxMind's dataset.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels