Meraki

SimonT

Could anyone explain the correct setup so that Meraki can do DNS snooping for FQDN-based firewall rules with the following environment?

Windows network with Windows DHCP and DNS Servers.
Windows endpoints with Secure Client and Umbrella

Endpoints DNS points to Umbrella virtual appliances with local DNS pointing back to Windows DNS servers.
Active directory integrated with Umbrella.
MX84 Firewall

MX84 does not see DNS requests from endpoints so FQDN-based firewall rules fail. How should this be setup ? must keep Windows DHCP servers and local DNS going for Active Directory.

RaphaelL

Hi ,

DNS requests must be seen by the MX. So they can't be encrypted and can't be intra-vlan DNS requests.

DNS requests over Auto-VPN/NMVPN is fine.

DNS requests over Internet is fine.

DNS requests inter-vlan is fine.

SimonT

Thanks for the comment my understanding is from the endpoint to the Umbrella virtual appliances are not encrypted but from the virtual appliance they might be. But how would local DNS caching work as the MX wont see these DNS requests.

Brash

The clients will send unencrypted DNS requests to the Umbrella Virtual Appliance.

The Umbrella Virtual Appliance will then proxy requests for public domains upstream to the Umbrella cloud via an encrypted tunnel.

If the MX does not reside between the clients and the virtual appliance (where it can intercept the unencrypted lookups), it will not be able to intercept these DNS requests and therefore, you the FQDN based rules will fail.