Meraki MX Firewall with FQDN

SOLVED
Pugmiester
Building a reputation

Meraki MX Firewall with FQDN

Hi all,

Can someone help me wrap my head around this, please?

We're looking to implement a firewall rule that would permit traffic to specific destinations, while continuing to block everything else. The challenge is that the destinations are cloud services, so they tend to contain many changing IP addresses.

Looking at the details in the document below, it suggests it's possible, but only if the MX sees the DNS request to match it up with the client connection.

https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/MX_Firewall_Settings

What's not clear is whether that DNS request must come from the client itself, rather than from an onsite DNS server that the client is talking to.

Am I right in thinking this only works if the client machine is making the request to, for example, Google DNS 8.8.8.8, so that the MX sees those requests and can match them directly back to the client IP that is then asking to get to sitexyz.com?

ACCEPTED SOLUTION

UCcert
Kind of a big deal

Re: Meraki MX Firewall with FQDN

Hi @Pugmiester

I believe your understanding to be correct. The MX must see the client's DNS request and the DNS server's response.

Darren O'Connor | uccert.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.

3 REPLIES

Pugmiester
Building a reputation

Re: Meraki MX Firewall with FQDN

That's what I thought. I was kinda hoping I was wrong, but back to the drawing board.

PhilipDAth
Kind of a big deal

Re: Meraki MX Firewall with FQDN

>Looking at the details in the document below, it suggests it's possible, but only if the MX sees the DNS request to match it up with the client connection.

The DNS request can be either inter-VLAN or go out to the Internet or out over AutoVPN to another site. The DNS request populates the DNS cache. The FQDN firewall rule then uses this DNS cache.

Consequently, it does not matter who made that DNS request or which DNS server it was sent to.

You do need to be careful with short-lived DNS results or queries that always return a different result with a short TTL. For example, from memory, Facebook uses a TTL of 60s. So you can get a case where client "x" does a lookup. Client "y" does a lookup a short time later but gets a different result. The firewall rule ends up using only one of these results, so one client works and the other does not.

Something like that. The explanation is not exactly right, but the gist is.

On the whole, it works great with most cloud providers using rotating sets of IPs, but not all of them (only a small percentage don't work well).
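To make the mechanism described in the reply above concrete, here is an added Python model (not Meraki code, and not written by any poster in this thread) of a default-deny firewall whose FQDN allow rule is driven by a cache of DNS answers the gateway has seen pass through it. The cache behaviour (one entry per name, latest answer replaces the previous one, entry expires at TTL) is an assumption chosen to reproduce the failure mode the reply describes, not documented MX behaviour; the addresses, TTLs and timings are constructed.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Tuple

# Constructed model of FQDN firewall rules enforced via snooped DNS responses.
# Added illustration only: the replacement-and-expiry cache below is an
# assumption made to show the rotating-answer problem, not real MX internals.


@dataclass(frozen=True)
class DnsResponse:
    ts: float                 # seconds; when the response crossed the gateway
    qname: str                # name that was queried
    addrs: Tuple[str, ...]    # A records in the answer section
    ttl: int                  # TTL of those records


@dataclass(frozen=True)
class Flow:
    ts: float
    src: str                  # client IP (reported only; not used in the verdict)
    dst: str                  # destination IP the client is trying to reach


def _norm(name: str) -> str:
    return name.lower().rstrip(".")


class FqdnFirewall:
    """Default-deny firewall with FQDN allow rules resolved from a snooped DNS cache."""

    def __init__(self, allowed_fqdns: Iterable[str]) -> None:
        self.allowed = {_norm(n) for n in allowed_fqdns}
        # qname -> (expires_at, addrs). One entry per name: the latest answer wins.
        self.cache: Dict[str, Tuple[float, FrozenSet[str]]] = {}

    def observe_dns(self, resp: DnsResponse) -> None:
        # Who asked does not matter: a client querying 8.8.8.8 directly and an
        # on-site resolver forwarding upstream both produce a response the gateway
        # can see, provided the response actually transits the gateway.
        self.cache[_norm(resp.qname)] = (resp.ts + resp.ttl, frozenset(resp.addrs))

    def allowed_ips(self, now: float) -> FrozenSet[str]:
        ips = set()
        for name in self.allowed:
            entry = self.cache.get(name)
            if entry is not None and entry[0] > now:   # unexpired entries only
                ips.update(entry[1])
        return frozenset(ips)

    def decide(self, flow: Flow) -> str:
        return "allow" if flow.dst in self.allowed_ips(flow.ts) else "deny"


def run_scenario() -> Dict[str, str]:
    """Replays constructed events and returns each flow's verdict keyed by label."""
    fw = FqdnFirewall(["sitexyz.com"])           # the FQDN rule from the question
    verdicts: Dict[str, str] = {}

    # 1. On-site resolver forwards the query upstream through the gateway; the
    #    gateway sees the reply even though client 10.0.1.10 never spoke to 8.8.8.8.
    fw.observe_dns(DnsResponse(0, "sitexyz.com", ("198.51.100.10",), ttl=300))
    verdicts["resolver-forwarded"] = fw.decide(Flow(5, "10.0.1.10", "198.51.100.10"))

    # 2. An unrelated destination is still blocked by the default deny.
    verdicts["other-dst"] = fw.decide(Flow(5, "10.0.1.10", "203.0.113.7"))

    # 3. Short-TTL round robin: client y's later answer replaces client x's.
    fw.observe_dns(DnsResponse(100, "sitexyz.com", ("198.51.100.10",), ttl=60))
    fw.observe_dns(DnsResponse(120, "sitexyz.com", ("198.51.100.20",), ttl=60))
    verdicts["client-x-after-rotation"] = fw.decide(Flow(130, "10.0.1.10", "198.51.100.10"))
    verdicts["client-y-after-rotation"] = fw.decide(Flow(130, "10.0.1.11", "198.51.100.20"))

    # 4. TTL has expired and nobody looked the name up again: nothing matches.
    verdicts["after-ttl-expiry"] = fw.decide(Flow(200, "10.0.1.11", "198.51.100.20"))
    return verdicts


if __name__ == "__main__":
    for label, verdict in run_scenario().items():
        print(f"{label:26s} {verdict}")
```

Running it shows both points made in the thread: the resolver-forwarded lookup is enough for client 10.0.1.10 to be allowed, and with a 60 s round-robin answer the second client's lookup displaces the first client's address in the cache, so one client works and the other is denied. Before relying on FQDN rules for a given service, a practical check is to query the name several times and compare the returned addresses and TTLs; if the answers rotate within the TTL, expect this behaviour.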
