Meraki

Community

OpenDNS with dhcp on MX WAN uplink

khowanitz
Here to help
‎Aug 6 2018 11:00 AM
‎Aug 6 2018 11:00 AM

OpenDNS with dhcp on MX WAN uplink

Our uplink is DHCP. I would like to override the dns settings for the WAN port and instead use OpenDNS servers. (I don't particularly like or trust the ISP's dns servers)  It looks like I can only specify the dns servers for the MX65 WAN uplink if I purchase a static IP assignment?

0 Kudos
7 Replies 7
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Aug 6 2018 12:45 PM
‎Aug 6 2018 12:45 PM

You can just change the DNS servers used on the DHCP configuration of your MX (which is given to the clients) rather than the MX itself.

0 Kudos
In response to PhilipDAth
khowanitz
Here to help
‎Aug 6 2018 12:48 PM
‎Aug 6 2018 12:48 PM

I have already done that, but I don't want the MX to use dns results from dns servers I don't trust.

0 Kudos
In response to khowanitz
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Aug 6 2018 12:55 PM
‎Aug 6 2018 12:55 PM

On the MX side, I don't think you can statically configure DNS servers which at the same time having DHCP enabled.

In response to PhilipDAth
khowanitz
Here to help
‎Aug 6 2018 1:03 PM
‎Aug 6 2018 1:03 PM

Thanks, I made it a wishlist.

In response to khowanitz
Adam
Kind of a big deal
‎Aug 6 2018 1:11 PM
‎Aug 6 2018 1:11 PM

We have a similar setup but don't need to change the DNS on the WAN port.  We just make sure their DHCP goes to either OpenDNS or our local DNS server and it has forwarders setup to OpenDNS.  Even if you could change the WAN DNS it wouldn't stop someone from statically setting their computers DNS to a public DNS.  The only way to prevent that is to block all DNS queries via firewall to anything except OpenDNS.  

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
In response to Adam
khowanitz
Here to help
‎Aug 6 2018 1:19 PM
‎Aug 6 2018 1:19 PM

That is exactly one of my actions, block egress udp & tcp port 53 to limit exposure to things like:

 

https://blog.talosintelligence.com/2017/03/dnsmessenger.html

 

For small branch offices, it would be nice to additionally use the mx as a dns proxy, but that only works if uses dns servers I trust.

0 Kudos
In response to khowanitz
Adam
Kind of a big deal
‎Aug 6 2018 1:34 PM
‎Aug 6 2018 1:34 PM

Makes sense, can you order a static IP for your WAN connection?  Not a huge deal but I see your dilemma of not being able to just set static DNS on the WAN port.  

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.