Meraki

Community

Restrict outbound DNS to only Umbrella on MX? Multiple destination ports on one rule?

Solved
GregTopf
New here
‎Jul 7 2023 5:45 AM
‎Jul 7 2023 5:45 AM

Restrict outbound DNS to only Umbrella on MX? Multiple destination ports on one rule?

I'm pretty sure this isn't a unique to me question.  I am trying to enforce my clients to only use umbrella DNS.  I've got all of my internal clients and DHCP scopes correctly configured, but I need to be able to block people from using manually configured external DNS servers.

 

The really short version of what I'm looking to do is create a firewall rule to only allow DNS queries to 208.67.222.222 and 208.67.220.220, and on all DNS ports (853 and 53).

 

I'm actually trying to figure out how to create a firewall rule going to a port group.  I know how to make the block and allow rules, and I've got the object group made, but do I need to make two separate rules, one per port?

0 Kudos
1 Accepted Solution
CptnCrnch
Kind of a big deal
‎Jul 7 2023 7:05 AM
‎Jul 7 2023 7:05 AM

https://support.umbrella.com/hc/en-us/articles/230904088-Preventing-circumvention-of-Cisco-Umbrella-...

That's basically all that's needed:

1. Allow both Anycast IPs und port 53 (UDP is enough, there's no need for your users to do Zone transfers)

2. Deny everything else to port 53 either UDP swell as TCP

3. In addition block port 853 TCP

4. Block the categories "Proxy / Anomymizer" and "DoH / DoT" within Umbrella.

 

View solution in original post

0 Kudos
7 Replies 7
alemabrahao
Kind of a big deal
‎Jul 7 2023 5:48 AM
‎Jul 7 2023 5:48 AM

Yes, you need to create a rule only allowing umbrella IPs on port 53 and another one denying Any Any for port 53.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
ww
Kind of a big deal
Kind of a big deal
‎Jul 7 2023 6:03 AM
‎Jul 7 2023 6:03 AM

Dont forget DOH port 443 

You can basically only do in addition with the content filter to block doh/dot.  And whitelist umbrella

0 Kudos
RaphaelL
Kind of a big deal
Kind of a big deal
‎Jul 7 2023 6:05 AM
‎Jul 7 2023 6:05 AM

I would do 2 rules. One for TCP , the other for UDP. ( As I expect you already have a deny any any at the bottom of your rulebase )

 

You can add more than 1 port per rule , but can't input port ranges and ports (eg: 20-50,80 )

0 Kudos
CptnCrnch
Kind of a big deal
‎Jul 7 2023 7:05 AM
‎Jul 7 2023 7:05 AM

https://support.umbrella.com/hc/en-us/articles/230904088-Preventing-circumvention-of-Cisco-Umbrella-...

That's basically all that's needed:

1. Allow both Anycast IPs und port 53 (UDP is enough, there's no need for your users to do Zone transfers)

2. Deny everything else to port 53 either UDP swell as TCP

3. In addition block port 853 TCP

4. Block the categories "Proxy / Anomymizer" and "DoH / DoT" within Umbrella.

 

0 Kudos
In response to CptnCrnch
RaphaelL
Kind of a big deal
Kind of a big deal
‎Jul 7 2023 7:11 AM
‎Jul 7 2023 7:11 AM

TCP 53 isn't only used for zone transfers.

0 Kudos
In response to RaphaelL
CptnCrnch
Kind of a big deal
‎Jul 7 2023 7:15 AM
‎Jul 7 2023 7:15 AM

Correct, but that's the most common use case: 😉

Most DNS [RFC1034] transactions take place over UDP [RFC768].  TCP
   [RFC793] is always used for full zone transfers (using AXFR) and is
   often used for messages whose sizes exceed the DNS protocol's
   original 512-byte limit.

https://www.rfc-editor.org/rfc/rfc7766 

In response to CptnCrnch
RaphaelL
Kind of a big deal
Kind of a big deal
‎Jul 7 2023 7:16 AM
‎Jul 7 2023 7:16 AM

100% agree with you. 99.9999999% of the queries will be sourced as UDP

0 Kudos
Back to the top
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.