I'm pretty sure this isn't a unique-to-me question. I am trying to force my clients to use only Umbrella DNS. I've got all of my internal clients and DHCP scopes correctly configured, but I need to be able to block people from using manually configured external DNS servers.
The really short version of what I'm looking to do is create a firewall rule to only allow DNS queries to 208.67.222.222 and 208.67.220.220, on all DNS ports (853 and 53).
I'm actually trying to figure out how to create a firewall rule going to a port group. I know how to make the block and allow rules, and I've got the object group made, but do I need to make two separate rules, one per port?
That's basically all that's needed:
1. Allow both Anycast IPs on port 53 (UDP is enough, there's no need for your users to do zone transfers)
2. Deny everything else to port 53, both UDP and TCP
3. In addition, block port 853 TCP
4. Block the categories "Proxy / Anonymizer" and "DoH / DoT" within Umbrella.
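To make the ordering in steps 1 to 3 concrete, here is an added example (not code from the poster, the asker, or any vendor) that models a first-match outbound rulebase and evaluates sample flows against it. It assumes first-match semantics, a default action of "allow" for unmatched traffic (Meraki-style; pass `default_action="deny"` if your rulebase ends in a deny-any), and the two Umbrella anycast resolvers quoted in the thread. Step 4 is an Umbrella content category, not a port rule, so it is outside this model. The sample flows are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import FrozenSet, List, Tuple

# Constructed from the thread: the two Umbrella anycast resolvers.
UMBRELLA_RESOLVERS = frozenset({ip_address("208.67.222.222"),
                                ip_address("208.67.220.220")})


@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "deny"
    proto: str                # "udp", "tcp" or "any"
    dports: FrozenSet[int]    # destination ports; empty set means any port
    dst: FrozenSet            # destination hosts; empty set means any host
    comment: str = ""

    def matches(self, proto: str, dst_ip, dport: int) -> bool:
        # Every populated field must match; empty fields are wildcards.
        if self.proto != "any" and self.proto != proto:
            return False
        if self.dports and dport not in self.dports:
            return False
        if self.dst and dst_ip not in self.dst:
            return False
        return True


# Hypothetical rulebase mirroring steps 1-3 above, in the order they must appear.
POLICY: List[Rule] = [
    Rule("allow", "udp", frozenset({53}), UMBRELLA_RESOLVERS,
         "1. Umbrella anycast, UDP 53"),
    Rule("deny", "any", frozenset({53}), frozenset(),
         "2. every other resolver, UDP and TCP 53"),
    Rule("deny", "tcp", frozenset({853}), frozenset(),
         "3. DNS over TLS"),
]


def evaluate(proto: str, dst_ip: str, dport: int, policy: List[Rule],
             default_action: str = "allow") -> Tuple[str, str]:
    """First-match evaluation: the first rule that matches decides the flow."""
    addr = ip_address(dst_ip)
    for rule in policy:
        if rule.matches(proto, addr, dport):
            return rule.action, rule.comment
    return default_action, "default (no rule matched)"


def misordered_policy() -> List[Rule]:
    """The same rules with the allow placed below the deny-any for port 53."""
    allow, deny53, deny853 = POLICY
    return [deny53, allow, deny853]


def report(flows: List[Tuple[str, str, int]], policy: List[Rule]) -> List[str]:
    """Render one line per flow so the effect of each rule is visible."""
    lines = []
    for proto, dst, port in flows:
        action, why = evaluate(proto, dst, port, policy)
        lines.append(f"{proto:<3} {dst:>15}:{port:<4} -> {action:<5} ({why})")
    return lines


if __name__ == "__main__":
    # Constructed sample flows: sanctioned resolver, a public resolver,
    # DoT, and DoH on 443 (which no port rule here can distinguish from HTTPS).
    SAMPLE_FLOWS = [
        ("udp", "208.67.222.222", 53),
        ("tcp", "208.67.222.222", 53),
        ("udp", "8.8.8.8", 53),
        ("tcp", "1.1.1.1", 853),
        ("tcp", "1.1.1.1", 443),
    ]
    print("Correct order:")
    print("\n".join(report(SAMPLE_FLOWS, POLICY)))
    print("\nAllow placed after the deny:")
    print("\n".join(report(SAMPLE_FLOWS, misordered_policy())))
```

Running it shows why rule order matters: with the allow moved below the port-53 deny, even the Umbrella resolvers are blocked. It also shows that a DoH client on TCP 443 passes every port rule, which is why the category block in step 4 is needed rather than optional.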
Yes, you need to create a rule only allowing Umbrella IPs on port 53 and another one denying Any Any for port 53.
Don't forget DoH on port 443.
You can basically only do it in addition with the content filter to block DoH/DoT, and whitelist Umbrella.
I would do 2 rules: one for TCP, the other for UDP. (As I expect you already have a deny any any at the bottom of your rulebase.)
You can add more than 1 port per rule, but can't input port ranges and ports together (e.g. 20-50,80).
TCP 53 isn't only used for zone transfers.
100% agree with you. 99.9999999% of the queries will be sourced as UDP