Restricting DNS Firewall Rules and Management Traffic

passta
Just browsing

Restricting DNS Firewall Rules and Management Traffic

Hello.  I am trying to accomplish the following:

 

Here is my setup

MX100

MS390 all networks are L3 on the 390.

4 MR45 AP's off the 390.

 

I'm trying to use the MX outbound firewall to block DNS unless it is specifically pointed at the internal DNS.  I created 4 outbound rules in order from 1st to last, 2 rules to allow DNS UDP/TCP out from my internal DNS servers, and 2 rules to block all TCP/UDP DNS from any to any, last rule is allow all.    

 

This seems to be working fine, I can test when the rules are enabled, that I am only able to resolve DNS from our internal servers as desired.   What is weird, is the summary pages for my MS and MR's, are all saying that DNS is not configured correctly shortly after I enable the rules.    These devices are all getting Management IP's via DHCP, and the Management VLAN DHCP Server on the MS is configured with our internal DNS servers.  I can see the right DNS IP's are being picked up on the summary page for each AP and the MS390.  Not sure what is up, if its something with the FW rules all on the MX and I am doing all L3 at the MS390?

5 Replies 5
ww
Kind of a big deal
Kind of a big deal

I would allow the management subnet (or ip from the meraki ap/switch) to access any any.  Meraki does some health checks, dns lookups, reverse dns lookups, some kind of ping on port 53 to 8.8.8.8

passta
Just browsing

I tried that, and it did fix the DNS errors on all of the AP's, but the switch is still showing DNS as misconfigured.   I'm wondering if it's just an issue with the switch or something, because I have tried completely disabling the rules I put in place and the switch always reports DNS misconfiguration.   Even after a reboot.    

DarrenOC
Kind of a big deal
Kind of a big deal

What DNS is your MX using? I try and get our customers to place their Meraki devices in a separate mgmt VLAN and then point their DNS to Cisco Umbrella.  I don’t like relying on their internal DNS. We then know exactly what to open on the firewall and takes reliance off their internal infrastructure.

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
passta
Just browsing

MX is using basically my ISP DNS.  MX is behind my ATT Gateway in Bridge mode.   

Bruce
Kind of a big deal

@passta, is your management VLAN being issued IP addresses from the DHCP server on the MS390 stack, and is the the MS390 switch stack receiving its IP address from itself? If so, this might be causing the DNS mis-configuration error. There is this caveat regarding management IP addresses and Layer 3 addresses, “The management interface for a switch (stack) performing L3 routing cannot have a configured gateway of one of its own L3 interfaces”. You might need to reconfigure your network so the management VLAN has its Layer 3 interface on the MX.

 

Reference: https://documentation.meraki.com/MS/Layer_3_Switching/MS_Layer_3_Switching_and_Routing, Layer 3 Interface Caveats

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels