clients that do secure DNS to google / cloudflare

joopv
Getting noticed


We have outbound access lists in MX's with hostnames (and also ip addresses / ranges).

We also have (android) clients that do DNS requests over TLS to google's DNS (8.8.8.8 over port 853).


Are these 2 compatible with each other? Because I don't see how this can work - the MX has no way to know if a client is trying to access an allowed website.

Should we just block port 853 and force the client to choose normal dns?

4 Replies
Brash
Kind of a big deal

The MX won't be able to read the DNS request, but it can still block IP flows to networks based on destination IP address/hostname.

If you want the MX to be able to read DNS requests and perform L7 firewall and content filtering based on DNS requests, block port 843 outbound and the devices should fail back to UDP 53.

joopv
Getting noticed

Thanks,

I guess my real question is: will the MX keep its own table of DNS hostnames <> IP addresses? Does it update this on its own initiative, or is it relying on / waiting for clients doing (readable) DNS requests?


Or, in other words: what (if anything) exactly "breaks" when clients start doing DNS over TLS?

RaphaelL
Kind of a big deal

At the bare minimum your L3 FQDN rules will break. The MX won't be able to snoop these queries.

Brash
Kind of a big deal

As stated by @RaphaelL, L3 rules based on FQDN will break as they rely on snooping client DNS traffic.

https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/MX_Firewall_Settings#FQDN_Support


L7 firewall rules and content filtering will work based on the destination IP of the client's traffic. However, you will lose L7 firewall rule enforcement based on client DNS lookup (where the MX blocks the actual DNS request due to an L7 firewall rule match).
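To make the mechanism the replies describe concrete, here is an added illustration (not part of this thread and not Meraki code) of a simplified firewall model that learns its hostname-to-IP table only from plaintext DNS responses it can see, and then tries to apply an FQDN allow rule to later flows. A client using plaintext DNS on UDP/53 populates the table and its web flow matches the rule; a client doing DNS over TLS on TCP/853 leaves the table empty, so its web flow cannot be matched by FQDN and falls through to whatever other rules exist. The model also records which clients are talking TCP/853, which is the visibility a defender wants before deciding whether to block that port. The `FqdnSnoopingFirewall` class, the `Flow` record and all addresses (10.0.0.0/24 clients, 203.0.113.0/24 servers, `docs.example.com`) are constructed for this example; the real MX behaviour is documented at the FQDN Support link above.

```python
"""Simplified model of FQDN rule enforcement by DNS snooping.

Constructed example: shows why a client that resolves names over DNS over TLS
(TCP/853) never populates the firewall's hostname<->IP table, so FQDN-based
L3 rules cannot match its later traffic. Not Meraki's implementation.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Flow:
    """One observed flow. dns_answer is only present for plaintext DNS on UDP/53,
    where the firewall can parse the (qname, answer_ip) from the response."""
    client: str
    dst_ip: str
    dst_port: int
    proto: str
    dns_answer: Optional[Tuple[str, str]] = None


class FqdnSnoopingFirewall:
    """Firewall that applies an FQDN allow rule using a table learned from
    plaintext DNS responses it observes (the mechanism the thread describes)."""

    def __init__(self, allowed_fqdns: Set[str]) -> None:
        self.allowed_fqdns = set(allowed_fqdns)
        self.table: Dict[str, str] = {}   # dst_ip -> hostname, learned by snooping
        self.dot_clients: Set[str] = set()  # clients seen using DNS over TLS

    def observe(self, flow: Flow) -> str:
        """Process one flow and return the verdict the FQDN rule produces:
        'learned'    - plaintext DNS response parsed, table updated
        'opaque'     - DNS over TLS, payload encrypted, nothing learned
        'allow'/'deny' - FQDN rule matched the destination IP
        'unresolved' - destination IP unknown, FQDN rule cannot match;
                       the flow falls through to the remaining rules."""
        if flow.dst_port == 53 and flow.dns_answer is not None:
            qname, answer_ip = flow.dns_answer
            self.table[answer_ip] = qname
            return "learned"
        if flow.dst_port == 853 and flow.proto == "tcp":
            # DoT: TLS hides the query and answer from the firewall.
            self.dot_clients.add(flow.client)
            return "opaque"
        hostname = self.table.get(flow.dst_ip)
        if hostname is None:
            return "unresolved"
        return "allow" if hostname in self.allowed_fqdns else "deny"


def run_scenario() -> Tuple[List[str], List[str], Dict[str, str]]:
    """Constructed traffic: one plaintext-DNS client, one DNS-over-TLS client."""
    fw = FqdnSnoopingFirewall(allowed_fqdns={"docs.example.com"})
    flows = [
        # Client A resolves the allowed name over UDP/53; the firewall sees the answer.
        Flow("10.0.0.11", "10.0.0.1", 53, "udp", ("docs.example.com", "203.0.113.10")),
        Flow("10.0.0.11", "203.0.113.10", 443, "tcp"),
        # Client B resolves over DoT to 8.8.8.8:853 and then connects to the
        # address it received; the firewall never saw that answer.
        Flow("10.0.0.22", "8.8.8.8", 853, "tcp"),
        Flow("10.0.0.22", "203.0.113.20", 443, "tcp"),
    ]
    verdicts = [fw.observe(f) for f in flows]
    return verdicts, sorted(fw.dot_clients), dict(fw.table)


if __name__ == "__main__":
    verdicts, dot_clients, table = run_scenario()
    print("verdicts:", verdicts)
    print("clients using DNS over TLS:", dot_clients)
    print("learned table:", table)
```

The list of clients seen on TCP/853 is the useful operational output: it tells you which devices would be affected before you block the port, and it is the same signal you would pull from flow logs on the real firewall to measure how much of your DNS the FQDN rules can actually see.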
