Meraki

joopv · ‎Nov 30 2023

We have outbound access lists in MX's with hostnames (and also ip addresses / ranges).

We also have (android) clients that do DNS requests over TLS to google's DNS (8.8.8.8 over port 853).

Are these 2 compatible with eachother? Because i don't see how this can work - the MX has no way to know if a client is trying to access an allowed website.

Should we just block port 853 and force the client to choose normal dns?

Brash · ‎Nov 30 2023

The MX won't be able to read the DNS request, but it can still block IP flows to networks based on destination IP address/hostname.

If you want the MX to be able to read DNS requests and perform L7 firewall and content filtering based on DNS requests, block port 843 outbound and the devices should fail back to UDP 53.

joopv · ‎Dec 1 2023

Thanks,

I guess my real question is: will the MX keep its own table of dns hostnames <> ip addresses, does it update this by its own initiative or is it relying on / waiting for clients doing (readable) DNS requests?

Or, in other words: what (if anything) exactly "breaks" when clients start doing DNS over TLS?

RaphaelL · ‎Dec 1 2023

At the bareminimum your L3 FQDN rules will break. The MX won't be able to snoop these queries.

Brash · ‎Dec 1 2023

As stated by @RaphaelL L3 rules based on FQDN will break as they rely on snooping client DNS traffic.

https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/MX_Firewall_Settings#FQDN_Support

L7 firewall rules and content filtering will work based on the destination IP of the client's traffic.l However you will lose L7 firewall rule enforcement based on client DNS lookup (where the MX blocks the actual DNS request due to an L7 firewall rule match)

Meraki

Community

clients that do secure DNS to google / cloudflare

clients that do secure DNS to google / cloudflare