DNS not being applied through Traffic Shaping

keeshii
Comes here often

Recently, we've upgraded to Meraki MR46 Access points. With it, one of our SSIDs was configured for staff to use their username/password combinations to connect to the network via a RADIUS server. However, we also want to limit what these users can see/access for servers on the network. They only need to see our print server and our internal website.

So we enabled Layer 3 firewall rules to allow access to these two servers and then set the rest of the local LAN to be blocked. Despite the allows, staff cannot access the pages via FQDN, only by IP address. We added the DHCP and DNS servers to the allow list, but continue to get hit with DNS not working while the layer 3 firewall rules are in effect. I can see that DHCP is assigning DNS servers along with the IP address, but DNS is still failing to allow access to internal content. (For example: the internal website is located at 192.168.1.42/24. It can be pinged by IP address, but when users visit http://universe.everything.local, they get a name not resolved error.)

The firewall rules don't have an option for FQDNs, only IPs. I have tried changing layer 2 isolation off and back on without any change in behavior. The only thing that seems to work while on DHCP is to allow all local LAN access, which we are trying to avoid. If we use static assignment, it seems to work.

9 Replies
ww
Kind of a big deal

Could you try with this rule

Allow any any    port 53

keeshii
Comes here often

Once I set the protocol to Any, setting a port becomes greyed out. Both our DNS and DHCP additions are also set the same way with protocol and port showing "Any".
I added "Allow TCP Any 53" and "Allow UDP Any 53" to see if that makes a difference. Unfortunately, it did not.

PhilipDAth
Kind of a big deal

Are your block rules after the allow rules in the screenshot?

keeshii
Comes here often

Correct. All the allows are set first, leaving the only block being for the local LAN for wireless clients.

PhilipDAth
Kind of a big deal

Are you using any DNS services like Umbrella?

keeshii
Comes here often

Only our internal DNS server, run through Windows.

PhilipDAth
Kind of a big deal

Does a manual nslookup work?

keeshii
Comes here often

I've been mainly testing with Android since that is the majority of our user base's devices. Using PingTools, I get 0 records received out of 38 queries.
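
As an added diagnostic, not written by anyone in this thread: a Python script that sends a hand-built A query for the site named in the original post to the internal DNS server over UDP/53 and then over TCP/53 separately, so a client on the restricted SSID can tell which transport the Layer 3 rules actually pass. The DNS server address is an assumed placeholder; the query name is the one from the post.

```python
import socket
import struct
DNS_SERVER = "192.168.1.10"             # assumed placeholder: your internal Windows DNS server
HOSTNAME = "universe.everything.local"   # the internal site named in the post

def build_query(name, txid=0x1234):
    """Build a minimal DNS A/IN query with the RD (recursion desired) bit set."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_response(resp, txid=0x1234):
    """Return (rcode, answer_count) for a matching response, or None if it is not one."""
    if len(resp) < 12:
        return None
    rid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    if rid != txid or not flags & 0x8000:   # wrong id, or QR bit not set
        return None
    return flags & 0x000F, an               # rcode 0 = NOERROR, 3 = NXDOMAIN

def query_udp(server, name, timeout=2.0):
    """Send the query over UDP/53; None means no reply (filtered or server down)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        try:
            return parse_response(s.recvfrom(512)[0])
        except OSError:                     # timeout or ICMP port unreachable
            return None

def query_tcp(server, name, timeout=2.0):
    """Send the same query over TCP/53, with the 2-byte length prefix TCP DNS requires."""
    q = build_query(name)
    try:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack(">H", len(q)) + q)
            data = b""
            while len(data) < 2 or len(data) < 2 + struct.unpack(">H", data[:2])[0]:
                chunk = s.recv(4096)
                if not chunk:
                    return None         # connection closed before a full reply
                data += chunk
    except OSError:
        return None                     # refused, filtered, or timed out
    return parse_response(data[2:])

if __name__ == "__main__":
    for label, fn in (("UDP/53", query_udp), ("TCP/53", query_tcp)):
        print(label, fn(DNS_SERVER, HOSTNAME))  # None = blocked/no reply, (0, n>0) = resolved
```

Run it from a device on the restricted SSID: a transport that returns None while the other resolves points at the firewall rule for that protocol rather than at the DNS server itself.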

keeshii
Comes here often

I set up a new Windows machine to test and it works on Windows. If I can get my hands on a macOS or iOS device to test, I will try them, but for now, it seems to be isolated to Android devices.
