Force all guests to use my DNS & prevent circumvention.

Solved
Area850
Conversationalist

Can someone point me in the right direction for a Meraki guest Wi-Fi configuration?

I use a DNS filter that prevents guests from reaching certain content.

I am pointing all traffic to my DNS server. With today's technology, especially in Android phones, it has become really easy to circumvent my DNS policy by using a private DNS such as Google DNS or Quad9.

How do I redirect all DNS traffic to flow to my DNS server, if that is possible? If it's not possible, how do I block all DNS and DNS over HTTPS from other parties, excluding my own?

The problem with blocking external DNS traffic is that it will break the internet for guests who choose to use private DNS. My goal is to just redirect all DNS traffic through my DNS using Cisco policy configuration. Can anyone assist me with a proper Meraki configuration to accomplish this?

Your assistance is greatly appreciated.

V/r

1 Accepted Solution
Nash
Kind of a big deal

You can't prevent people from changing their DNS settings, but you can deny access from the guest subnet to the common public DNS options over 53 and 443.

Would this break the internet for users with private DNS? Sure would. But to be honest, I'm not seeing another option for you here. Not if you're depending on a DNS filter for this.

Do you have an MX with an advanced security license in your mix? I'm really not a fan of multiple sources of content filtering, but the MX's content filter isn't DNS based if I recall correctly.
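The accepted answer's approach, as an added example that is not code from this thread or from Meraki: build the guest-SSID deny list for the common public resolvers over 53 and 443 (extended here to 853 for DNS over TLS, which the thread raises later), with the filter's own resolver allowed first, then evaluate sample guest flows against it with first-match semantics. Running it shows the caveat Nash gives: a guest who switched to a private resolver loses DNS entirely rather than being redirected. The resolver address and the rule field names are assumptions.

```python
import ipaddress

# Constructed value: the address of the question's DNS filter server
# (the page gives no real addresses).
MY_DNS_SERVER = "192.168.10.53"

# Public resolvers the thread names (Google, Quad9) plus Cloudflare.
PUBLIC_RESOLVERS = {
    "Google": ["8.8.8.8/32", "8.8.4.4/32"],
    "Quad9": ["9.9.9.9/32", "149.112.112.112/32"],
    "Cloudflare": ["1.1.1.1/32", "1.0.0.1/32"],
}


def rule(comment, policy, protocol, dest_cidr, dest_port):
    # Field names follow the shape of Meraki's L3 firewall rule objects
    # (an assumption here, not something the thread shows).
    return {"comment": comment, "policy": policy, "protocol": protocol,
            "destCidr": dest_cidr, "destPort": dest_port}


def build_guest_dns_rules():
    """Guest SSID rule list, first match wins, as the accepted answer describes.

    Ports 53 and 443 are the ones the answer names; 853 (DNS over TLS) is
    added because the thread also raises TLS-based workarounds.
    """
    rules = [rule("allow my DNS filter", "allow", "any", f"{MY_DNS_SERVER}/32", "53")]
    for name, cidrs in PUBLIC_RESOLVERS.items():
        for cidr in cidrs:
            rules.append(rule(f"deny {name} plain DNS", "deny", "any", cidr, "53"))
            rules.append(rule(f"deny {name} DoH", "deny", "any", cidr, "443"))  # any: HTTP/3 is UDP
            rules.append(rule(f"deny {name} DoT", "deny", "tcp", cidr, "853"))
    rules.append(rule("default allow", "allow", "any", "any", "any"))
    return rules


def evaluate(rules, dst_ip, protocol, dst_port):
    """Return (policy, comment) of the first rule matching a guest flow."""
    ip = ipaddress.ip_address(dst_ip)
    for r in rules:
        if r["protocol"] != "any" and r["protocol"] != protocol:
            continue
        if r["destPort"] != "any" and r["destPort"] != str(dst_port):
            continue
        if r["destCidr"] != "any" and ip not in ipaddress.ip_network(r["destCidr"]):
            continue
        return r["policy"], r["comment"]
    return "allow", "implicit"
```

The deny list only covers resolvers you enumerate; a guest pointing at an unlisted DoH endpoint still gets through, which is why the later replies move to Umbrella or MX content filtering instead.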

10 Replies
NolanHerring
Kind of a big deal

Slightly confused here.

The fix is to block all DNS (port 53) outbound on your firewall; this should solve that. However, you also state that you don't want to do this in case a guest wants to use a DNS server other than your own, which seems contradictory to your original request.

Nolan Herring | nolanwifi.com
Area850
Conversationalist

To better word this: my goal is to redirect all DNS traffic vs. blocking it.

PhilipDAth
Kind of a big deal

> To better word this: my goal is to redirect all DNS traffic vs. blocking it.

You won't be able to do this with Meraki kit.

Nash
Kind of a big deal

Like Philip said, that's not a thing Meraki does. The MX content filter can provide non-DNS-based content filtering, but you're not going to be able to hijack people's DNS wholesale.

Area850
Conversationalist

Yep, turns out I will just invest in an advanced security license for the MX device. Thanks for the responses.
RaymondDoucette
Conversationalist

If there is budget, an Umbrella license can be added to a Meraki environment to handle DNS security.

https://meraki.cisco.com/lib/pdf/meraki_whitepaper_mr_umbrella.pdf

and

https://umbrella.cisco.com/meraki

-R


NolanHerring
Kind of a big deal


@RaymondDoucette wrote:

If there is budget, an Umbrella license can be added to a Meraki environment to handle DNS security.

 

https://meraki.cisco.com/lib/pdf/meraki_whitepaper_mr_umbrella.pdf

 and 

https://umbrella.cisco.com/meraki

 

-R

 


From what I know that just 'gives' you the ability to use Cisco Umbrella directly tied into Meraki wireless. This wouldn't stop someone on the wireless from manually changing their DNS to something else and then Umbrella blocking that from working (or would it?).

Nolan Herring | nolanwifi.com
TwitterLinkedIn
Nash
Kind of a big deal


@NolanHerring wrote:

@RaymondDoucette wrote:

If there is budget, an Umbrella license can be added to a Meraki environment to handle DNS security.

 

https://meraki.cisco.com/lib/pdf/meraki_whitepaper_mr_umbrella.pdf

 and 

https://umbrella.cisco.com/meraki

 

-R

 


From what I know that just 'gives' you the ability to use Cisco Umbrella directly tied into Meraki wireless. This wouldn't stop someone on the wireless from manually changing their DNS to something else and then Umbrella blocking that from working (or would it?).


I'd be surprised if impacted manually configured DNS. For example, I've got the Umbrella roaming client on my PC. I can manually change my DNS and poof, no more Umbrella policies in effect.

RaymondDoucette
Conversationalist

MR implements Umbrella as an SSID-bound policy that forces all DNS traffic (except whitelisted domains) to the Umbrella cloud. It's more difficult to circumvent than client-based DNS settings.

There are also mechanisms to mitigate DNS over HTTPS and TLS based workarounds.

Umbrella integration with MX is also available.