Force all guests to use my DNS & prevent circumvention.
Can someone point me in the right direction for a Meraki guest wifi configuration?
I use a DNS filter that prevents guests from reaching certain content.
I am pointing all traffic to my DNS server. With today's technology, especially in Android phones, it has become really easy to circumvent my DNS policy by using a private DNS such as Google DNS or Quad9.
How do I redirect all DNS traffic to flow to my DNS server, if that is possible? If it's not possible, how do I block all DNS & DNS over HTTPS from other parties, excluding my own?
The problem with blocking external DNS traffic is it will break the internet for guests who choose to use private DNS. My goal is to just redirect all DNS traffic through my DNS using Cisco policy configuration. Can anyone assist me with a proper Meraki configuration to accomplish this?
Your assistance is greatly appreciated.
V/r
You can’t prevent people from changing their DNS settings, but you can deny access from the guest subnet to the common public DNS options over 53 and 443.
Would this break the internet for users with private DNS? Sure would. But to be honest, I'm not seeing another option for you here. Not if you're depending on a DNS filter for this.
Do you have an MX with adv security license in your mix? I’m really not a fan of multiple sources of content filtering, but the MX’s content filter isn’t DNS based if I recall correctly.
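As an added example (not from this thread or from Meraki), here is the rule set the accepted answer describes, laid out as MX L3 outbound firewall rules in the Dashboard API field layout, with a small first-match evaluator so you can check what each guest flow gets. The guest subnet, the filtering DNS server address and the public resolver list are assumed values.

```python
import ipaddress
import json

# Constructed values: replace with your own guest VLAN and filtering DNS server.
GUEST_SUBNET = "192.168.50.0/24"
MY_DNS = "192.168.10.5/32"
# Well-known public resolvers (Google, Quad9, Cloudflare); extend for your environment.
PUBLIC_RESOLVERS = "8.8.8.8/32,8.8.4.4/32,9.9.9.9/32,149.112.112.112/32,1.1.1.1/32,1.0.0.1/32"

def _rule(comment, policy, protocol, dest_cidr, dest_port):
    # Field names follow the Meraki Dashboard API L3 firewall rule schema (assumed here).
    return {"comment": comment, "policy": policy, "protocol": protocol,
            "srcCidr": GUEST_SUBNET, "srcPort": "Any",
            "destCidr": dest_cidr, "destPort": dest_port,
            "syslogEnabled": policy == "deny"}

def build_rules():
    """Outbound rules in evaluation order (first match wins, implicit allow at the end)."""
    return [
        _rule("Guests may use our filtering DNS", "allow", "any", MY_DNS, "53"),
        _rule("Block plain DNS to anyone else", "deny", "any", "Any", "53"),
        _rule("Block DNS over TLS", "deny", "tcp", "Any", "853"),
        _rule("Block DoH to known public resolvers", "deny", "tcp", PUBLIC_RESOLVERS, "443"),
    ]

def _cidr_match(ip, spec):
    if spec.lower() == "any":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c.strip(), strict=False) for c in spec.split(","))

def evaluate(rules, src, dst, proto, dport):
    """Return the policy applied to a flow: first matching rule, else the MX default allow."""
    for r in rules:
        if r["protocol"] not in ("any", proto):
            continue
        port_ok = r["destPort"].lower() == "any" or dport == int(r["destPort"])
        if port_ok and _cidr_match(src, r["srcCidr"]) and _cidr_match(dst, r["destCidr"]):
            return r["policy"]
    return "allow"

if __name__ == "__main__":
    rules = build_rules()
    print(json.dumps({"rules": rules}, indent=2))  # body for the L3 firewall rules endpoint
    for dst, proto, port in [("192.168.10.5", "udp", 53), ("8.8.8.8", "udp", 53),
                             ("1.1.1.1", "tcp", 443), ("93.184.216.34", "tcp", 443)]:
        print(f"guest -> {dst}:{port}/{proto}: {evaluate(rules, '192.168.50.20', dst, proto, port)}")
```

The evaluator also shows the limit the answer points out: DoH to a resolver that is not in the list still reaches port 443 and is allowed, so the list needs maintaining and guests who pick such a resolver simply bypass the filter.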
The fix is to block all DNS (port 53) outbound on your firewall; this should solve that. However, you also state that you don't want to do this in case a guest wants to use a DNS server other than your own, which seems contradictory to your original request.
To better word this. My goal is to redirect all dns traffic vs blocking it.
>To better word this. My goal is to redirect all dns traffic vs blocking it.
You won't be able to do this with Meraki kit.
Like Phillip said, that's not a thing Meraki does. The MX content filter can provide non-DNS-based content filtering, but you're not going to be able to hijack people's DNS wholesale.
If there is budget, an Umbrella license can be added to a Meraki environment to handle DNS security.
https://meraki.cisco.com/lib/pdf/meraki_whitepaper_mr_umbrella.pdf
and
https://umbrella.cisco.com/meraki
-R
> @RaymondDoucette wrote: If there is budget, an Umbrella license can be added to a Meraki environment to handle DNS security.
> https://meraki.cisco.com/lib/pdf/meraki_whitepaper_mr_umbrella.pdf
> and
> https://umbrella.cisco.com/meraki
> -R
From what I know that just 'gives' you the ability to use Cisco Umbrella directly tied into Meraki wireless. This wouldn't stop someone on the wireless from manually changing their DNS to something else and then Umbrella blocking that from working (or would it?).
> @NolanHerring wrote:
> > @RaymondDoucette wrote: If there is budget, an Umbrella license can be added to a Meraki environment to handle DNS security.
> > https://meraki.cisco.com/lib/pdf/meraki_whitepaper_mr_umbrella.pdf
> > and
> > https://umbrella.cisco.com/meraki
> > -R
> From what I know that just 'gives' you the ability to use Cisco Umbrella directly tied into Meraki wireless. This wouldn't stop someone on the wireless from manually changing their DNS to something else and then Umbrella blocking that from working (or would it?).
I'd be surprised if it impacted manually configured DNS. For example, I've got the Umbrella roaming client on my PC. I can manually change my DNS and poof, no more Umbrella policies in effect.
MR implements Umbrella as an SSID-bound policy that forces all DNS traffic (except whitelisted domains) to the Umbrella cloud. It's more difficult to circumvent than client-based DNS settings.
There are also mechanisms to mitigate DNS over HTTPS and TLS based workarounds.
Umbrella integration with MX is also available.
