We have set up an SSID that uses Meraki NAT mode using 10.x.x.x DHCP. We have set up content filtering to use a custom DNS of our internal DNS servers to resolve.
We have set up L2 rules in Firewall & Traffic Shaping to allow this SSID's clients access to these servers and the local Win2012R2 DNS server on port 53 TCP & UDP.
Most devices seem to work fine. However some Android devices seem to bypass this and go out to the Meraki DNS 10.254.254.254 and cannot resolve the internal server name.
We understand after some reading that some Android versions with particular security updates seem to force connection to encrypted DNS servers (Meraki) ahead of our local DNS server. We have tried to block all ports and protocols to 10.128.128.128, but this does not seem to force the use of the local DNS server. The IP address of our WiFi-connected clients' PDNS is still 10.128.128.128 rather than local.
Any thoughts as to what we can do to force clients to local DNS servers?
Many thanks