
block all internet DNS services except 3

Hello,

We want our LAN users to not be able to change the DNS settings on their computers or browsers to use other DNS services available on the web. We want to only allow access to these two DNS servers: 208.67.222.222 and 208.67.220.220 (these are OpenDNS servers).

How can we set up a firewall rule to block all DNS services, except if that service is reaching A) the Sophos firewall itself, or B) these 2 IPs, 208.67.222.222 and 208.67.220.220?

  • Chrome, Edge, Firefox, and Win10 all now support DoH.

    Chrome, Edge, Win10 – use DoH but keep your current DNS.

    Firefox – uses DoH and changes DNS to Cloudflare.

    However, it appears DoH uses a URL to look up DNS.

    Therefore, if you BLOCK proxy/anonymizer in OpenDNS, then DoH will be blocked for all other DNS providers except OpenDNS!

    I tested this with Chrome, Edge, FF, and tried to get it to resolve using DoH/secure DNS set to another server, and it would not let me bypass OpenDNS. So that is good.

    This document does appear to be true:

    https://umbrella.cisco.com/blog/doh-whats-all-the-fuss-about-dns-over-https

    But I don't know what would happen if the user first changes to a wrong DNS that was blocked, then tries to change browsers to use an alternate DoH site. I will test that.

  • That's a completely different scenario from your post.

    By then, you should look at getting a list of those URLs being used for DoH & DoT, then create a URL Group and block them directly with a Web Filtering Policy.

    The Firewall will look at the SNI of those connections and block them through DPI; or if you're doing TLS Decryption, you can block those requests through MIME Type.

    More information can be found at: support.sophos.com/.../KB-000039056

  • I tested this and thankfully am not able to circumvent it by manually choosing DoH in browsers. DoH requires underlying DNS to find the DoH URL where lookups are at. If you have those blocked in proxy at OpenDNS, there is no easy way to use DoH. So blocking all other DNS except what you want, and then also blocking proxy-type connections in the ones allowed, does the trick.

  • So you're not actually controlling user access with firewall rules that specify certain ports?

    Block DNS would be your top LAN to WAN firewall rule.

    In the XG DNS settings, you select the DNS server you wish to use.

    Ian


    e3-1225v5 - V18.5.x 6GB RAM, 4 USB ports, and a 20W power supply.
    3 AP55s and 2 APX120s are on vacation until a software update is available.
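The rule design the thread converges on (a top LAN-to-WAN rule that blocks DNS unless the destination is the firewall itself or one of the two OpenDNS resolvers, plus blocking known DoH endpoints by SNI through a URL group) written out as a small policy-audit script over connection records. This is an added example, not code from the thread or from Sophos; the firewall's LAN address, the DoH hostname list, the log line format and the sample log are all assumptions.

```python
import re
from typing import NamedTuple

FIREWALL_IP = "192.168.1.1"  # assumed LAN address of the firewall (its own DNS service)
ALLOWED_RESOLVERS = {"208.67.222.222", "208.67.220.220"}  # OpenDNS, from the thread
DNS_PORTS = {53, 853}  # plain DNS and DNS-over-TLS
# Placeholder URL group for DoH endpoints; populate it from your own list of DoH/DoT hosts.
DOH_HOSTS = {"doh.example-resolver.invalid"}

class Conn(NamedTuple):
    src: str
    dst: str
    dport: int
    proto: str
    sni: str

def verdict(c: Conn) -> str:
    """Rule order from the thread: DNS exceptions first, then the blanket block."""
    if c.dport in DNS_PORTS:
        if c.dst == FIREWALL_IP or c.dst in ALLOWED_RESOLVERS:
            return "allow"
        return "block-dns"  # the top LAN-to-WAN 'Block DNS' rule
    if c.dport == 443 and c.sni in DOH_HOSTS:
        return "block-doh"  # SNI matched a hostname in the DoH URL group
    return "allow"

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) proto=(\S+)(?: sni=(\S+))?")

def parse_line(line: str) -> Conn:
    m = LINE_RE.search(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    src, dst, dport, proto, sni = m.groups()
    return Conn(src, dst, int(dport), proto, sni or "")

# Constructed sample connection log (documentation-range addresses), not real firewall output.
SAMPLE_LOG = """\
src=10.0.0.5 dst=192.168.1.1 dport=53 proto=udp
src=10.0.0.5 dst=208.67.222.222 dport=53 proto=udp
src=10.0.0.7 dst=198.51.100.53 dport=53 proto=udp
src=10.0.0.7 dst=198.51.100.53 dport=853 proto=tcp
src=10.0.0.9 dst=203.0.113.10 dport=443 proto=tcp sni=doh.example-resolver.invalid
src=10.0.0.9 dst=203.0.113.20 dport=443 proto=tcp sni=www.example.com
"""

def audit(log: str) -> list:
    """Return (src, dst, dport, verdict) for each connection the policy would block."""
    return [(c.src, c.dst, c.dport, verdict(c))
            for c in map(parse_line, log.splitlines()) if verdict(c) != "allow"]
```

Running `audit(SAMPLE_LOG)` flags the two lookups to the foreign resolver (plain DNS and DoT) and the one TLS connection whose SNI is in the DoH group, while the queries to the firewall and to OpenDNS pass.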