
Firewall rule to force users to use OpenDNS

I heard a good tip recently where you can set up a packet filter rule that only allows UDP port 53 to connect to OpenDNS servers. A smart user could go into the network TCP/IP properties on their PC and bypass the DNS settings in ASG. The rule above would prevent their computer from connecting to any non-OpenDNS IP. I wanted to test this on my machine, so I looked at my firewall rules and didn't find anything that allowed port 53 in the first place, so it seemed to me I don't need a new rule. I assumed that in my configuration the ASG box is pointing to the DNS server, so a firewall rule doesn't apply here. I expected that when I changed the DNS setting in my computer, I would not be able to get to any websites. Well, I was able to surf the web just fine. My question is, why is Astaro allowing this to work? Maybe there is a default packet filter rule that was created when I installed (ver 7) that is allowing this port, but it's just not obvious by looking at the rules. Of all the rules I added, I never added any rule that did anything with this port.

--Scott


  • Are you using the ASL HTTP proxy? It will look up DNS using the ASL DNS....
  • I don't know what ASL is. Is it another Astaro product? I'm using Astaro Security Gateway v7.301. I do use the HTTP proxy.
  • Scott, just don't allow any DNS through the Astaro.  Force the clients to use the Astaro DNS Proxy, and set the forwarders on the Astaro DNS settings to OpenDNS servers.  That's the simple solution.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

  • Oh, and "ASL" and ASG Software are the same thing; Astaro used to call their software-license-only product Astaro Security Linux (ASL), but they started calling both the Appliance and the license-only product ASG .... some of us (me included sometimes) still call the software license version "ASL."


  • How do I not allow any DNS through the Astaro?
  • Do not have a packet filter rule that allows DNS, or "ANY", from the internal network to the outside world. By default, if traffic is not allowed via a packet filter, it is dropped.

    Alternatively, define an Internal Network -> DNS -> ANY Drop rule, and put it at the top of the packet filter list.

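The packet filter behaviour the reply relies on (ordered rules, first match wins, default drop) can be checked with a small model. This is an added example, not Astaro code; the addresses are constructed, and the "HTTP"/"DNS" service names stand in for the ASG service definitions. It shows why no DNS rule is needed when only HTTP is allowed out, why a broad "ANY" allow rule opens a DNS bypass, and why the Drop rule only works when it sits above that allow rule.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed addresses for this example (not from the thread).
INTERNAL = ip_network("192.168.1.0/24")          # the "Internal Network" object
CLIENT = ip_address("192.168.1.50")              # PC whose user changed its DNS settings
EXTERNAL_RESOLVER = ip_address("203.0.113.53")   # some non-OpenDNS resolver on the Internet
WEB_SERVER = ip_address("198.51.100.80")         # a public web server

@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "drop"
    src: Optional[IPv4Network]   # None means ANY
    service: Optional[str]       # "DNS", "HTTP", ...; None means ANY
    dst: Optional[IPv4Address]   # None means ANY

def decide(rules: list[Rule], src: IPv4Address, dst: IPv4Address, service: str) -> str:
    """Ordered packet filter: the first matching rule wins; traffic that matches
    no rule is dropped, which is the ASG default the reply describes."""
    for r in rules:
        if r.src is not None and src not in r.src:
            continue
        if r.service is not None and r.service != service:
            continue
        if r.dst is not None and r.dst != dst:
            continue
        return r.action
    return "drop"

def dns_bypass_possible(rules: list[Rule]) -> bool:
    """True if a LAN client can send DNS straight to an outside resolver."""
    return decide(rules, CLIENT, EXTERNAL_RESOLVER, "DNS") == "allow"

# 1. Only HTTP allowed out: no DNS rule exists, so the default drop stops the lookup.
HTTP_ONLY = [Rule("allow", INTERNAL, "HTTP", None)]
# 2. A broad "Internal Network -> ANY -> ANY" allow rule lets the client reach any resolver.
ANY_OUT = [Rule("allow", INTERNAL, None, None)]
# 3. The fix from the thread: "Internal Network -> DNS -> ANY Drop" at the TOP of the list.
ANY_OUT_WITH_DNS_DROP = [Rule("drop", INTERNAL, "DNS", None)] + ANY_OUT
# 4. The same Drop rule placed BELOW the allow rule never matches: order matters.
ANY_OUT_WITH_LATE_DROP = ANY_OUT + [Rule("drop", INTERNAL, "DNS", None)]

if __name__ == "__main__":
    for name, rules in [("HTTP only", HTTP_ONLY), ("ANY out", ANY_OUT),
                        ("ANY out + DNS drop on top", ANY_OUT_WITH_DNS_DROP),
                        ("ANY out + DNS drop below", ANY_OUT_WITH_LATE_DROP)]:
        print(f"{name:28} DNS bypass possible: {dns_bypass_possible(rules)}")
```

Web browsing through the proxy is unaffected in every case because the gateway resolves names itself; only the client's direct lookups are dropped.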
