Forum Discussion
dgordon11, Aspirant
Jul 24, 2017
SRX5308 Block External DNS
I have a small office of engineers. I use OpenDNS as a web filter. Some of them have figured out that if they change their DNS settings to point to an external DNS server, they can browse the web unfiltered. I would like to block all port 53 traffic outbound, and allow only port 53 traffic to the OpenDNS servers (208.67.222.222 & 208.67.220.220). Not all PCs are added to the domain, so forcing a GPO will not work. I would like to do this on the router.
I have created the attached rules, but they are not working (I know in the screenshot they are disabled).
What am I missing?
3 Replies
DaneA, NETGEAR Employee Retired
Hi dgordon11,
Welcome to the community! :)
Let us try this. Here are the steps below:
1. On the web-GUI of the SRX5308, go to Security > Firewall > LAN WAN Rules.
2. Change the Default Outbound Policy to Block Always then click the Apply button beside it.
3. Based on the screenshot you have posted, delete the Service Name "DNS:TCP", because DNS servers listen on UDP port 53.
4. Enable the "DNS:UDP" Service Name you have configured.
5. Check if it works.
For reference, kindly read pages 145-146 of the SRX5308 reference manual here, on Changing the Default Outbound Policy and Existing IPv4 Rules.
Regards,
DaneA
NETGEAR Community Team

dgordon11, Aspirant
DaneA,
Thanks for the response.
I found the solution there:
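The rule mechanics behind DaneA's steps, as an added example that is not part of the thread and not NETGEAR code: a small model of an ordered LAN-to-WAN rule table like the SRX5308's, where the first matching rule wins and the Default Outbound Policy decides anything unmatched. The rule sets and client flows are constructed here. They show why allow rules for OpenDNS do nothing on their own while the default stays Allow Always (the original poster's symptom), how Block Always changes that (and then needs its own allow rules for ordinary traffic, so the two web rules are an assumption about what such an office would add), and, as an alternative that keeps Allow Always, an explicit catch-all DNS block placed after the allows, which also covers TCP/53 since DNS uses TCP as well as UDP. Rule order is checked too: the same block placed before the allows shuts out OpenDNS.

```python
"""Model of an ordered LAN->WAN firewall policy (first match wins, then
the default outbound policy applies). Added example, not NETGEAR code;
all rules, IPs and flows below are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

OPENDNS = ("208.67.222.222", "208.67.220.220")  # resolvers named in the thread
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    action: str            # "ALLOW" or "BLOCK"
    proto: str             # "UDP", "TCP" or "ANY"
    dport: Optional[int]   # destination port, None = any port
    dst: str = ANY         # destination network in CIDR notation


@dataclass(frozen=True)
class Flow:
    proto: str
    dport: int
    dst: str               # destination IP the LAN client is talking to


def matches(rule: Rule, flow: Flow) -> bool:
    """Protocol, port and destination must all match for a rule to fire."""
    if rule.proto != "ANY" and rule.proto != flow.proto:
        return False
    if rule.dport is not None and rule.dport != flow.dport:
        return False
    return ip_address(flow.dst) in ip_network(rule.dst, strict=False)


def evaluate(rules, default_policy: str, flow: Flow) -> str:
    """Ordered, first-match evaluation; fall through to the default policy."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action
    return default_policy


def allow_opendns():
    return [Rule("ALLOW", "UDP", 53, f"{ip}/32") for ip in OPENDNS]


# Policy 1: the original poster's situation. Allow rules only, Default
# Outbound Policy still Allow Always. Nothing in here ever says BLOCK.
ALLOW_RULES_ONLY = (allow_opendns(), "ALLOW")

# Policy 2: DaneA's fix, Default Outbound Policy = Block Always. Every
# other service the office needs now requires its own allow rule; the
# two web rules are an assumed example of such rules.
DEFAULT_BLOCK = (allow_opendns() + [Rule("ALLOW", "TCP", 80),
                                    Rule("ALLOW", "TCP", 443)], "BLOCK")

# Policy 3: keep Allow Always but add a catch-all DNS block AFTER the
# allows. "ANY" protocol covers TCP/53 too, since DNS also runs over TCP.
ALLOW_THEN_BLOCK_DNS = (allow_opendns() + [Rule("BLOCK", "ANY", 53)], "ALLOW")

# Same rules with the block placed first: OpenDNS is then blocked as well.
BLOCK_DNS_THEN_ALLOW = ([Rule("BLOCK", "ANY", 53)] + allow_opendns(), "ALLOW")

# Constructed client traffic: the sanctioned resolver, a rogue public
# resolver over UDP and over TCP, and ordinary HTTPS browsing (TEST-NET-3 IP).
FLOWS = {
    "opendns_udp": Flow("UDP", 53, "208.67.222.222"),
    "rogue_udp": Flow("UDP", 53, "8.8.8.8"),
    "rogue_tcp": Flow("TCP", 53, "8.8.8.8"),
    "https": Flow("TCP", 443, "203.0.113.10"),
}


def decisions(policy) -> dict:
    """Return {flow name: ALLOW/BLOCK} for every sample flow under a policy."""
    rules, default = policy
    return {name: evaluate(rules, default, flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, policy in [("allow rules only", ALLOW_RULES_ONLY),
                          ("default block", DEFAULT_BLOCK),
                          ("allow then block DNS", ALLOW_THEN_BLOCK_DNS),
                          ("block DNS then allow", BLOCK_DNS_THEN_ALLOW)]:
        print(f"{label:22s} {decisions(policy)}")
```

Whichever variant is used, the check from a client that is not on the domain is the same: a query sent directly to a resolver other than 208.67.222.222 or 208.67.220.220 must time out, while a query to OpenDNS still answers.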