Solved

Force All DNS traffic to OpenDns

Posted on 2013-06-04
8
2,142 Views
Last Modified: 2013-09-18
I have a Fortigate firewall.  I currently use OpenDns for my web content filter.  I need to force all traffic on my network to use the OpenDns DNS servers (208.67.222.222). I need to create an Access Rule that would block all activity on port 53 except OpenDns.  Would this route traffic to OpenDNS's server address?  What are the steps to make this work?
Question by:abuhaneef
8 Comments
 
LVL 28

Expert Comment

by:asavener
ID: 39219132
Best practice would be:

Set up DNS server(s) on your network with forwarder set to OpenDNS.
Set up clients to use your local DNS server.
Block all DNS queries that do not originate from your DNS server(s).

I would also suggest setting a forwarding timeout before performing a recursive lookup.  (This allows DNS to continue working if OpenDNS becomes slow or unresponsive.)
 
LVL 8

Expert Comment

by:d0ughb0y
ID: 39219133
It wouldn't exactly force it the way you might think. What it would do is break DNS for anyone NOT using that server. The only way they could get DNS to work would be TO use it. That's not quite the same thing.
 
LVL 3

Expert Comment

by:Hir0
ID: 39219787
If you're locking down outbound DNS, make sure you're allowing both UDP AND TCP port 53.  Be sure to configure DNS security per this document:

http://www.networkworld.com/community/blog/allow-both-tcp-and-udp-port-53-your-dns-serve
 
LVL 28

Expert Comment

by:asavener
ID: 39219829
1

Author Comment

by:abuhaneef
ID: 39220441
My DNS server is a Server 2008 box.  The first items are in place:
     Set up DNS server(s) on your network with forwarder set to OpenDNS.
     Set up clients to use your local DNS server.
Not sure how to accomplish the third
     Block all DNS queries that do not originate from your DNS server(s).
 
LVL 8

Accepted Solution

by:
d0ughb0y earned 300 total points
ID: 39222031
That's essentially what you were suggesting in the first place. You allow TCP & UDP port 53 out only to the OpenDNS server. I would set up your DHCP so that your workstations first use your internal DNS server, and then use the OpenDNS server as the secondary - that way, if your server goes down for some reason, they'll still be able to get to the Internet, but still be limited to sending DNS queries through OpenDNS.

Normal operation would be that the clients would make DNS requests to the internal server, and if that doesn't have the answers, it would forward the request out to OpenDNS.
 
LVL 3

Expert Comment

by:Hir0
ID: 39222070
Doughboy is right.  You'll screw up your client-server DNS queries if you give the clients a WAN-based DNS.  All local queries would end up going to opendns,  which would break quite a bit...
 
LVL 28

Expert Comment

by:asavener
ID: 39222119
Set up a rule on the Fortigate to block all TCP and UDP 53 traffic, and put in exceptions for your DNS servers.
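The rule ordering the accepted solution and asavener's last comment describe can be checked before it is typed into the Fortigate. The following Python model is an added example, not code from this thread or from Fortinet: it evaluates first-match rules (accept the internal DNS server and, as the fallback d0ughb0y suggested, the clients themselves towards OpenDNS on port 53, deny every other port-53 flow, then allow general outbound traffic, with an implicit deny at the end) over constructed flows. The inside network 192.168.1.0/24, the DNS server at 192.168.1.10 and the client addresses are assumptions; only 208.67.222.222 and 208.67.220.220 come from OpenDNS. The `udp_only_variant` helper shows what Hir0's point about TCP means in practice: if the block rule covers UDP only, a TCP/53 query to an outside resolver falls through to the general allow rule.

```python
"""Model of the outbound DNS policy discussed in the thread (added example).

Rules are evaluated first-match, FortiOS style, with an implicit deny at the
end.  Addresses other than OpenDNS's resolvers are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, Iterable, Optional, Sequence, Tuple

UDP, TCP = 17, 6
ANY = ip_network("0.0.0.0/0")
LAN = ip_network("192.168.1.0/24")            # assumption: the inside network
INTERNAL_DNS = ip_network("192.168.1.10/32")  # assumption: the Server 2008 DNS box
OPENDNS = [ip_network("208.67.222.222/32"), ip_network("208.67.220.220/32")]
DNS_PORT = frozenset({53})
UDP_AND_TCP = frozenset({UDP, TCP})


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "accept" or "deny"
    src: Sequence[IPv4Network]
    dst: Sequence[IPv4Network]
    protos: Optional[frozenset]      # None = any IP protocol
    dports: Optional[frozenset]      # None = any destination port

    def matches(self, f: Flow) -> bool:
        s, d = ip_address(f.src), ip_address(f.dst)
        return (any(s in n for n in self.src)
                and any(d in n for n in self.dst)
                and (self.protos is None or f.proto in self.protos)
                and (self.dports is None or f.dport in self.dports))


def evaluate(policy: Sequence[Rule], f: Flow) -> Tuple[str, str]:
    """Return (action, rule name) of the first matching rule, or the implicit deny."""
    for rule in policy:
        if rule.matches(f):
            return rule.action, rule.name
    return "deny", "implicit-deny"


# Order matters: the DNS deny must sit above the general outbound allow.
POLICY = [
    Rule("dns-server-to-opendns", "accept", [INTERNAL_DNS], OPENDNS, UDP_AND_TCP, DNS_PORT),
    Rule("clients-fallback-opendns", "accept", [LAN], OPENDNS, UDP_AND_TCP, DNS_PORT),
    Rule("block-other-dns", "deny", [LAN], [ANY], UDP_AND_TCP, DNS_PORT),
    Rule("allow-outbound", "accept", [LAN], [ANY], None, None),
]


def udp_only_variant(policy: Sequence[Rule]) -> list:
    """Same policy, but with the block rule mistakenly limited to UDP."""
    return [Rule(r.name, r.action, r.src, r.dst, frozenset({UDP}), r.dports)
            if r.name == "block-other-dns" else r for r in policy]


def audit(policy: Sequence[Rule], flows: Iterable[Flow]) -> Dict[Flow, Tuple[str, str]]:
    """Map each flow to the verdict the policy would give it."""
    return {f: evaluate(policy, f) for f in flows}


# Constructed sample flows: a workstation at .50 and the DNS server at .10.
SAMPLE_FLOWS = [
    Flow("192.168.1.50", "8.8.8.8", UDP, 53),         # client bypassing the local resolver
    Flow("192.168.1.50", "8.8.8.8", TCP, 53),         # same bypass over TCP
    Flow("192.168.1.50", "208.67.222.222", UDP, 53),  # client using the OpenDNS fallback
    Flow("192.168.1.10", "208.67.222.222", TCP, 53),  # forwarder traffic from the DNS server
    Flow("192.168.1.50", "203.0.113.7", TCP, 443),    # ordinary web traffic
]

if __name__ == "__main__":
    for flow, (action, rule) in audit(POLICY, SAMPLE_FLOWS).items():
        print(f"{flow.src:>14} -> {flow.dst:<16} proto={flow.proto:<2} dport={flow.dport:<4} {action:<6} ({rule})")
    print("UDP-only block leaks TCP/53:",
          evaluate(udp_only_variant(POLICY), SAMPLE_FLOWS[1]))
```

Running the script lists the verdict and matching rule for each flow; the two bypass attempts are denied by `block-other-dns` while forwarder and fallback traffic to OpenDNS is accepted. The same ordering applies on the Fortigate: the port-53 deny policy, with its exceptions above it, has to be placed before the general outbound policy.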