Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Force All DNS traffic to OpenDns

Posted on 2013-06-04
8
Medium Priority
?
2,815 Views
Last Modified: 2013-09-18
I have a Fortigate firewall.  I currently use OpenDns for my web content filter.  I need to force all traffic on my network to use the OpenDns DNS servers (208.67.222.222). I need to create an Access Rule that would blocked all activity on port 53 except OpenDns.  Would this route traffic to OpenDNS's server address?  What are the steps to make this work?
0
Comment
Question by:abuhaneef
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 28

Expert Comment

by:asavener
ID: 39219132
Best practice would be:

Set up DNS server(s) on your network with forwarder set to OpenDNS.
Set up clients to use your local DNS server.
Block all DNS queries that do not originate from your DNS server(s).

I would also suggest setting a forwarding timeout before performing a recursive lookup.  (This allows DNS to continue working if OpenDNS becomes slow or unresponsive.)
0
 
LVL 8

Expert Comment

by:d0ughb0y
ID: 39219133
It wouldn't exactly force it the way you might think. What it would do is break DNS for anyone NOT using that server. The only way they could get DNS to work would be TO use it. That's not quite the same thing.
0
 
LVL 3

Expert Comment

by:Hir0
ID: 39219787
If your locking down outbound DNS make sure your allowing both UDP AND TCP port 53.  Be sure to configure DNS security per this document:

http://www.networkworld.com/community/blog/allow-both-tcp-and-udp-port-53-your-dns-serve
0
NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

 
LVL 28

Expert Comment

by:asavener
ID: 39219829
1
0
 

Author Comment

by:abuhaneef
ID: 39220441
My DNS server is a Server 2008 box.  The first items are in place:
     Set up DNS server(s) on your network with forwarder set to OpenDNS.
     Set up clients to use your local DNS server.
Not sure how to accomplish the third
     Block all DNS queries that do not originate from your DNS server(s).
0
 
LVL 8

Accepted Solution

by:
d0ughb0y earned 1200 total points
ID: 39222031
That's essentially what you were suggesting in the first place. You allow TCP & UDP port 53 out only to the OpenDNS server. I would set up your DHCP so that your workstations first use your internal DNS server, and then use the OpenDNS server as the secondary - that way, if your server goes down for some reason, they'll still be able to get to the Internet, but still be limited to sending DNS queries through OpenDNS.

Normal operation would be that the clients would make DNS requests to the internal server, and if that doesn't have the answers, it would forward the request out to OpenDNS.
0
 
LVL 3

Expert Comment

by:Hir0
ID: 39222070
Doughboy is right.  You'll screw up your client server DNA queries if you give the clients a WAN based dns.  All local queries would end up going to opendns,  which would break quite a bit...
0
 
LVL 28

Expert Comment

by:asavener
ID: 39222119
Set up a rule on the Fortigate to block all TCP and UDP 53 traffic, and put in exceptions for your DNS servers.
0

Featured Post

Create the perfect environment for any meeting

You might have a modern environment with all sorts of high-tech equipment, but what makes it worthwhile is how you seamlessly bring together the presentation with audio, video and lighting. The ATEN Control System provides integrated control and system automation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Envision that you are chipping away at another e-business site with a team of pundit developers and designers. Everything seems, by all accounts, to be going easily.
Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…

715 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question