Solved

Force All DNS traffic to OpenDns

Posted on 2013-06-04
Last Modified: 2013-09-18
I have a Fortigate firewall.  I currently use OpenDns for my web content filter.  I need to force all traffic on my network to use the OpenDns DNS servers (208.67.222.222). I need to create an Access Rule that would block all activity on port 53 except OpenDns.  Would this route traffic to OpenDNS's server address?  What are the steps to make this work?
Question by:abuhaneef
 
LVL 28

Expert Comment

by:asavener
ID: 39219132
Best practice would be:

Set up DNS server(s) on your network with forwarder set to OpenDNS.
Set up clients to use your local DNS server.
Block all DNS queries that do not originate from your DNS server(s).

I would also suggest setting a forwarding timeout before performing a recursive lookup.  (This allows DNS to continue working if OpenDNS becomes slow or unresponsive.)
0
 
LVL 8

Expert Comment

by:d0ughb0y
ID: 39219133
It wouldn't exactly force it the way you might think. What it would do is break DNS for anyone NOT using that server. The only way they could get DNS to work would be TO use it. That's not quite the same thing.
0
 
LVL 3

Expert Comment

by:Hir0
ID: 39219787
If you're locking down outbound DNS, make sure you're allowing both UDP AND TCP port 53.  Be sure to configure DNS security per this document:

http://www.networkworld.com/community/blog/allow-both-tcp-and-udp-port-53-your-dns-serve
0
 
LVL 28

Expert Comment

by:asavener
ID: 39219829
1
0
 

Author Comment

by:abuhaneef
ID: 39220441
My DNS server is a Server 2008 box.  The first items are in place:
     Set up DNS server(s) on your network with forwarder set to OpenDNS.
     Set up clients to use your local DNS server.
Not sure how to accomplish the third
     Block all DNS queries that do not originate from your DNS server(s).
0
 
LVL 8

Accepted Solution

by:
d0ughb0y earned 300 total points
ID: 39222031
That's essentially what you were suggesting in the first place. You allow TCP & UDP port 53 out only to the OpenDNS server. I would set up your DHCP so that your workstations first use your internal DNS server, and then use the OpenDNS server as the secondary - that way, if your server goes down for some reason, they'll still be able to get to the Internet, but still be limited to sending DNS queries through OpenDNS.

Normal operation would be that the clients would make DNS requests to the internal server, and if that doesn't have the answers, it would forward the request out to OpenDNS.
0
 
LVL 3

Expert Comment

by:Hir0
ID: 39222070
Doughboy is right.  You'll screw up your client server DNS queries if you give the clients a WAN based DNS.  All local queries would end up going to OpenDNS, which would break quite a bit...
0
 
LVL 28

Expert Comment

by:asavener
ID: 39222119
Set up a rule on the Fortigate to block all TCP and UDP 53 traffic, and put in exceptions for your DNS servers.
0
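
One way to check the block-with-exceptions rule once it is in place, as an added example that is not part of the original thread: it reads firewall traffic-log lines and reports port 53 flows that were accepted outside the policy, plus the clients whose direct DNS is now being denied. The sample lines are constructed, and the key=value layout, the field names (`srcip`, `dstip`, `dstport`, `proto`, `action`) and the internal DNS server address 192.168.1.10 are assumptions to adjust to your own logs.

```python
import re
from collections import Counter

OPENDNS = {"208.67.222.222"}        # resolver named in the question
INTERNAL_DNS = {"192.168.1.10"}     # assumption: address of the internal DNS server
PROTOS = {"6": "tcp", "17": "udp"}  # IP protocol numbers in the proto= field

# Constructed sample lines; key=value layout and field names are assumptions.
SAMPLE_LOG = """\
date=2013-06-04 time=10:15:01 srcip=192.168.1.10 dstip=208.67.222.222 dstport=53 proto=17 action=accept
date=2013-06-04 time=10:15:02 srcip=192.168.1.10 dstip=208.67.222.222 dstport=53 proto=6 action=accept
date=2013-06-04 time=10:15:07 srcip=192.168.1.57 dstip=8.8.8.8 dstport=53 proto=17 action=deny
date=2013-06-04 time=10:15:09 srcip=192.168.1.57 dstip=8.8.8.8 dstport=53 proto=17 action=deny
date=2013-06-04 time=10:16:30 srcip=192.168.1.88 dstip=4.2.2.2 dstport=53 proto=6 action=accept
date=2013-06-04 time=10:16:31 srcip=192.168.1.57 dstip=93.184.216.34 dstport=443 proto=6 action=accept
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Split one key=value log line into a dict, dropping optional quotes."""
    return {key: value.strip('"') for key, value in FIELD.findall(line)}

def audit(log_text):
    """Return (bypasses, blocked) for port-53 flows over TCP or UDP.

    bypasses: accepted flows that are not internal DNS server -> OpenDNS,
              i.e. a gap in the rules (for example a rule covering UDP only).
    blocked:  Counter of sources whose DNS was denied, i.e. clients with a
              hard-coded resolver that will look broken until reconfigured.
    """
    bypasses, blocked = [], Counter()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec.get("dstport") != "53" or rec.get("proto") not in PROTOS:
            continue
        src, dst = rec.get("srcip"), rec.get("dstip")
        sanctioned = src in INTERNAL_DNS and dst in OPENDNS
        if rec.get("action") == "accept":
            if not sanctioned:
                bypasses.append((src, dst, PROTOS[rec["proto"]]))
        else:
            blocked[src] += 1
    return bypasses, blocked

if __name__ == "__main__":
    found, denied = audit(SAMPLE_LOG)
    print("accepted DNS outside policy:", found)
    print("clients with blocked DNS:", dict(denied))
```

An empty first list means no DNS is leaving except from the internal server to OpenDNS; the second list names the machines that need their resolver setting corrected.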


Question has a verified solution.
