Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

Force All DNS traffic to OpenDns

Posted on 2013-06-04
8
Medium Priority
?
3,013 Views
Last Modified: 2013-09-18
I have a Fortigate firewall.  I currently use OpenDns for my web content filter.  I need to force all traffic on my network to use the OpenDns DNS servers (208.67.222.222). I need to create an Access Rule that would blocked all activity on port 53 except OpenDns.  Would this route traffic to OpenDNS's server address?  What are the steps to make this work?
0
Comment
Question by:abuhaneef
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 28

Expert Comment

by:asavener
ID: 39219132
Best practice would be:

Set up DNS server(s) on your network with forwarder set to OpenDNS.
Set up clients to use your local DNS server.
Block all DNS queries that do not originate from your DNS server(s).

I would also suggest setting a forwarding timeout before performing a recursive lookup.  (This allows DNS to continue working if OpenDNS becomes slow or unresponsive.)
0
 
LVL 8

Expert Comment

by:d0ughb0y
ID: 39219133
It wouldn't exactly force it the way you might think. What it would do is break DNS for anyone NOT using that server. The only way they could get DNS to work would be TO use it. That's not quite the same thing.
0
 
LVL 3

Expert Comment

by:Hir0
ID: 39219787
If your locking down outbound DNS make sure your allowing both UDP AND TCP port 53.  Be sure to configure DNS security per this document:

http://www.networkworld.com/community/blog/allow-both-tcp-and-udp-port-53-your-dns-serve
0
Who's Defending Your Organization from Threats?

Protecting against advanced threats requires an IT dream team – a well-oiled machine of people and solutions working together to defend your organization. Download our resource kit today to learn more about the tools you need to build you IT Dream Team!

 
LVL 28

Expert Comment

by:asavener
ID: 39219829
1
0
 

Author Comment

by:abuhaneef
ID: 39220441
My DNS server is a Server 2008 box.  The first items are in place:
     Set up DNS server(s) on your network with forwarder set to OpenDNS.
     Set up clients to use your local DNS server.
Not sure how to accomplish the third
     Block all DNS queries that do not originate from your DNS server(s).
0
 
LVL 8

Accepted Solution

by:
d0ughb0y earned 1200 total points
ID: 39222031
That's essentially what you were suggesting in the first place. You allow TCP & UDP port 53 out only to the OpenDNS server. I would set up your DHCP so that your workstations first use your internal DNS server, and then use the OpenDNS server as the secondary - that way, if your server goes down for some reason, they'll still be able to get to the Internet, but still be limited to sending DNS queries through OpenDNS.

Normal operation would be that the clients would make DNS requests to the internal server, and if that doesn't have the answers, it would forward the request out to OpenDNS.
0
 
LVL 3

Expert Comment

by:Hir0
ID: 39222070
Doughboy is right.  You'll screw up your client server DNA queries if you give the clients a WAN based dns.  All local queries would end up going to opendns,  which would break quite a bit...
0
 
LVL 28

Expert Comment

by:asavener
ID: 39222119
Set up a rule on the Fortigate to block all TCP and UDP 53 traffic, and put in exceptions for your DNS servers.
0

Featured Post

Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Examines three attack vectors, specifically, the different types of malware used in malicious attacks, web application attacks, and finally, network based attacks.  Concludes by examining the means of securing and protecting critical systems and inf…
Each password manager has its own problems in dealing with certain websites and their login methods. In Part 1, I review the Top 5 Password Managers that I've found to be the best. In Part 2 we'll look at which ones co-exist together and why it'…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…
Suggested Courses

580 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question