Solved

Force All DNS traffic to OpenDns

Posted on 2013-06-04
8
2,490 Views
Last Modified: 2013-09-18
I have a Fortigate firewall.  I currently use OpenDns for my web content filter.  I need to force all traffic on my network to use the OpenDns DNS servers (208.67.222.222). I need to create an Access Rule that would blocked all activity on port 53 except OpenDns.  Would this route traffic to OpenDNS's server address?  What are the steps to make this work?
0
Comment
Question by:abuhaneef
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 28

Expert Comment

by:asavener
ID: 39219132
Best practice would be:

Set up DNS server(s) on your network with forwarder set to OpenDNS.
Set up clients to use your local DNS server.
Block all DNS queries that do not originate from your DNS server(s).

I would also suggest setting a forwarding timeout before performing a recursive lookup.  (This allows DNS to continue working if OpenDNS becomes slow or unresponsive.)
0
 
LVL 8

Expert Comment

by:d0ughb0y
ID: 39219133
It wouldn't exactly force it the way you might think. What it would do is break DNS for anyone NOT using that server. The only way they could get DNS to work would be TO use it. That's not quite the same thing.
0
 
LVL 3

Expert Comment

by:Hir0
ID: 39219787
If your locking down outbound DNS make sure your allowing both UDP AND TCP port 53.  Be sure to configure DNS security per this document:

http://www.networkworld.com/community/blog/allow-both-tcp-and-udp-port-53-your-dns-serve
0
Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

 
LVL 28

Expert Comment

by:asavener
ID: 39219829
1
0
 

Author Comment

by:abuhaneef
ID: 39220441
My DNS server is a Server 2008 box.  The first items are in place:
     Set up DNS server(s) on your network with forwarder set to OpenDNS.
     Set up clients to use your local DNS server.
Not sure how to accomplish the third
     Block all DNS queries that do not originate from your DNS server(s).
0
 
LVL 8

Accepted Solution

by:
d0ughb0y earned 300 total points
ID: 39222031
That's essentially what you were suggesting in the first place. You allow TCP & UDP port 53 out only to the OpenDNS server. I would set up your DHCP so that your workstations first use your internal DNS server, and then use the OpenDNS server as the secondary - that way, if your server goes down for some reason, they'll still be able to get to the Internet, but still be limited to sending DNS queries through OpenDNS.

Normal operation would be that the clients would make DNS requests to the internal server, and if that doesn't have the answers, it would forward the request out to OpenDNS.
0
 
LVL 3

Expert Comment

by:Hir0
ID: 39222070
Doughboy is right.  You'll screw up your client server DNA queries if you give the clients a WAN based dns.  All local queries would end up going to opendns,  which would break quite a bit...
0
 
LVL 28

Expert Comment

by:asavener
ID: 39222119
Set up a rule on the Fortigate to block all TCP and UDP 53 traffic, and put in exceptions for your DNS servers.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
QoS on Cisco router 10 60
Port to open for RDP connection to VM in DMZ ? 5 104
Quick start reading for Windows sysinternals 5 83
Esxi host disconnected in Vcenter 26 140
BIND is the most widely used Name Server. A Name Server is the one that translates a site name to it's IP address. There is a new bug in BIND (https://kb.isc.org/article/AA-01272), affecting all versions of BIND 9 from BIND 9.1.0 (inclusive) thro…
It’s 2016. Password authentication should be dead — or at least close to dying. But, unfortunately, it has not traversed Quagga stage yet. Using password authentication is like laundering hotel guest linens with a washboard — it’s Passé.
Finding and deleting duplicate (picture) files can be a time consuming task. My wife and I, our three kids and their families all share one dilemma: Managing our pictures. Between desktops, laptops, phones, tablets, and cameras; over the last decade…

751 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question