<div>
TCP and UDP 53. TCP is available for more than just zone transfers.<br />
<br />
If your web filtering service is based on DNS it would seem prudent to block access to other DNS servers otherwise getting around the filter is far too easy.<br />
<br />
With that options to get around it are reduced somewhat. Those still include services which might use alternate ports, or tunneling, or proxy services and so on.
</div>


TCP and UDP 53. TCP is available for more than just zone transfers.

If your web filtering service is based on DNS it would seem prudent to block access to other DNS servers otherwise getting around the filter is far too easy.

With that options to get around it are reduced somewhat. Those still include services which might use alternate ports, or tunneling, or proxy services and so on.

<div>
So your saying to leave port 53 open to anything, point the dhcp DNS servers to the filtering provider and put together a black list of known DNS servers, then add the blacklist to block on the firewall?
</div>


So your saying to leave port 53 open to anything, point the dhcp DNS servers to the filtering provider and put together a black list of known DNS servers, then add the blacklist to block on the firewall?

<div>
Please see attached. &nbsp;Is this what you mean? &nbsp;I have put the two dns servers I need everyone to be using within that alias (dnsfilter internal). &nbsp;Underneath is a reject rule for anything else for port 53 TCP/UDP.<br />
<a href="https://filedb.experts-exchange.com/incoming/2017/05_w20/1162334/DNS.png" target="_blank" class="file-inline" title="DNS.png (108 KB)"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512"><path d="M67.508 468.467c-58.005-58.013-58.016-151.92 0-209.943l225.011-225.04c44.643-44.645 117.279-44.645 161.92 0 44.743 44.749 44.753 117.186 0 161.944l-189.465 189.49c-31.41 31.413-82.518 31.412-113.926.001-31.479-31.482-31.49-82.453 0-113.944L311.51 110.491c4.687-4.687 12.286-4.687 16.972 0l16.967 16.971c4.685 4.686 4.685 12.283 0 16.969L184.983 304.917c-12.724 12.724-12.73 33.328 0 46.058 12.696 12.697 33.356 12.699 46.054-.001l189.465-189.489c25.987-25.989 25.994-68.06.001-94.056-25.931-25.934-68.119-25.932-94.049 0l-225.01 225.039c-39.249 39.252-39.258 102.795-.001 142.057 39.285 39.29 102.885 39.287 142.162-.028A739446.174 739446.174 0 0 1 439.497 238.49c4.686-4.687 12.282-4.684 16.969.004l16.967 16.971c4.685 4.686 4.689 12.279.004 16.965a755654.128 755654.128 0 0 0-195.881 195.996c-58.034 58.092-152.004 58.093-210.048.041z"/></svg>DNS.png</a>
</div>


Please see attached.  Is this what you mean?  I have put the two dns servers I need everyone to be using within that alias (dnsfilter internal).  Underneath is a reject rule for anything else for port 53 TCP/UDP.
DNS.png [https://filedb.experts-exchange.com/incoming/2017/05_w20/1162334/DNS.png]

DNS.png

<div>
<div class="content wysiwyg-content">
We are looking at doing a DNS web filtering service. We have public WiFi so we feel this is the easiest way to avoid an ssl mismatch. <br />
If we did do DNS filtering, would it be logical for us to block all connections to port 53 UDP unless it's to the web filtering DNS servers? This way someone can bypass it by changing their DNS servers?
</div>
</div>


We are looking at doing a DNS web filtering service. We have public WiFi so we feel this is the easiest way to avoid an ssl mismatch. 
If we did do DNS filtering, would it be logical for us to block all connections to port 53 UDP unless it's to the web filtering DNS servers? This way someone can bypass it by changing their DNS servers?

Web Filtering

The cyber security specialization covers the fundamental concepts underlying the construction of secure systems, from the hardware to the software to the human-computer interface, with the use of cryptography to secure interactions. Cyber security refers to the protection of personal or organizational information or information resources from unauthorized access, attacks, theft, or data damage. This includes controlling physical access to the hardware, as well as protecting against the harm that may come via network access, data and code injection, and due to malpractice by operators, whether intentional, accidental, or due to them being tricked into deviating from secure procedures.

Cyber Security

The Domain Name System (DNS) is a hierarchical, globally distributed system responsible for associating the name of a computer, service or other resource into an IP address for connecting to the Internet or a private network. Most prominently, it translates domain names to the numerical IP addresses needed for the purpose of computer services and devices worldwide.

Enterprise software, also known as enterprise application software (EAS), is computer software used to satisfy the needs of an organization, including businesses, schools, interest-based user groups, clubs, charities, or governments. Services provided by enterprise software are typically business-oriented tools such as online shopping and online payment processing, interactive product catalogue, automated billing systems, security, enterprise content management, IT service management, customer relationship management (CRM), enterprise resource planning (ERP), business intelligence (BI), project management, human resource management (HR), manufacturing and supply chain management, enterprise application integration (EAI), and enterprise forms automation. Enterprise software is often available as a suite of customizable programs that require specialist capabilities.