
Prevent DNS bypass

Stop users from sidestepping ScoutDNS by setting their own resolvers. Firewall rules that block all port-53 traffic except to ScoutDNS, plus how to lock down DoH and DoT.

Updated Aug 23, 2025 • 3 min read

A user who knows what they’re doing can override their device’s DNS to use a public resolver like 1.1.1.1 or 8.8.8.8, bypassing ScoutDNS entirely. To prevent that, lock down DNS traffic at the firewall: only ScoutDNS resolvers should be reachable from inside the network.

The firewall rules

The pattern, in order:

  1. Allow TCP/UDP port 53 to the ScoutDNS resolver IPs.
  2. Block TCP/UDP port 53 to every other IP.

The block rule must sit after the allow rule (firewalls evaluate top-down and stop at the first match).

Rule template

ALLOW   TCP/UDP   IN/OUT   <ScoutDNS resolver IP 1>   port 53
ALLOW   TCP/UDP   IN/OUT   <ScoutDNS resolver IP 2>   port 53
BLOCK   TCP/UDP   IN/OUT   any                          port 53

Get the resolver IPs from Admin Console → Help → IPs List (reference).

[!NOTE] Some firewalls require separate rules for TCP and UDP rather than a single rule covering both. Check your vendor’s docs.

Don’t forget encrypted DNS

Plain port 53 is only half the story. Modern browsers and OSes can use:

  • DNS-over-HTTPS (DoH): looks like normal HTTPS on port 443
  • DNS-over-TLS (DoT): runs on port 853

These bypass any port-53 rule.

Lock down DoT

Easy: block outbound TCP port 853 to all destinations. Almost nothing legitimate runs on 853.

BLOCK   TCP   OUT   any   port 853

Lock down DoH

Harder: DoH traffic looks like ordinary HTTPS on port 443. Three options:

  • Block known DoH providers by IP/hostname: Cloudflare (1.1.1.1, cloudflare-dns.com), Google (dns.google), NextDNS, Quad9, etc. Maintained lists exist; you’ll add to them over time.
  • Force browser DoH policy via GPO/MDM. Chrome, Edge, and Firefox all expose enterprise policies to disable secure-DNS or pin it to the system resolver.
  • Roaming agent: the ScoutDNS roaming agent intercepts DNS at the device level, so browser DoH attempts go through ScoutDNS regardless of what the user configures. This is the cleanest answer for managed fleets.

[!TIP] For a managed fleet, the agent is the strongest enforcement layer because it works off-network too. Firewall rules only help while the device is behind your firewall; the agent enforces everywhere.
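A worked model of the whole policy, added here as an example and not ScoutDNS's own tooling: a first-match rule evaluator in Python that encodes the port-53 allow/block template, the 853 block and a DoH-provider block, and flags the misordering the rules section warns about. The resolver IPs are placeholders for the ones in the IPs List; the DoH provider IP is the 1.1.1.1 named above.

```python
# Added example, not ScoutDNS code: a top-down, first-match firewall model
# for the DNS-lockdown rules on this page. Resolver IPs are placeholders
# (RFC 5737 range); substitute the ones from Admin Console -> Help -> IPs List.
from dataclasses import dataclass
from typing import Optional

SCOUTDNS_RESOLVERS = {"203.0.113.10", "203.0.113.11"}  # placeholders
KNOWN_DOH_PROVIDERS = {"1.1.1.1"}  # one entry; real deployments use a maintained list

@dataclass(frozen=True)
class Rule:
    action: str            # "ALLOW" or "BLOCK"
    protos: frozenset      # {"tcp"}, {"udp"} or both
    dst: Optional[str]     # None means "any" destination
    dport: Optional[int]   # None means any port

DNS_LOCKDOWN = [
    # 1. Allow TCP/UDP 53 to each ScoutDNS resolver.
    *[Rule("ALLOW", frozenset({"tcp", "udp"}), ip, 53) for ip in sorted(SCOUTDNS_RESOLVERS)],
    # 2. Block TCP/UDP 53 to every other IP (must sit below the allows).
    Rule("BLOCK", frozenset({"tcp", "udp"}), None, 53),
    # DoT: block outbound TCP 853 to all destinations.
    Rule("BLOCK", frozenset({"tcp"}), None, 853),
    # DoH: block known provider IPs on 443; ordinary HTTPS is untouched.
    *[Rule("BLOCK", frozenset({"tcp"}), ip, 443) for ip in sorted(KNOWN_DOH_PROVIDERS)],
]

def evaluate(rules, proto, dst, dport, default="ALLOW"):
    """Evaluate top-down and stop at the first matching rule."""
    for r in rules:
        if proto in r.protos and r.dst in (None, dst) and r.dport in (None, dport):
            return r.action
    return default

def misordered_block(rules):
    """True if a catch-all BLOCK appears above an ALLOW it would shadow."""
    blocked_ports = set()
    for r in rules:
        if r.action == "BLOCK" and r.dst is None:
            blocked_ports.add(r.dport)
        elif r.action == "ALLOW" and (None in blocked_ports or r.dport in blocked_ports):
            return True
    return False

if __name__ == "__main__":
    for proto, dst, port in [("udp", "203.0.113.10", 53), ("udp", "8.8.8.8", 53),
                             ("tcp", "8.8.8.8", 853), ("tcp", "1.1.1.1", 443),
                             ("tcp", "192.0.2.80", 443)]:
        print(f"{proto} -> {dst}:{port}: {evaluate(DNS_LOCKDOWN, proto, dst, port)}")
    # Put the catch-all port-53 block first: the resolver traffic is now blocked too.
    swapped = DNS_LOCKDOWN[2:3] + DNS_LOCKDOWN[:2] + DNS_LOCKDOWN[3:]
    print("misordered:", misordered_block(swapped), evaluate(swapped, "udp", "203.0.113.10", 53))
```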

Set a network-wide DNS configuration

In parallel with the firewall rules, push the ScoutDNS resolver IPs from your DHCP server so devices that don’t override receive them automatically. Most users will never change DNS; the firewall rules just catch the few who try.

If you run Active Directory, you can also push DNS settings via GPO so domain-joined devices get the configuration from policy.

Vendor-specific configuration

Because of the number of router and firewall vendors on the market, ScoutDNS doesn’t maintain step-by-step guides for each. Consult your firewall vendor’s documentation for the exact rule syntax. The shape of the rules is the same everywhere:

  1. Allow to ScoutDNS resolver IPs on the required ports
  2. Block everything else on those ports