How to Limit DNS Bypass on Unifi Gateway

 In DNS, How To, Network Security

Several of our small business, nonprofit, and education customers run Ubiquiti networks and so I thought it would be helpful to answer the following question using the Unifi Dream Machine Pro.

“How do I prevent users from changing their DNS to bypass filtering?”

While preventing content filter bypass is a good reason to manage DNS ports on your firewall, another often overlooked reason is to impede malware that has entered your network from using other outside DNS resolvers. Forcing all DNS through a DNS firewall or RPZ will insure that all related traffic is properly vetted.

This setup is for configuring DNS firewall rules on a Unifi Dream Machine Pro, but the basic rules and configuration are similar on the USG and USG Pro respectively. This is done in 4 easy steps.

  1. Create DNS Port Group
  2. Create Resolver IP Group
  3. Create rule allowing Resolver IP Group
  4. Create rule denying DNS Port Group

 

The end result will be something like this:

Configured rules allowing only specific DNS resolvers

 

STEP 1) Configure DNS Port Group 

First configure the group objects within the firewall subtab. Object based configuration makes managing systems so much easier. We will start out by configuring a port based object that represents all DNS traffic. Enter Port 53 and call it All DNS.

 

Create port based object for all DNS traffic

 

STEP 2) Configure IPv4 Address/Subnet Group (Resolver Group)

Next we will configure the IP based object for our actual resolver IPs. In this instance we use our default primary and secondary ScoutDNS IPs but you can configure any resolvers that you may want to allow on your network. On my network I call it ScoutDNS.

 

Create IP based Resolver Object for your resolver IPs

 

STEP 3) Create Firewall Rule allowing the Resolver Group 

Now create a WAN Out firewall rule that allows ScoutDNS. Remember, although UDP is the default protocol for DNS, TCP can all be used. For this reason select both” TCP and UDP” under the IPv4 Protocol selection.

Here are the key settings:

Rule Type: WAN Out

Rule Applied: Before Predefined Rules

Action: Accept

IPV4 Protocol: TCP and UDP

Destination Type: Address/Port Group

IPv4 Address Group: Your Group Name

Port Group: All DNS

Create WAN Out rule assigning Resolver Group to the DNS Port Group

STEP 4) Create Firewall Rule Dropping all traffic on the DNS Port Group 

Finally create a WAN Out Firewall Rule prohibiting all other DNS traffic on port 53. The Accept rule created in step 3 for our preferred resolvers will override.

Key Settings:

Type: WAN Out

Rule Applied: Before Predefined Rules

Action: Drop

IPv4 Protocol: TCP and UDP

Port Group: All DNS

Create WAN Out rule droping all TCP and UDP traffic out the DNS Port Group

 

Quick Tip:

You can add additional revolvers at any time by editing the Allowed Resolver group.

If using multiple services or a NAT type multi-policy, you can allow specific resolvers based on subnet/VLAN

 

 

Test and Confirm

 

If you want to test your configuration simply run a couple of NSLOOKUP commands from a command prompt:

 

Confirming approved resolvers are working

 

Confirming other DNS requests are dropped

 

Recent Posts

Start typing and press Enter to search