How to Limit DNS Bypass on Unifi Gateway

Several of our small business, nonprofit, and education customers run Ubiquiti networks and so I thought it would be helpful to answer the following question using the Unifi Dream Machine Pro.

“How do I prevent users from changing their DNS to bypass filtering?”

While preventing content filter bypass is a good reason to manage DNS ports on your firewall, another often overlooked reason is to impede malware that has entered your network from using other outside DNS resolvers. Forcing all DNS through a DNS firewall or RPZ will ensure that all related traffic is properly vetted.

This setup is for configuring DNS firewall rules on a Unifi Dream Machine Pro, but the basic rules and configuration are similar on the USG and USG Pro. This is done in 4 easy steps.

  1. Create DNS Port Group
  2. Create Resolver IP Group
  3. Create rule allowing Resolver IP Group
  4. Create rule denying DNS Port Group


The end result will be something like this:

Configured rules allowing only specific DNS resolvers


STEP 1) Configure DNS Port Group

First configure the group objects within the firewall subtab. Object-based configuration makes managing systems so much easier. We will start out by configuring a port-based object that represents all DNS traffic. Enter Port 53 and call it All DNS.


Create port based object for all DNS traffic


STEP 2) Configure IPv4 Address/Subnet Group (Resolver Group)

Next we will configure the IP based object for our actual resolver IPs. In this instance we use our default primary and secondary ScoutDNS IPs but you can configure any resolvers that you may want to allow on your network. On my network I call it ScoutDNS.


Create IP based Resolver Object for your resolver IPs


STEP 3) Create Firewall Rule allowing the Resolver Group

Now create a WAN Out firewall rule that allows ScoutDNS. Remember, although UDP is the default protocol for DNS, TCP can also be used. For this reason select both "TCP and UDP" under the IPv4 Protocol selection.

Here are the key settings:

Rule Type: WAN Out

Rule Applied: Before Predefined Rules

Action: Accept

IPV4 Protocol: TCP and UDP

Destination Type: Address/Port Group

IPv4 Address Group: Your Group Name

Port Group: All DNS

Create WAN Out rule assigning Resolver Group to the DNS Port Group

STEP 4) Create Firewall Rule Dropping all traffic on the DNS Port Group

Finally create a WAN Out Firewall Rule prohibiting all other DNS traffic on port 53. The Accept rule created in step 3 for our preferred resolvers will take precedence, provided it sits above this Drop rule in the list, since rules are evaluated top down and the first match wins.

Key Settings:

Type: WAN Out

Rule Applied: Before Predefined Rules

Action: Drop

IPv4 Protocol: TCP and UDP

Port Group: All DNS

Create WAN Out rule dropping all TCP and UDP traffic out to the DNS Port Group


Quick Tip:

You can add additional resolvers at any time by editing the Allowed Resolver group.

If using multiple services or a NAT type multi-policy, you can allow specific resolvers based on subnet/VLAN.



Test and Confirm


If you want to test your configuration simply run a couple of nslookup commands from a command prompt, one against an approved resolver and one against any other outside resolver:


Confirming approved resolvers are working


Confirming other DNS requests are dropped
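A scripted version of that check, added here as an example and not part of the original post or of any Ubiquiti or ScoutDNS tooling: it sends a raw DNS query to each resolver over both UDP and TCP port 53 (the Drop rule covers both), and reports "answered" for an approved resolver and "blocked" when the Drop rule silently discards the packet and the query times out. The addresses in ALLOWED and OTHER are constructed placeholders to replace with your own resolver IPs.

```python
import random, socket, struct

def build_query(name, txid=None, qtype=1):
    """Build a minimal DNS query: 12-byte header (RD=1) plus one question."""
    txid = random.randrange(65536) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [l.encode() for l in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN

def parse_response(data, txid):
    """Return (rcode, answer_count) if data is a response to our txid."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:  # QR bit must be set
        raise ValueError("not a response to our query")
    return flags & 0x000F, an

def probe(resolver, proto="udp", name="example.com", timeout=2.0):
    """Query resolver:53; returns 'answered', 'blocked' (silent drop) or 'error'."""
    txid = random.randrange(65536)
    q = build_query(name, txid)
    try:
        if proto == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(q, (resolver, 53))
                data = s.recv(512)
        else:  # DNS over TCP prefixes each message with a 2-byte length
            with socket.create_connection((resolver, 53), timeout=timeout) as s:
                s.sendall(struct.pack("!H", len(q)) + q)
                (n,) = struct.unpack("!H", s.recv(2))
                data = s.recv(n)  # one read is enough for a short test reply
        parse_response(data, txid)
        return "answered"
    except socket.timeout:
        return "blocked"  # a Drop rule discards the packet, so nothing comes back
    except (OSError, ValueError):
        return "error"    # reset, unreachable, or malformed reply

if __name__ == "__main__":
    # Constructed placeholders: your allowed resolver IPs go in ALLOWED, and a
    # resolver you expect the Drop rule to block goes in OTHER.
    ALLOWED, OTHER = ["192.0.2.1"], ["192.0.2.2"]
    for ip in ALLOWED + OTHER:
        for proto in ("udp", "tcp"):
            want = "answered" if ip in ALLOWED else "blocked"
            print(f"{ip:>15}/{proto}: {probe(ip, proto)} (expected {want})")
```

Run it from a client on the LAN, not from the gateway itself, so the query actually traverses the WAN Out rules.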

