
How to block bypass DNS settings

  • 1.  How to block bypass DNS settings

    Posted 02-27-2018 04:00

    Dear All, 

    I have a question: I configured an Internet policy in the FortiGate firewall allowing all services. I want to block DNS bypass. Is it possible to block only the DNS service? I am happy to make a different policy for my DNS server but don't want to make another policy for my client systems. 

    Regards,

    Deepak Kumar



  • 2.  RE: How to block bypass DNS settings

    Posted 02-28-2018 11:18

    I'd create a rule just above the previous one to block DNS traffic. Did you try that?



  • 3.  RE: How to block bypass DNS settings

    Posted 03-04-2018 21:54

    Thanks, I can do it, but is it possible that in a single policy I allow all services except DNS?

    Regards,

    Deepak Kumar



  • 4.  How to block bypass DNS settings

    Posted 03-04-2018 22:05

    I don't think you can negate a service in a policy. Technically you "could" try to specify all services but UDP/53, but the policy would look massive in the number of objects. Also, don't forget any services!

    I don't get what's wrong with another policy denying UDP/53.

    I can think of another option though: an app control profile to block DNS traffic in your "one" policy (and allowing the rest of the applications).

    Regards,

    Michael



  • 5.  RE: How to block bypass DNS settings

    Posted 03-04-2018 22:12

    Hi, 

    There is no reason to avoid configuring a deny policy, but this is just for a basic idea.

    Regards,

    Deepak Kumar



  • 6.  RE: How to block bypass DNS settings

    Posted 03-07-2018 23:27

    IMHO an explicit DENY policy is not only effective but openly documents your intention, namely that only the internal DNS is to be used. Besides, if you enable logging you can pinpoint the hosts which are still not using the (DHCP-supplied) internal DNS.

    Transparency is one of the foundations of security.
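The explicit deny policy that replies 4 and 6 recommend, written out as a FortiOS CLI fragment. This is an added illustration, not configuration posted by anyone in the thread; the interface names `internal` and `wan1`, the address object `Internal-DNS` with its subnet, and the policy IDs 1, 2 and 10 are assumptions that must be replaced with the values from your own unit. The predefined `DNS` service object covers both TCP/53 and UDP/53, so it is used here instead of a UDP-only custom service.

```fortios
# Address object for the internal resolver (assumed value; adjust to your network)
config firewall address
    edit "Internal-DNS"
        set subnet 10.10.0.53 255.255.255.255
    next
end

config firewall policy
    # Assumed existing policy 1: clients -> internal DNS server (allowed)
    edit 1
        set name "Clients-to-Internal-DNS"
        set srcintf "internal"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "Internal-DNS"
        set action accept
        set schedule "always"
        set service "DNS"
    next
    # New explicit deny: any DNS from clients towards the Internet.
    # Logging all traffic on this policy records the source hosts that
    # are still pointing at an external resolver (reply 6's point).
    edit 10
        set name "Deny-External-DNS"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "DNS"
        set logtraffic all
    next
    # Assumed existing policy 2: the broad "allow all services" Internet policy
    edit 2
        set name "Clients-to-Internet"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    # Policies are matched top-down, so the deny must sit above the allow-all.
    move 10 before 2
end
```

Once this is in place, filtering the forward traffic log on policy ID 10 gives the list of source addresses that still bypass the internal resolver, which is exactly the transparency reply 6 describes: the denied flows are documented rather than silently swallowed by the broad allow.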