
In my organization (which uses two network DNS servers and a local DNS resolver per laptop) I want to restrict DNS requests to only

  • 127.0.0.1
  • 192.168.10.201
  • 192.168.20.2
  • 1.1.1.1
  • 1.0.0.1

and block all other DNS requests. I want this by creating Windows Firewall rules in the GPO.

So how can I block TCP/UDP port 53 traffic except those IPs?

This configuration only applies then to laptops. When they are in the company network, the network firewall ensures that outgoing DNS requests are all blocked except for the local DNS resolvers. The Windows Firewall should block using other DNS servers while outside and using phone-hotspots or WWAN adapters.

Philipp
    Please note that doing this may prevent internet connectivity when the laptops are used on a network that uses captive portal technology to validate users, such as frequently seen in hotels, convention centers, airports and coffee outlets – HBruijn Oct 06 '19 at 14:37
  • All our laptops have an integrated WWAN interface with a SIM card and unlimited data at medium speed. So there's no need for using public hotspots. But thank you for your reminder. – Philipp Oct 06 '19 at 14:49
  • You just need two rules. One should block all outgoing tcp/udp 53. One should allow same port and protocols for the IPS you listed. Both should be for any local program. No time to get into detail and write an answer, but it should be pretty easy! – Marco Oct 06 '19 at 15:31
  • Newer browsers, and especially Firefox, may elect to use DoH (DNS over HTTPS) instead of the OS supplied DNS servers. Which can create a whole lot of problems in cases like yours. See https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https and https://support.mozilla.org/en-US/products/firefox-enterprise/policies-customization-enterprise/policies-overview-enterprise and https://wiki.mozilla.org/Trusted_Recursive_Resolver#network.trr.mode ; Chrome does DoH too but only if it detects that the DNS used also offers this option so it is a safe upgrade. – Patrick Mevzek Oct 06 '19 at 15:51
  • Using Marco's idea is terribly dangerous. Doing this blocks all DNS requests including GPO updates! I created a rule for blocking all on port tcp/udp 53 and a rule for allowing tcp/udp 53 to specific IPs. But blocking everything is stronger than allowing something and so all port 53 got blocked and I needed to disable Windows Firewall to update GPO again for deleting those rules. – Philipp Oct 06 '19 at 18:06
  • I don't see the point. When the laptop is connected to a foreign network, those IP addresses can be any DNS server. It is not even guaranteed that the public IP addresses point to the real DNS servers at those IP addresses. So why limit the DNS queries? – Tommiie Oct 06 '19 at 18:47
  • My problem is that it seems impossible to make two configurations for the same port on Windows Firewall. When I create a rule for blocking TCP/UDP 53 and another rule for allowing TCP/UDP 53 for only specific servers, the Windows Firewall doesn't understand that and ignores the allowing rule, because blocking everything is stronger than allowing just a few things. When I apply @Marco's comment, I instantly crash all communication on the laptop. I needed to disable the firewall completely to connect to my ADDC. – Philipp Oct 06 '19 at 18:49
  • @Tommiie The point is that LTE overrides any static config done in Windows. When I statically configure the WWAN interface to use 127.0.0.1 as DNS resolver, the LTE connection overrides the config of its own adapter. And when using WWAN there is definitely no IP like 192.168.... If really someone is redirecting traffic to 1.1.1.1 to another server it's just bad luck. 100% secure is impossible, but I want to block some dangerous hosts by a local DNS resolver. – Philipp Oct 06 '19 at 18:53
  • @philip this depends on the rules order. Allow should be before block. And I guess you included your DCs in the DNS ip list so GPO deployment should not be affected. If not, I'd be glad if you explain what I'm missing. Thanks. – Marco Oct 07 '19 at 10:45
  • @Marco When updating GPOs the Client searches via DNS for the DC. But will never find it as DNS is blocked. – Philipp Oct 13 '19 at 11:44
  • @PimpJuiceIT According to "https://social.technet.microsoft.com/wiki/contents/articles/13894.troubleshooting-windows-firewall-with-advanced-security-in-windows-server-2012.aspx#Rules_are_evaluated_in_a_specific_order" block rules are evaluated before allow rules. But I want this reversed, which seems impossible to realize with Windows. – Philipp Oct 13 '19 at 11:45
  • I don't think clients will query any other DNS than the OS configured ones so you should still be able to query your DCs as long as they are those 192.168 ones and you've set up Windows Firewall successfully. I'll make some tries in a test lab ASAP – Marco Oct 13 '19 at 12:07
  • When I make 2 rules: 1. Block all TCP/UDP 53. and 2. Allow TCP/UDP 53 to the servers ...... and the block rules are applied first, the allow rules are ignored. So allowing the DNS servers in 192.168 is useless as the block all rule is applied first and only. – Philipp Oct 13 '19 at 12:23
  • I was wrong with the order. Obv it's the other way around allow before block – Marco Oct 14 '19 at 11:11
  • But it isn't possible to change the order and blocking is before allowing. – Philipp Oct 18 '19 at 09:56
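Windows Firewall evaluates block rules before allow rules, which is the ordering problem the comments run into: a "block all port 53" rule can never be overridden by a narrower allow rule. The way round it is to keep the permitted resolvers out of the block rule itself, by expressing "everything except these addresses" as a list of IPv4 ranges in the rule's remote address field, which Windows Firewall does accept. The script below is an added example, not from the thread; it computes those complement ranges for the question's allow-list and prints the matching New-NetFirewallRule commands (the rule display names are assumptions).

```python
"""Generate Windows Firewall block rules for outbound DNS that cover every
IPv4 address EXCEPT an allow-list, by listing the complement as ranges.
Block rules outrank allow rules in Windows Firewall, so the exceptions
must be carved out of the block rule rather than added as allow rules."""
import ipaddress

# Resolver allow-list from the question.
ALLOWED = ["127.0.0.1", "192.168.10.201", "192.168.20.2", "1.1.1.1", "1.0.0.1"]

IPV4_LAST = int(ipaddress.IPv4Address("255.255.255.255"))


def complement_ranges(allowed):
    """Return (start, end) string pairs covering all IPv4 addresses not in `allowed`.
    Adjacent allowed addresses produce no empty range."""
    addrs = sorted({int(ipaddress.IPv4Address(a)) for a in allowed})
    ranges = []
    cursor = 0  # first address not yet covered
    for a in addrs:
        if a > cursor:
            ranges.append((str(ipaddress.IPv4Address(cursor)),
                           str(ipaddress.IPv4Address(a - 1))))
        cursor = a + 1
    if cursor <= IPV4_LAST:
        ranges.append((str(ipaddress.IPv4Address(cursor)),
                       str(ipaddress.IPv4Address(IPV4_LAST))))
    return ranges


def firewall_commands(allowed, name="Block DNS except allowed resolvers"):
    """One New-NetFirewallRule per protocol (the cmdlet takes a single -Protocol);
    -RemoteAddress accepts an array of 'start-end' ranges. Name is an assumed label."""
    remote = ",".join(f'"{s}-{e}"' for s, e in complement_ranges(allowed))
    return [
        f'New-NetFirewallRule -DisplayName "{name} ({proto})" -Direction Outbound '
        f'-Action Block -Protocol {proto} -RemotePort 53 -RemoteAddress @({remote})'
        for proto in ("TCP", "UDP")
    ]


if __name__ == "__main__":
    for cmd in firewall_commands(ALLOWED):
        print(cmd)
```

Because the allowed resolvers fall in the gaps between the ranges, no separate allow rule is needed and DNS to the domain controllers keeps working while everything else on port 53 is dropped.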
