
block all internet DNS services except 3

Hello,

We want our LAN users to not be able to change the DNS settings on their computers or browsers to use other DNS services available on the web. We want to only allow access to these two DNS servers: 208.67.222.222 and 208.67.220.220 (these are OpenDNS servers).

How can we set up a firewall rule to block all DNS services, except if that traffic is going to A) the Sophos firewall itself, or B) these two IPs, 208.67.222.222 and 208.67.220.220?



  • Hi,

    You set the DNS servers you wish to use in the XG DHCP settings, and you do not add DNS to any firewall rule.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Thanks, but we don't use DHCP for some clients, and the standard allow LAN-to-WAN traffic rule doesn't block DNS; this would allow users to reach DNS servers if they manually type them into their devices. Need to block all except some.

  • So you aren't really managing your user access with specific ports in firewall rules?

    Your top LAN to WAN firewall rule would be block DNS.

    You set the DNS you want to use in the XG DNS settings.

    Ian


  • Hello,

    There are two ways to solve this issue:

    1) On v18, you can create a new Firewall Rule on top of all others, such as this example:

    EDIT: small error in the picture above; I forgot to change from "Accept" to "Drop". Be aware.

    EDIT2: Fixed.

    This Firewall Rule will block access over TCP/UDP port 53 to the entire WAN, but the exclusion will let the DNS requests go through if they are for OpenDNS.
    The issue with this rule is: if a user tries to change the DNS server, they won't be able to connect to pretty much anything until they switch back to either OpenDNS or the firewall itself.

    * Remember to change the Source/Destination to your desired ones;

    2) Or, as a second option, you can use a NAT rule and redirect all DNS requests that are being sent to the Internet to OpenDNS. This is a better approach, since even if the user tries to change their DNS server, the DNS request will be sent to and answered by the DNS server you choose for the DNAT.

    Here's an example:

    Remember to use your WAN Interface at "Outbound Interface".

    Thanks!


    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v20 GA @ Home

    XG 115w Rev.3 8GB RAM v19.5 MR3 @ Travel Firewall



  • Correct, very little outbound traffic is blocked by service type as of now.

    I don't want to specify all the allowed DNS servers in the DHCP server. I want to allow some extra ones that I don't put in the DNS server.

    BTW, if the firewall says block all DNS, but DHCP says use this XYZ DNS, which takes precedence?

  • Awesome, I like both solutions. I would be using just the 1st solution (the firewall block rule with exceptions), because I will be using different DNS providers for different users, and if users change DNS I am OK that it breaks things; actually I would prefer that. I see the firewall rule will also still allow the firewall itself to act as DNS, since we are only blocking outbound to WAN DNS services. That's good. So I will set up DHCP with the XG as the main DNS, then set up some custom DNS settings on some of the other static IP users (as it already is), and with the firewall rule I think everything will work perfectly. Thanks for the help! I haven't tested it yet, but it looks good, so I will give the answer points to you now.

    One curiosity: under Network > DNS, if a DNS server is set there, is that what resolutions will be done through when the XG itself is called upon to answer a DNS request? Is there a place to toggle DNS relay off/on? And lastly, is the XG, when acting as a DNS relay, itself also subject to the firewall rules? No need to answer these... just a curiosity.

  • under network>dns, if a dns is set there, is that what resolutions will be done via when the xg itself is called upon to answer a dns request?

    Under Network => DNS, all DNS servers written in there will be called by the firewall itself.

    This is useful if you're currently sending all your clients' DNS requests to the firewall.

    It would be like this: Client Request => Sophos Firewall => Upstream DNS Server.

    Using Sophos Firewall as the DNS server itself is also more useful for FQDNs in SD-WAN, but it depends on your scenario.

    is there a place to toggle dns relay off/on

    You can configure relays on XG only if the client is using the firewall itself as the DNS server.

    If not, it should be done on your DNS server.

    * I think I got this question wrong; if I did, please tell me.

      And lastly is the xg when acting as a dns relay, itself also subject to the firewall rules itself?  No need to answer these... just a curiosity.

    No, it isn't; you don't need to create a firewall rule for it, or even for the clients (if they're using XG itself as the DNS server).

    Any DNS request sent to the firewall, the firewall itself will send on to the upstream DNS servers.

    Note: If you want to block a certain client or network from connecting to the firewall's DNS server, you should do this with ACLs.



  • I like this explanation about using the XG as the DNS, because the XG then gets to apply security checks to the connection, which is why you have a firewall.

    Ian


  • The XG can apply security checks independently of what DNS Server is in use.

    ATP is network-wide; it doesn't care if it's using Cloudflare DNS or OpenDNS.

    One good thing that I noticed was that, while using XG itself as the DNS server, my FQDNs for SD-WAN policies worked much better.

    But that's another topic. :)



  • OK, I think I have a problem with this... What about the new DNS over HTTPS that all the browsers are moving to as standard? It is abbreviated DoH. How can we block that? Otherwise that is an obvious loophole.
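Both approaches proposed in the thread (a top firewall rule dropping TCP/UDP port 53 to the WAN with an exclusion for the two OpenDNS addresses, or a DNAT of all outbound port-53 traffic to OpenDNS) and the closing DoH question come down to what a LAN client can actually do on the wire. The Python below is an added example and is not code from the thread or from Sophos: it builds a raw DNS query, sends it over UDP/53 to each candidate resolver and classifies the outcome (dropped, rejected, answered), then encodes the same query as an RFC 8484 DNS-over-HTTPS GET to show why a rule keyed on port 53 never sees it. The resolvers 1.1.1.1 and 8.8.8.8 are assumed stand-ins for servers a user might type in by hand, `https://doh.example/dns-query` is a placeholder endpoint, and the sample response bytes are constructed for the offline self-check.

```python
"""Check DNS egress from a LAN client and show the DoH gap.

Added example, not from the thread. Assumed: 1.1.1.1 / 8.8.8.8 stand in for
resolvers a user might configure by hand; DOH_ENDPOINT is a placeholder.
"""
import base64
import random
import socket
import struct
from typing import Dict, List, Optional

ALLOWED = ["208.67.222.222", "208.67.220.220"]   # OpenDNS, from the thread
PROBE_OTHERS = ["1.1.1.1", "8.8.8.8"]            # assumed: resolvers to test the block with
DOH_ENDPOINT = "https://doh.example/dns-query"   # placeholder, not a real resolver


def build_query(name: str, qtype: int = 1, txid: Optional[int] = None) -> bytes:
    """Minimal RFC 1035 query: header with RD set, one question, class IN."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_response(msg: bytes) -> Dict[str, object]:
    """Return transaction id, RCODE and any A-record addresses in the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE + QCLASS
    addrs: List[str] = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return {"txid": txid, "rcode": flags & 0x0F, "answers": addrs}


def probe_udp(server: str, name: str = "example.com", timeout: float = 2.0) -> str:
    """One query to server:53. 'timeout' = silently dropped (a Drop rule),
    'rejected' = ICMP unreachable came back (a Reject rule), 'answered' = a
    resolver replied with RCODE 0."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((server, 53))          # connected UDP so ICMP errors surface as ECONNREFUSED
        try:
            s.send(query)
            data = s.recv(4096)
        except socket.timeout:
            return "timeout"
        except ConnectionRefusedError:
            return "rejected"
    resp = parse_response(data)
    if resp["txid"] != struct.unpack("!H", query[:2])[0]:
        return "mismatched-txid"
    return "answered" if resp["rcode"] == 0 else "rcode-%d" % resp["rcode"]


def doh_get_url(endpoint: str, name: str) -> str:
    """The same lookup as an RFC 8484 GET: base64url of the wire message, no
    padding, txid 0 so the URL is cacheable. It travels on TCP/443 to an
    ordinary HTTPS host, so a rule matching port 53 never sees it."""
    wire = build_query(name, txid=0)
    return endpoint + "?dns=" + base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")


# Constructed sample: a reply to build_query("example.com", txid=0x1234) with one A record.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    b"\x07example\x03com\x00\x00\x01\x00\x01"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\x5d\xb8\xd8\x22"
)


def survey(servers: List[str]) -> Dict[str, str]:
    """Probe each server once; run from a LAN client behind the firewall."""
    return {srv: probe_udp(srv) for srv in servers}


if __name__ == "__main__":
    print("offline parse check:", parse_response(SAMPLE_RESPONSE))
    for srv, result in survey(ALLOWED + PROBE_OTHERS).items():
        print("%-16s %s" % (srv, result))
    print("DoH form of the same lookup:", doh_get_url(DOH_ENDPOINT, "example.com"))
```

Run from a LAN host with the rule in place. Under option 1 with a Drop action, the two OpenDNS addresses answer and the other resolvers time out (a Reject action shows up as "rejected" instead); add the firewall's own LAN address to the list to confirm the exception for the XG itself. Under option 2 every probe comes back "answered", because the DNAT rewrites the destination before the packet leaves, so this probe alone cannot tell you which resolver actually replied. Neither option touches the DoH URL, which goes out as ordinary HTTPS on port 443.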