block all internet DNS services except 3

Question

Hello, 
 We want our lan users to not be able to change their dns settings on their computers or browsers to use other dns services available on the web. We want to only allow access to these two dns servers : 208.67.222.222 and 208.67.220.220 (these are opendns servers). 
 How can we setup a firewall rule to block all dns services, except for if that service is reaching to A) the sophos firewall itself, or B) these 2 IP's 208.67.222.222 and 208.67.220.220

Prism · Accepted Answer

Hello, 
 There's two ways to solve this issue: 
 1) On v18, you can create a new Firewall Rule on top of all others such as this example:

EDIT: small error on the Picture above, I forgot to change from "Accept" to "Drop". Be aware. 
 EDIT2: Fixed. 
 This Firewall Rule will block access over (TCP/UDP on Port 53) for the entire WAN, but the Exclusion will allow the DNS Requests go through If It's for OpenDNS. The issue with this rule is: If a user tries to change DNS Server, It won't be able to connect to pretty much anything until she/he switches back to either OpenDNS or the Firewall Itself. 
 * Remember to change the Source/Destinations to your desired ones; 
 
 2) Or as a second option, you can use a NAT Rule, and redirect all DNS Requests that are being sent to the Internet to OpenDNS; This is a better approach since even If the user tries to change It's DNS Server, the DNS Request will be sent and answered through the DNS Server you choose for the DNAT. 
 Here's an example: 
 
 Remember to use your WAN Interface at "Outbound Interface". 
 Thanks!

Prism · Answer

joefirewall said: under network>dns, if a dns is set there, is that what resolutions will be done via when the xg itself is called upon to answer a dns request? 
 Under Network => DNS, all DNS Servers written in there will be called by the Firewall itself. 
 This is useful if your currently sending all your clients DNS Requests for the Firewall. 
 It would be like this: Client Request => Sophos Firewall => Upstream DNS Server. 
 Using Sophos Firewall as the DNS Server Itself is also more useful for FQDN's on SD-WAN, but It depends on your scenario. 
 joefirewall said: is there a place to toggle dns relay off/on 
 You can configure Relays only on XG only if the Client is using the Firewall itself as the DNS Server. 
 If not, It should be done on your DNS Server. 
 * I think I got this question wrong, If I did, please tell me. 
 joefirewall said: And lastly is the xg when acting as a dns relay, itself also subject to the firewall rules itself? No need to answer these... just a curiosity. 
 No, It isn't; You don't need to create a Firewall Rule for It, or even for the Clients (If their using XG itself as the DNS Server.) 
 Any DNS Request sent to the Firewall, the Firewall Itself will send It for the upstream DNS Servers. 
 Note: If you want to block a certain client or network to connect over the DNS Server of the Firewall, you should do this over ACL's.

Prism · Answer

That's a completely different scenario from your post. 
 By then, you should look at getting a list of those URL's being used for DoH & DoT, then create a URL Group and block them directly with a Web Filtering Policy. 
 The Firewall will look at the SNI of those connection and block them through DPI; Or If your doing TLS Decryption, you can block those requests through MIME Type. 
 More information can be found at: support.sophos.com/.../KB-000039056

block all internet DNS services except 3

Top Replies