
block all internet DNS services except 3


      We want our LAN users not to be able to change the DNS settings on their computers or browsers to use other DNS services available on the web. We want to allow access only to these two DNS servers: and (these are OpenDNS servers).

     How can we set up a firewall rule to block all DNS services, except when that traffic is going to A) the Sophos firewall itself, or B) these two IPs: and

  • Hi,

    You set the DNS server you wish to use in the XG DHCP settings, and you do not add DNS to any firewall rule.


    XG115W - v20.0.1 MR-1 - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Thanks, but we don't use DHCP for some clients, and the standard allow LAN-to-WAN traffic rule doesn't block DNS; this would allow users to reach DNS servers if they manually type them into their devices. We need to block all except some.

  • So you aren't really managing your user access with specific ports in firewall rules?

    Your top LAN-to-WAN firewall rule would be a "block DNS" rule.

    You set the DNS server you want to use in the XG DNS settings.

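To make the rule order in the reply above concrete, here is a small first-match model of that LAN-to-WAN table. It is an added example, not code from the original thread and not the SFOS API or CLI: the Flow and Rule types, the evaluate function, the 192.168.1.0/24 LAN, the 192.168.1.1 firewall address and the two 198.51.100.x resolver addresses are all assumptions, the last two standing in for the OpenDNS IPs the question omits.

```python
"""First-match model of the LAN-to-WAN rule order discussed in this thread.

Added example for illustration only: not Sophos code and not the SFOS API.
The rule evaluator, the LAN range, the firewall's address and the two
"permitted resolver" addresses (RFC 5737 test addresses) are constructed
here because the post omits the real OpenDNS IPs.
"""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Tuple

LAN = ip_network("192.168.1.0/24")            # assumed LAN subnet
FIREWALL_LAN_IP = ip_address("192.168.1.1")   # assumed XG LAN address
PERMITTED_RESOLVERS = {                       # placeholders for the two
    ip_address("198.51.100.10"),              # OpenDNS servers the question
    ip_address("198.51.100.11"),              # does not list
}
DNS_PORT = 53


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str    # "udp" or "tcp"
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "allow" or "block"
    match: Callable[[Flow], bool]


def from_lan(f: Flow) -> bool:
    return ip_address(f.src) in LAN


def is_dns(f: Flow) -> bool:
    # "DNS" as a firewall service object: UDP and TCP on port 53 only.
    return f.proto in ("udp", "tcp") and f.dport == DNS_PORT


# Intended order: the specific allows sit above the DNS block, and the
# general LAN-to-WAN allow comes last.
RULES: List[Rule] = [
    Rule("DNS to the firewall's own resolver", "allow",
         lambda f: from_lan(f) and is_dns(f) and ip_address(f.dst) == FIREWALL_LAN_IP),
    Rule("DNS to permitted external resolvers", "allow",
         lambda f: from_lan(f) and is_dns(f) and ip_address(f.dst) in PERMITTED_RESOLVERS),
    Rule("Block all other DNS", "block",
         lambda f: from_lan(f) and is_dns(f)),
    Rule("LAN to WAN", "allow", from_lan),
]

# The same rules with the DNS block moved to the top: evaluation stops at the
# first hit, so the exception for the two external resolvers never matches.
BLOCK_FIRST: List[Rule] = [RULES[2], RULES[0], RULES[1], RULES[3]]


def evaluate(flow: Flow, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Return (action, rule name) for the first matching rule.

    A flow that matches nothing falls through to the implicit deny at the
    end of the table."""
    for rule in rules:
        if rule.match(flow):
            return rule.action, rule.name
    return "block", "implicit deny"


# Constructed sample queries from one LAN host.
SAMPLE_FLOWS: Dict[str, Flow] = {
    "public resolver": Flow("192.168.1.50", "8.8.8.8", "udp", DNS_PORT),
    "permitted":       Flow("192.168.1.50", "198.51.100.10", "udp", DNS_PORT),
    "firewall tcp":    Flow("192.168.1.50", "192.168.1.1", "tcp", DNS_PORT),
    # DNS over HTTPS uses 443, so a port-53 "DNS" service never matches it.
    "doh":             Flow("192.168.1.50", "8.8.8.8", "tcp", 443),
}


def demo(rules: List[Rule] = RULES) -> Dict[str, Tuple[str, str]]:
    return {name: evaluate(flow, rules) for name, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for order, rules in (("intended order", RULES), ("block first", BLOCK_FIRST)):
        print(order)
        for name, (action, hit) in demo(rules).items():
            print(f"  {name:16} -> {action:5} ({hit})")
```

Two things the model makes visible. First, ordering: with the block rule on top, a query to one of the two permitted resolvers is dropped before the allow rule is reached, so the exceptions must sit above the block. Second, a DNS service object is port 53 over UDP and TCP; the sample query to 8.8.8.8 on TCP 443 (the DNS-over-HTTPS port) simply hits the general LAN-to-WAN allow, so a port-53 block alone does not stop clients that switch their browser to an encrypted resolver. On SFOS, queries addressed to the firewall's own DNS service are governed by the device access (local service ACL) settings rather than by LAN-to-WAN rules, so the first rule in the model only stands in for that. As for precedence between DHCP and the firewall: DHCP merely tells a client which resolver to ask, while the firewall rule decides whether the packet is forwarded, so a resolver handed out by DHCP is still blocked unless a rule above the block permits it.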

  • Correct, very little outbound traffic is blocked by service type as of now.

    I don't want to specify all the allowed DNS servers in the DHCP server. I want to allow some extra ones that I don't put in the DHCP server.

    BTW, if the firewall says "block all DNS" but DHCP says "use this XYZ DNS", which takes precedence?
