Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 6 replies
  • Subscribers 4 subscribers
  • Views 2055 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

DNAT rule for DNS lookups for devices hard-coded with Google DNS

alan weir

I have a device on my LAN that has Google's DNS hard-coded into it. Meaning that even when I configure the device to use other DNS servers, like Cloudflare, it reverts back to 8.8.8.8 and 8.8.4.4 and cannot be changed.

Is the only way around this to create a DNAT rule that changes the destination to a different DNS server?

Is this correct:

For traffic from: network definition (IP address of the device)

Using service: DNS

Going to: External (WAN) Network / External IPv4

---------------------------------------------------------------

Change the destination to: Network Definition (which would be my internal DNS server, or I.P. address of the internal DNS server.)

And the service to: DNS

Would this cause issues with DNSSEC? Should I perhaps change the destination to my default gateway and use the DNS forwarders (my DNS server) setting of the UTM?



This thread was automatically locked due to age.
  • 0

    Keep in mind that DNS in its genuine form is (unsolicited) UDP. Probably a DNAT is not sufficient if there is no protocol helper which matches the response to the query. I'd go for full NAT here. DNAT should be fine for TCP connections (often in DNSSEC because of packet size or in DNS-over-SSL).

  • 0 in reply to Alan Brand

    Thank you for your feedback. I decided to block the device from accessing the external network entirely. The bizarre feature of this device tries to send a DNS request to 8.8.8.8 and if it doesn't get a reply then it tries 1.0.0.1 which belongs to cloudfare (according to wireshark). Really weird. I can set an IP address and default gateway manually but not DNS.

    Hard-coded DNS completely bypasses any ad-blocking DNS servers (like Pi-Hole)  and is a bad practice. But it's common with IoT devices in particular. The device is trying to resolve the IP address of it's own cloud storage service continuously until it gets a response.

    I might try the full NAT approach anyway.

  • 0 in reply to alan weir

    Yes, as Alan Brand commented, a Full NAT is the only solution.  Otherwise, the internal DNS server sends the response directly to the device and it automatically drops the response packet.

         Full NAT : IoT device -> DNS -> {8.8.4.4 & 8.8.8.8) : from "Internal (Address) to {internal DNS server}

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    The way your NAT rule is worded is different from the way the UTM words it. I assume you are going by how XG does it?

    Here is a screenshot of my NAT rule. "ALL DNS" is an availability group containing Google and Cloudflare DNS IP

  • 0 in reply to alan weir

    After creating the rule it seems to be working, but this camera will just not stop sending DNS requests even when it is allowed to. 

  • 0 in reply to alan weir

    Looks good, Alan.  Check out #5 in Rulz.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Unfiltered HTML