Securing DNS Through Security & NAT Policies

Protecting the corporate network from data exfiltration via DNS tunneling, command and control via rogue DNS servers, and bypass of DNS-based content filtering all argue for blocking DNS traffic to anything other than corporate-run and approved DNS servers. Doing so, however, can break smart devices, BYOD devices, and guests unless allowances are made.

Increasingly, IoT and similar smart devices ship with DNS settings that are hardcoded or onerous for non-technical users to change. BYOD users and visitors on your guest network also often have hardcoded DNS settings, and asking them to change those settings when they join your network makes for a bad user experience.

If you are a Palo Alto Networks customer, the solution is to use a combination of security and NAT policies: block the dns, tcp-over-dns, dns-over-tls, dnscrypt and dns-over-https App-IDs on any port to any host other than the corporate approved DNS servers, and redirect plain port-53 DNS to a DNS proxy running on your NGFW so that devices with hardcoded resolvers keep working. The following is a step-by-step guide to setting this up using Palo Alto Networks firewalls; similar configurations may be possible with other brands of firewall but have not been tested.


1. Begin by creating a loopback interface, with an IP address, in a zone reachable from all of your client zones. The DNS proxy will listen on this address and redirected queries will be sent to it.

2. Next create address objects for your corporate approved DNS servers and an address group containing them.

3. Create a DNS Proxy object bound to the loopback interface, with the corporate approved DNS servers as its upstream servers.

4. Create the following NAT policies, in this order (NAT rules are evaluated top-down and the first match wins, so the exemption must sit above the redirect)

  • No NAT for DNS traffic to the corporate approved DNS servers (the address group from step 2)
  • Destination NAT for UDP port 53 from the client zones to any destination, translated to the loopback interface address
  • The same for TCP port 53 (only if your environment needs TCP DNS)

5. Now write security policies blocking the following App-IDs from the client zones to any destination in any zone that isn’t your corporate approved DNS servers. Set the service to any rather than application-default so that DNS on a non-standard port is caught as well

  • dns
  • dnscrypt
  • dns-over-tls
  • tcp-over-dns
  • dns-over-https

6. You may also need to write security policies allowing dns traffic to your corporate approved DNS servers and to the DNS proxy. Remember that PAN-OS matches security policy on the pre-NAT source and destination addresses but on the post-NAT zones, so the allow rule for redirected queries must use the loopback interface’s zone as the destination zone while the destination address is still the original (non-approved) resolver address; place it above the block rules.

7. If successful, when a client uses Google, Cloudflare, or another non-approved DNS server you should see the session in your traffic logs hitting the redirect NAT rule rather than being dropped
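Beyond reading the firewall's own logs, it is worth confirming the result from a client's point of view. The following stdlib-only Python script is an added example for this post (it is not from the original post and not Palo Alto Networks tooling): it builds raw DNS queries, asks a hardcoded public resolver for a name that only the corporate DNS knows, and attempts DNS over TLS to that public resolver. The resolver addresses, the DoT server name and the internal test record are assumptions to replace with your own.

```python
"""Client-side check of a DNS lockdown: port-53 queries to any resolver should be
answered by the firewall's DNS proxy, and DNS over TLS to outside resolvers blocked.
Added example for this post; stdlib only, not Palo Alto Networks code."""
import os
import socket
import ssl
import struct
from typing import Optional

APPROVED_RESOLVER = "10.0.0.53"           # assumption: one of your corporate DNS servers
PUBLIC_RESOLVER = "8.8.8.8"               # assumption: a resolver a BYOD device may hardcode
PUBLIC_DOT_NAME = "dns.google"            # assumption: TLS server name for the DoT probe
INTERNAL_NAME = "intranet.corp.example."  # assumption: a record only corporate DNS knows
TIMEOUT = 3.0


def build_query(name: str, qtype: int = 1):
    """Return (txid, wire bytes) for a single-question DNS query with RD set."""
    txid = int.from_bytes(os.urandom(2), "big")   # unpredictable ID (RFC 5452)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.rstrip(".").split(".")) + b"\x00"
    return txid, header + qname + struct.pack("!HH", qtype, 1)


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(txid: int, msg: bytes) -> dict:
    """Return {'rcode': int, 'answers': [IPv4 strings]}; reject replies with the wrong ID."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction ID mismatch (stale or spoofed reply)")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    off = 12
    for _ in range(qd):                  # skip the echoed question section
        off = _skip_name(msg, off) + 4
    answers = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
            answers.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return {"rcode": flags & 0x000F, "answers": answers}


def udp_resolve(resolver: str, name: str) -> Optional[dict]:
    """Plain UDP/53 query; None on timeout, i.e. dropped by the firewall."""
    txid, query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(TIMEOUT)
        sock.sendto(query, (resolver, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_response(txid, data)


def dot_resolve(resolver: str, server_name: str, name: str) -> Optional[dict]:
    """DNS over TLS (RFC 7858): TLS on TCP/853, each message prefixed by a 2-byte length."""
    txid, query = build_query(name)
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((resolver, 853), timeout=TIMEOUT) as raw, \
             ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)
            hdr = tls.recv(2)
            if len(hdr) < 2:
                return None
            (length,) = struct.unpack("!H", hdr)
            data = b""
            while len(data) < length:
                chunk = tls.recv(length - len(data))
                if not chunk:
                    return None
                data += chunk
    except OSError:          # ssl.SSLError is a subclass: reset, timeout or TLS failure
        return None
    return parse_response(txid, data)


def evaluate(approved: Optional[dict], via_public: Optional[dict], dot: Optional[dict]) -> dict:
    """Turn the three probe results into verdicts (pure function, usable offline)."""
    approved_ok = bool(approved and approved["rcode"] == 0 and approved["answers"])
    # A real public resolver cannot know the internal name (it would answer NXDOMAIN or
    # REFUSED), so matching answers "from" 8.8.8.8 prove the firewall proxy handled it.
    redirected = bool(approved_ok and via_public and via_public["rcode"] == 0
                      and via_public["answers"] == approved["answers"])
    return {"approved_resolver_works": approved_ok,
            "port53_redirected_to_proxy": redirected,
            "dot_to_public_resolver_blocked": dot is None}


if __name__ == "__main__":
    results = evaluate(udp_resolve(APPROVED_RESOLVER, INTERNAL_NAME),
                       udp_resolve(PUBLIC_RESOLVER, INTERNAL_NAME),
                       dot_resolve(PUBLIC_RESOLVER, PUBLIC_DOT_NAME, "example.com."))
    for check, ok in results.items():
        print("PASS" if ok else "FAIL", check)
```

The internal-only name is the key trick: the reply to the query sent to 8.8.8.8 comes back with 8.8.8.8 as its source after reverse NAT, so the client cannot tell it was redirected by looking at addresses, but a correct answer for a name no public resolver can know proves the proxy answered. The DoT probe deliberately completes a full TLS DNS exchange rather than a bare TCP connect, because App-ID classification needs payload and a plain handshake succeeding does not mean dns-over-tls is allowed.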
