4 Replies Latest reply on Apr 7, 2016 8:05 PM by jayh

    I need a sample config for Netvanta 3448  on how to create a false dns server to block google instead of using websense?

    srk2016 New Member

      I am trying to set firewall settings and I am looking for a way to block some HTTPS sites.

        • Re: I need a sample config for Netvanta 3448  on how to create a false dns server to block google instead of using websense?
          petersjncv Visitor

          I am not sure about a "false" DNS server, but you can configure your 3448 to be your primary DNS server and then enter some dummy host records to perhaps redirect that traffic to somewhere null. You can't point it to 0.0.0.0 though, so I would say point it to some private IP that isn't in use (or doesn't even exist) in your local network.

          host "www.google.com" 172.16.1.1
          ip domain-proxy

          ip dhcp pool "LAN_NET"
            network 192.168.75.0 255.255.255.0
            dns-server 192.168.75.1
            netbios-node-type h-node
            default-router 192.168.75.1
            lease 30


          Advanced Configuration and Troubleshooting DNS Lookup and DNS Proxy in AOS

          • Re: I need a sample config for Netvanta 3448  on how to create a false dns server to block google instead of using websense?
            jcrabtreetol New Member

            Not in front of a system to get the code; I'll reply back, but here is the narrative.


            So for this you want to follow the Allow and then Deny method.

            We do this all the time for Websense and OpenDNS Services.

            In your LAN Policy you will want to create an outbound rule that allows UDP 53 to allow to your Websense External IPs or the OpenDNS Anycast IPs.

            Once the Allow is set then that rule will now be used and stop there once matched.

            The very next rule will be a Deny UDP 53 to ANY.

            Now anyone that tries to use DNS that is not set in your allow will be denied.

            We also do this for hardened networks where we only allow explicit traffic out, such as HTTPS/HTTP/etc.

            • Re: I need a sample config for Netvanta 3448  on how to create a false dns server to block google instead of using websense?
              jcrabtreetol New Member

              OK Here is what you will want in your Config.

              Under your IP Access-List Policies you will want the following. (The IPs I used are OpenDNS Anycast, just adjust to match your websense, remember everything is top down flow)

              ip access-list extended DNS-ACL
                remark DNS_Policy
                permit udp any  host 208.67.220.220 eq domain    log
                permit udp any  host 208.67.222.222 eq domain    log
                deny   udp any  any eq domain    log


              Now in your Policy Class for your Private Zone (normally this is just called Private), you will add your ACL Match Line.

              Likely under the header "ip policy-class Private"

                nat source list DNS-ACL interface eth 0/1 overload policy Public


              Make sure this line is above your all-out rule, if you happen to use an All Out (which we find all the time) and that is how you wish to operate. You do not require the Public at the end of that line; I just declare it when I am passing traffic to the Public Policy.

              Let me know if you have any issues or need more help. If you can post your config with sensitive details scrubbed or changed, that is fine.


              Just for those who are curious how this works.

              We have the ACL (access list). We are saying: if traffic from anyone matches packets to UDP 53 (DNS) to host x.x.x.x (in my example above it is either 208.67.220.220 or 208.67.222.222), permit the traffic.

              Then the last line, if the above two are not matched, denies the traffic, so the DNS will be dropped and not allowed.

              We then set this policy in your Private Class before your Any Out. So the traffic is matched before your Any Out and will either be allowed or denied. It doesn't matter that you have an any, because we have denied it before those rules are matched.

              Most routers operate in a first-match configuration. If you match the policy, that is what we do and we look no further. Makes the logic process easy.


              Hope I helped

              -John
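              The top-down, first-match behaviour John describes is easy to get wrong when rules are reordered. The following is an added example (not AOS code and not part of the thread): a small Python simulator that parses the DNS-ACL lines exactly as posted, walks constructed sample packets through them in order, and flags entries that are shadowed by an earlier, broader entry. The resolver addresses are the OpenDNS anycast IPs from the post; the source addresses and packets are constructed.

```python
"""Top-down, first-match evaluation of an AOS-style extended ACL.

Added example, not AOS code: it parses the DNS-ACL lines as posted in the
thread and walks constructed sample packets through them, so the ordering
(permit the two resolvers, then deny every other UDP 53 destination) and the
"first match wins" rule are visible.
"""
import ipaddress

# ACL text as posted in the thread (OpenDNS anycast resolvers).
DNS_ACL = """
ip access-list extended DNS-ACL
  remark DNS_Policy
  permit udp any  host 208.67.220.220 eq domain    log
  permit udp any  host 208.67.222.222 eq domain    log
  deny   udp any  any eq domain    log
"""

PORT_NAMES = {"domain": 53}


def _parse_addr(tokens):
    """Consume 'any' or 'host A.B.C.D'; returns (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    raise ValueError("unsupported address form: " + " ".join(tokens))


def parse_acl(text):
    """Return ordered entries: (action, proto, src_net, dst_net, dport or None)."""
    entries = []
    for raw in text.strip().splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] in ("ip", "remark"):
            continue  # header and remark lines carry no match logic
        action, proto = tokens[0], tokens[1]
        src, rest = _parse_addr(tokens[2:])
        dst, rest = _parse_addr(rest)
        dport = None
        if rest and rest[0] == "eq":
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        entries.append((action, proto, src, dst, dport))
    return entries


def evaluate(entries, proto, src, dst, dport):
    """First matching entry decides; returns (action, entry index).

    A packet that matches nothing falls through to the implicit deny,
    reported here as ("deny", None)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, (action, p, src_net, dst_net, port) in enumerate(entries):
        if p != proto or s not in src_net or d not in dst_net:
            continue
        if port is not None and port != dport:
            continue
        return action, i
    return "deny", None


def shadowed_entries(entries):
    """Indices of entries that can never match because an earlier, broader
    entry already catches every packet they describe (the classic ordering
    mistake: putting 'deny udp any any eq domain' above the permits)."""
    out = []
    for i, (_, p, src_net, dst_net, port) in enumerate(entries):
        for _, pj, sj, dj, portj in entries[:i]:
            if (pj == p and src_net.subnet_of(sj) and dst_net.subnet_of(dj)
                    and portj in (None, port)):
                out.append(i)
                break
    return out


if __name__ == "__main__":
    acl = parse_acl(DNS_ACL)
    # Constructed sample packets from a LAN host in the 192.168.75.0/24 pool.
    for pkt in [("udp", "192.168.75.20", "208.67.220.220", 53),
                ("udp", "192.168.75.20", "8.8.8.8", 53),
                ("udp", "192.168.75.20", "8.8.8.8", 123)]:
        print(pkt, "->", evaluate(acl, *pkt))
    print("shadowed in posted order:", shadowed_entries(acl))
    print("shadowed if deny came first:", shadowed_entries([acl[2]] + acl[:2]))
```

              Note what the simulator makes explicit: the ACL as posted only describes UDP 53, so DNS carried over TCP 53 or inside HTTPS on 443 is never matched by any of its three entries and falls through to whatever comes later in the policy class.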

              • Re: I need a sample config for Netvanta 3448  on how to create a false dns server to block google instead of using websense?
                jayh Hall_of_Fame

                John Gilmore - Wikiquote


                Pretty much as true today as in 1993 if people are determined.


                However:

                ip domain-proxy
                host google.com 127.0.0.1
                host www.google.com 127.0.0.1


                may slow folks down a bit.
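                To see why the host records only "slow folks down a bit", the following added example (Python, not AOS code and not from the thread) models a DNS proxy with static host overrides: a query whose name matches a host record is answered locally with the sinkhole address, anything else is forwarded upstream. It assumes the host table matches names exactly; DNS name comparison is case-insensitive and ignores a trailing dot, which the normaliser handles. The upstream resolver and the list of queried names are constructed.

```python
"""Simulated DNS proxy with static host overrides.

Added example, not AOS code. It parses the 'host' records as posted and
reports which constructed queries the overrides would catch. Exact-name
matching of the host table is an assumption.
"""

HOST_CONFIG = """
ip domain-proxy
host google.com 127.0.0.1
host www.google.com 127.0.0.1
"""

UPSTREAM = "208.67.222.222"  # constructed choice of upstream resolver


def normalize(name):
    """DNS names compare case-insensitively and a trailing dot is not part
    of the name, so canonicalise before any lookup."""
    return name.rstrip(".").lower()


def parse_host_records(text):
    """Return {normalised hostname: sinkhole address} from 'host NAME ADDR' lines."""
    records = {}
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) == 3 and tokens[0] == "host":
            records[normalize(tokens[1])] = tokens[2]
    return records


def resolve(records, qname, upstream=UPSTREAM):
    """Return ("local", addr) when a host record answers the query,
    otherwise ("forward", upstream) because the proxy has no override."""
    key = normalize(qname)
    if key in records:
        return "local", records[key]
    return "forward", upstream


def coverage(records, qnames):
    """Map each queried name to whether the host table catches it, which
    shows how much of a domain's namespace a handful of records cover."""
    return {q: resolve(records, q)[0] == "local" for q in qnames}


if __name__ == "__main__":
    table = parse_host_records(HOST_CONFIG)
    # Constructed query names a client might send through the proxy.
    queries = ["google.com", "WWW.GOOGLE.COM.", "mail.google.com",
               "docs.google.com", "example.org"]
    for name, caught in coverage(table, queries).items():
        print(f"{name:20s} -> {'sinkholed' if caught else 'forwarded'}")
```

                The exact-match table answers only the names listed; every other name under the same domain is forwarded upstream untouched, so the records as posted cover two names, not the domain.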