DNS Controls

Hello,

Our WCF (Umbrella) relies on devices using specific DNS servers. Currently I am able to statically assign a DNS server and bypass this security. Is there a way to prevent clients from connecting if they have statically assigned a DNS server?

We are using R510 and R310 Unleashed.

Matthew S

Posted 1 month ago

Michael Brado, Official Rep

We have a CLI WLAN configuration command "force-dhcp" which will disallow clients with a static IP, but I don't think we look at router-provided or client-defined DNS hosts.

Tim Brumbaugh

Easy solution: block outbound DNS requests on your firewall (port 53 outbound) and only allow your DCs outbound on port 53, which you should do anyway as part of a good cyber security plan.
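
Added example, not part of the original thread and not Ruckus or Umbrella code: a check to run from a guest client to confirm that the port 53 egress rule suggested above actually holds. The resolver addresses under `__main__` are assumptions to replace with your own approved and unapproved resolvers, and the probe covers plain UDP DNS only.

```python
import socket
import struct

def build_query(name, txid=0x1234):
    """Encode a minimal DNS A-record query (RFC 1035) for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def probe(resolver, name="example.com", port=53, timeout=2.0):
    """True if `resolver` answers a direct UDP DNS query, False if it is filtered."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (resolver, port))
            reply, _ = s.recvfrom(512)
        except OSError:  # timeout or network error: treat as blocked
            return False
    # A genuine reply echoes our transaction ID and has the QR (response) bit set.
    return len(reply) >= 12 and reply[:2] == query[:2] and bool(reply[2] & 0x80)

def audit(approved, unapproved, **probe_args):
    """Return a list of findings; an empty list means the DNS control holds."""
    findings = []
    for r in approved:
        if not probe(r, **probe_args):
            findings.append(f"approved resolver {r} did not answer")
    for r in unapproved:
        if probe(r, **probe_args):
            findings.append(f"unapproved resolver {r} answered: filter can be bypassed")
    return findings

if __name__ == "__main__":
    # Assumed values: use the resolvers your DHCP scope hands out and any
    # public resolvers a client might configure statically.
    APPROVED = ["208.67.222.222", "208.67.220.220"]
    UNAPPROVED = ["8.8.8.8", "1.1.1.1"]
    for line in audit(APPROVED, UNAPPROVED) or ["OK: only approved resolvers answer"]:
        print(line)
```

A clean result here says nothing about DNS over TLS (port 853) or DNS over HTTPS (port 443), which a port 53 rule does not cover.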

Michael Brado, Official Rep

Thumbs up!

Matthew S

Thanks for the replies, guys. Tim, that's a great point. We have currently chosen not to deploy firewalls, though, since this is for our branch office public guest networks, which are entirely separated from our corporate network.

Tim Brumbaugh

If this is for your guest internet traffic, I am a little confused. Does it matter if your guest traffic uses a different/public DNS server to get to the internet? If they are totally separated physically or via a VLAN, then I am not sure of the issue. If it were me, I always have control of any traffic, wired or wireless, within any of my infrastructure and always have firewalls in place, even if it is just for guest traffic. Client isolation is turned on and the guest traffic is on a DMZ. I am a consultant and work with a lot of banks, schools and businesses, and the amount of attacks has increased so much in the past couple of years that it has become a de facto standard to deploy firewalls at any business site that has access to the internet; if you are not doing this, you are setting yourself up for failure. The hackers have turned their attention to small and medium-sized businesses, as they have become more lucrative and easier to hack, either via lack of security standards, phishing or social engineering, and we don't do any managed customers without certain standards in place, period.