Force DNS clients must use behind PIX firewall

I am trying to ensure that regardless of what DNS server clients may have specified in their IP properties, my internal DNS server is ALWAYS the one that gets used. A member of another forum suggested the following...

route-map dns-redirect permit 10
 match ip address 110
 set ip next-hop 192.168.0.8

! IOS names port 53 "domain", not "dns"; DNS queries are UDP as well as TCP
access-list 110 deny udp any any neq domain
access-list 110 deny tcp any any neq domain
access-list 110 deny udp host 192.168.0.8 any
access-list 110 deny tcp host 192.168.0.8 any
access-list 110 permit udp any any
access-list 110 permit tcp any any

interface FastEthernet0/0
 ip policy route-map dns-redirect

...I get the idea, but it doesn't work - and as I understand it, route-map is only supported on the PIX for use in BGP routing?

How can I accomplish this on the PIX (if possible), and if not, what is the smallest/cheapest router that can do this? I am open to any suggestions or config changes. Keep in mind I'll need to place the router on the INSIDE PIX interface so this route-map rule doesn't mess up lookups coming from the internal DNS server to an external DNS server (my ISP's DNS forwarders).

This is intentionally the way I want to do it; unfortunately I cannot enforce that users (lots of whom are clever, and local admins of their machines) use my internal DNS server as handed out via DHCP.

Reply to
JPElectron

It would be simpler to block all outbound DNS traffic except that coming from your DNS:

interface FastEthernet0/0
 ip access-group DNS out

! 192.168.0.8 is the internal DNS server address quoted earlier in the thread
ip access-list extended DNS
 permit udp host 192.168.0.8 any eq domain
 permit tcp host 192.168.0.8 any eq domain
 deny udp any any eq domain
 deny tcp any any eq domain
 permit ip any any

If you've got your heart set on hiding the fact that they're using your DNS, maybe you could put it on the outside, or another interface if you have more than one and NAT port 53 (UDP and TCP) to your server's IP address.

For my education, could you say why it is important to prevent your users from accessing another DNS?

Reply to
erik.freitag

We have some people at a company who apparently have lots of free time, are not too bright, or are and looking for an excuse to get out of doing work. Naturally my first solution was to fire those people, but clearly I'm in IT and not cut out for management, whatever.

They have stumbled upon opendns.com or put their DNS servers from home in their TCP/IP properties, then they call the help desk complaining they can't access internal network resources, or reach the intranet site, but they can surf the web just fine. Of course they try to make this into a big deal that the outside IT consultant is at fault, and some of them would like to play IT guy themselves - then it would be totally non-productive free-rein havoc for all of their friends.

I have done what you suggested, block TCP/UDP outbound on port 53 from everything except our internal DNS server - the problem is when they change their DNS to something else they are dead in the water (can't surf anywhere), then I suspect they'll call the helpdesk, and have a good 1-3 hour gap of basically saying they "can't work without the Internet".

For ease of making a case against these people I want the internal DNS to work regardless of what number they put in there. For one, our internal DNS (see formatting link) filters out bad stuff (ads, spyware, p*rn) and logs all activity, so I can plot a graph for managers that they are surfing myspace and checking home email instead of working. Because these users are all admins of their own machines and not always part of the Win2K3 AD (another IT suggestion that went ignored) I can't enforce a policy on their machines to always use the internal DNS servers, or to lock them out of changing IP properties - which is what I really wanted to do.

I think this "feature" of forcing all DNS queries to an internal server I specify is needed for the reason I describe above, but here's another....

Let's say a clever and disgruntled employee decides to run his own DNS at home, or wherever, and gets several co-workers to change their DNS to his. But he makes it so hotmail.com, paypal.com, myspace.com, etc. resolve to his own look-alike site (similar to a phishing scam) and basically steals everyone's username/passwords.

So... How can I force all DNS queries to go to the internal DNS server(s) that I specify? Currently, I only have a PIX firewall running 6.3 - but I would be willing to add a router, or a PIX running 7.2, if I knew I could accomplish this.

Reply to
JPElectron
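The outbound port-53 block described in the two posts above produces a firewall deny log entry every time a client tries an outside resolver, and those entries are the evidence the poster wants for "making a case". The following is an added example, not from the thread or any of its participants: it tallies blocked external DNS attempts per inside host from PIX syslog. The log lines are constructed samples, the `%PIX-4-106023` access-list deny message layout is assumed from the PIX syslog format, and 192.168.0.8 is taken from the thread as the sanctioned internal DNS server.

```python
import re
from collections import Counter, defaultdict

# Constructed sample PIX syslog lines (not taken from the thread). The deny
# lines follow the assumed "%PIX-4-106023: Deny ..." access-list deny layout;
# line 5 is an unrelated connection message and line 6 is a deny on port 80,
# both of which the tally must ignore.
SAMPLE_LOG = """\
Mar 10 09:12:01 pix %PIX-4-106023: Deny udp src inside:192.168.0.55/1031 dst outside:208.67.222.222/53 by access-group "DNS"
Mar 10 09:12:01 pix %PIX-4-106023: Deny udp src inside:192.168.0.55/1032 dst outside:208.67.220.220/53 by access-group "DNS"
Mar 10 09:12:05 pix %PIX-4-106023: Deny tcp src inside:192.168.0.77/2049 dst outside:4.2.2.2/53 by access-group "DNS"
Mar 10 09:12:09 pix %PIX-4-106023: Deny udp src inside:192.168.0.55/1033 dst outside:208.67.222.222/53 by access-group "DNS"
Mar 10 09:13:00 pix %PIX-6-302015: Built outbound UDP connection 4711 for outside:198.51.100.10/53 (198.51.100.10/53) to inside:192.168.0.8/53 (203.0.113.5/53)
Mar 10 09:13:02 pix %PIX-4-106023: Deny tcp src inside:192.168.0.55/1040 dst outside:198.51.100.20/80 by access-group "web_block"
"""

# Sanctioned internal DNS server (address quoted in the thread).
INTERNAL_DNS = {"192.168.0.8"}

# Assumed layout of the PIX access-list deny message.
DENY_RE = re.compile(
    r"%PIX-4-106023: Deny (?P<proto>udp|tcp) "
    r"src \w+:(?P<src>[\d.]+)/\d+ "
    r"dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r'by access-group "(?P<acl>[^"]+)"'
)


def external_dns_attempts(log_text, internal_dns=INTERNAL_DNS):
    """Map each inside host to {external resolver: blocked query count}."""
    attempts = defaultdict(Counter)
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if not m or m.group("dport") != "53":
            continue  # not an ACL deny, or not DNS traffic
        src, dst = m.group("src"), m.group("dst")
        if src in internal_dns:
            continue  # the forwarder itself is allowed out; not a policy violation
        attempts[src][dst] += 1
    return {src: dict(counts) for src, counts in attempts.items()}


def report(log_text, internal_dns=INTERNAL_DNS):
    """Rows of (host, total blocked queries, sorted resolver list), busiest first."""
    rows = []
    for src, dsts in external_dns_attempts(log_text, internal_dns).items():
        rows.append((src, sum(dsts.values()), sorted(dsts)))
    rows.sort(key=lambda row: (-row[1], row[0]))
    return rows


if __name__ == "__main__":
    for host, total, resolvers in report(SAMPLE_LOG):
        print(f"{host}: {total} blocked DNS queries to {', '.join(resolvers)}")
```

Feed it the firewall's syslog export instead of `SAMPLE_LOG`; hosts that appear in the report are the ones whose TCP/IP properties point somewhere other than the internal server, and the count shows how persistently they tried before calling the help desk.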

Use group policy to not allow end users to change IP settings, and be done with it.

Reply to
George W. Bush

JPElectron does not have the authority for that; JPElectron has stated that a number of the end users have the administrator passwords for their machines, and that management did not accept centralizing control on a Windows AD server.

Reply to
Walter Roberson

I have a similar situation where I want to block all IM. I've been partially successful by using DNS spoofing to block AIM and Microsoft Live Messenger (not to be confused with Windows Messenger). It works great and fortunately my users aren't all that tech savvy, but sooner or later someone will learn how to change their DNS servers.

If I had a router inside of the PIX, or was using the Router IOS firewall, or maybe the ASA, I could redirect all DNS requests to my internal server, which points the chosen web request to a fun page that says "A Significant Security Fault Has Been Detected With Your System. Contact Your Network Administrator Immediately". I love it when they try to explain that they weren't using aimexpress.com :-)

I understand the poster's situation: he needs to make sure DNS works but needs to prevent some web sites.

I've used Cisco's Access Control Server and Computer Associates Secure Content Manager for this. I like the CA SCM because it will produce reports and you can block access based on key word weights, and their prepopulated templates are pretty good.

Reply to
RC

No suggestions on how to accomplish this with route-map or other equipment?

Reply to
JPElectron

route-map is only for OSPF purposes in PIX 6 and 7.0, 7.1, 7.2.

If you were to put your DNS server onto a DMZ or outside the LAN, you could try a policy static with a "reverse NAT":

access-list all_outbound_dns permit udp any any eq 53
access-list all_outbound_dns permit tcp any any eq 53

static (dmz,inside) REMAPPEDIP access-list all_outbound_dns

with this, any packet hitting the inside interface that matches all_outbound_dns will have its *destination* address rewritten to REMAPPEDIP on the DMZ.

You will *not* be able to reroute inside packets to a server that is on the inside -- not possible in PIX 6. In PIX 7, it would not be completely impossible, but it would require setting up a VPN tunnel between the inside interface of the PIX and the DNS server (the DNS server or a device in front of it would have to terminate the VPN tunnel): that's the only way to redirect packets from the inside back towards the inside in PIX 7.0, 7.1, 7.2.

Reply to
Walter Roberson

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.