Prevent DNS Work-Around for Users


Some users on your network may try to bypass ScoutDNS resolvers by changing the DNS servers in their device network settings, where the device allows it. This can result in undesired content access on network assets, along with increased security risk. The good news is that DNS bypassing can be prevented with proper firewall rules and network configuration.

Setting DNS configuration network-wide will prevent most users from trying to bypass the system. Most routers and firewalls allow you to force all DNS traffic over port 53 on the router/firewall. In addition, you can create firewall rules that allow only ScoutDNS resolvers while blocking all others.

Firewall Rules

While exact commands may vary based on device, you essentially want to create rules like this:

ALLOW TCP/UDP IN/OUT to xxx.xxx.xxx.xxx on Port 53

and

BLOCK TCP/UDP IN/OUT all IP addresses on Port 53

On some firewalls you may have to create a separate rule for each protocol instead of one for both.
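
One way to express the two rules above on a Linux gateway with iptables, as an added example that is not ScoutDNS's own configuration: the script prints the commands for review, placing the allow rules ahead of the block and using one jump per protocol. The resolver addresses are placeholders from the documentation range and the chain name DNS_LOCKDOWN is hypothetical.

```shell
#!/bin/sh
# Added example: print iptables commands that restrict forwarded DNS (port 53)
# to approved resolvers. Nothing is applied until the output is piped to sh.

# Assumption: placeholder addresses from the documentation range. Replace them
# with the resolver IPs shown in your ScoutDNS account.
RESOLVERS="${RESOLVERS:-192.0.2.53 192.0.2.54}"
CHAIN="DNS_LOCKDOWN"   # hypothetical chain name

dns_lockdown_rules() {
    echo "iptables -N $CHAIN"

    # ALLOW: one accept per approved resolver. These must sit above the drop.
    for ip in $RESOLVERS; do
        echo "iptables -A $CHAIN -d $ip -j ACCEPT"
    done

    # BLOCK: every other destination on port 53.
    echo "iptables -A $CHAIN -j DROP"

    # Separate jump per protocol, inserted at the top of FORWARD so a broader
    # LAN-to-WAN accept rule cannot match DNS packets first. Replies from the
    # resolvers use source port 53, so they are not matched here.
    for proto in udp tcp; do
        echo "iptables -I FORWARD 1 -p $proto --dport 53 -j $CHAIN"
    done
}

# Print the commands when called with --print; review, then pipe to sh as root.
if [ "${1:-}" = "--print" ]; then
    dns_lockdown_rules
fi
```

These commands cover IPv4 only; a network that routes IPv6 needs the same rules through ip6tables with the resolvers' IPv6 addresses.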

Due to the huge number of devices on the market, ScoutDNS is unable to provide support for your specific firewall/router. Please consult your manufacturer if you require assistance. 
