Prevent DNS Work-Around for Users
Some users on your network may attempt to bypass ScoutDNS resolvers by changing the DNS servers in their device network settings. This can lead to unauthorized content access on network assets and increase security risks. Fortunately, DNS bypassing can be prevented with proper firewall rules and network configuration.
Setting a network-wide DNS configuration will prevent most users from bypassing the system. Most routers and firewalls allow you to force all DNS traffic through port 53. Additionally, you can create firewall rules that allow only ScoutDNS resolvers while blocking all others.
Firewall Rules
While exact commands may vary depending on your device, you essentially want to create rules like this, where xxx.xxx.xxx.xxx is the IP address of a ScoutDNS resolver:
ALLOW TCP/UDP IN/OUT to xxx.xxx.xxx.xxx on Port 53
and
BLOCK TCP/UDP IN/OUT all IP addresses on Port 53
On some firewalls, you may need to create separate rules for each protocol instead of a single rule for both.
Due to the vast number of devices on the market, ScoutDNS cannot provide support for specific firewalls or routers. Please consult your device manufacturer for assistance.
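Once the rules are in place, a check run from a client inside the network confirms they behave as intended. The script below is an added example, not ScoutDNS code: the allowed address 192.0.2.53 is a placeholder to replace with your ScoutDNS resolver IPs, and the function names and the choice of public resolvers to test against are assumptions.

```python
import random
import socket
import struct

# Placeholder (TEST-NET-1): replace with your ScoutDNS resolver IPs.
ALLOWED = ["192.0.2.53"]
# Well-known public resolvers that the BLOCK rule should stop.
OTHERS = ["8.8.8.8", "1.1.1.1", "9.9.9.9"]

def build_query(name, qid):
    """Wire-format DNS query: header + QNAME + QTYPE=A + QCLASS=IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def probe(ip, proto, name="example.com", port=53, timeout=3.0):
    """Return True if `ip` answers a DNS query over `proto` ('udp' or 'tcp')."""
    qid = random.randint(0, 0xFFFF)
    msg = build_query(name, qid)
    kind = socket.SOCK_DGRAM if proto == "udp" else socket.SOCK_STREAM
    try:
        with socket.socket(socket.AF_INET, kind) as s:
            s.settimeout(timeout)
            s.connect((ip, port))
            # DNS over TCP prefixes each message with a 2-byte length.
            s.sendall(msg if proto == "udp" else struct.pack("!H", len(msg)) + msg)
            data = s.recv(512)
    except OSError:  # timeout, refused, unreachable: nothing got through
        return False
    if proto == "tcp":
        data = data[2:]
    # A reply echoes our ID and has the QR (response) bit set.
    return len(data) >= 4 and data[:2] == msg[:2] and bool(data[2] & 0x80)

def audit(allowed, others, probe_fn=probe):
    """Check both protocols, since some firewalls need a rule per protocol."""
    findings = []
    for proto in ("udp", "tcp"):
        for ip in allowed:
            if not probe_fn(ip, proto):
                findings.append(f"{proto} {ip}: allowed resolver unreachable")
        for ip in others:
            if probe_fn(ip, proto):
                findings.append(f"{proto} {ip}: bypass possible, BLOCK rule not effective")
    return findings

if __name__ == "__main__":
    for line in audit(ALLOWED, OTHERS) or ["OK: only the allowed resolvers answer on port 53"]:
        print(line)
```

If the firewall redirects port 53 traffic to the approved resolvers instead of blocking it, the public resolvers will appear to answer, so a "bypass possible" finding on such a network needs to be checked against the firewall's redirect configuration.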