Prevent DNS Work-Around for Users
Some users on your network may attempt to bypass ScoutDNS resolvers by changing the DNS servers in their device network settings. This can lead to unauthorized content access on network assets and increase security risks. Fortunately, DNS bypassing can be prevented with proper firewall rules and network configuration.
Setting a network-wide DNS configuration will prevent most users from bypassing the system. Most routers and firewalls allow you to force all DNS traffic through port 53. Additionally, you can create firewall rules that allow only ScoutDNS resolvers while blocking all others.
Firewall Rules
While exact commands may vary depending on your device, you essentially want to create rules like this:
ALLOW TCP/UDP IN/OUT to xxx.xxx.xxx.xxx on Port 53
and
BLOCK TCP/UDP IN/OUT all IP addresses on Port 53
On some firewalls, you may need to create separate rules for each protocol instead of a single rule for both.
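As an added example (not ScoutDNS-provided configuration), this script prints the rule pair above for a Linux-based router using iptables, with one rule per protocol and the allow rules ahead of the block rules. The interface name eth1 and the resolver addresses 192.0.2.53 and 198.51.100.53 are placeholders; substitute your LAN interface and your ScoutDNS resolver IPs.

```shell
#!/bin/sh
# Added example: prints (does not apply) iptables rules for review.
# Assumptions: Linux router, LAN-side interface and resolver IPs are placeholders.

# Return 0 if $1 is a dotted-quad IPv4 address with each octet in 0-255.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; safe, input is digits and dots only
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Usage: dns_lockdown_rules <lan_if> <resolver_ip>...
dns_lockdown_rules() {
    lan_if=$1; shift
    [ "$#" -ge 1 ] || { echo "need at least one resolver IP" >&2; return 1; }
    # Validate everything before printing so no partial rule set is emitted.
    for ip in "$@"; do
        is_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 1; }
    done
    # ALLOW rules go first: iptables acts on the first rule that matches.
    for ip in "$@"; do
        for proto in udp tcp; do
            echo "iptables -A FORWARD -i $lan_if -p $proto -d $ip --dport 53 -j ACCEPT"
        done
    done
    # BLOCK rules: all other port 53 traffic, one rule per protocol.
    for proto in udp tcp; do
        echo "iptables -A FORWARD -i $lan_if -p $proto --dport 53 -j DROP"
    done
}

# Constructed sample invocation with placeholder values.
dns_lockdown_rules eth1 192.0.2.53 198.51.100.53
```

If the block rules were added before the allow rules, queries to the approved resolvers would be dropped as well.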
Due to the vast number of devices on the market, ScoutDNS cannot provide support for specific firewalls or routers. Please consult your device manufacturer for assistance.