topic Re: DNS Block and Notification on Specific Networks in General Topics

DNS Block and Notification on Specific Networks

jsalmans — Tue, 13 Aug 2019 15:50:47 GMT

Greetings all,

I'm toning down some of our NAC enforcement in favor of trying to find other ways to secure the network (lots of users on BYOD don't like to install a 3rd party client to monitor their device). One of the things we were doing was to check for proper DNS settings. We block external DNS in favor of using several sets of internal servers so that our BYOD users still have access to internal services that aren't available on the public Internet. We're also interested in possibly using a DNS security service at some point so keeping DNS queries internal seems like a good policy still.

I had originally thought to catch the DNS queries on the way out the firewall and then somehow provide a notification to the user that they need to set their DNS settings to Obtain Automatically from DHCP. I thougth I had figured out how to do this at some point but, for the life of me, I can't remember what I was going to do. Blocking, obviously, is no problem but is there any way to provide from the firewall to provide a notice to the end user without them running GlobalProtect or something? For an application block like Facebook, the browser is open and intigating the app usage but DNS happens a lot behind the scenes and I wasn't sure if there was a way to display the notification.

Thanks!

Re: DNS Block and Notification on Specific Networks

Mick_Ball — Wed, 14 Aug 2019 06:20:23 GMT

Just a thought... would the entire operation be smoother if you just forwarded all DNS requests to your internal boxes via NAT policies...?

Re: DNS Block and Notification on Specific Networks

jsalmans — Wed, 14 Aug 2019 12:54:12 GMT

@Mick_Ball wrote:
Just a thought... would the entire operation be smoother if you just forwarded all DNS requests to your internal boxes via NAT policies...?

Possibly and it is certainly something to consider. I'm not sure how many of these devices are using anything like DNSSEC. The worst part would be that I'd probably have to do a hairpin NAT since the servers reside on the same area of the network as the users I want to do this for so I'd have to adjust both source and destination IPs.

Another alternative might be to spoof the IP addresses on the DNS servers themselves so that they respond to queries to 8.8.8.8 and 8.8.4.4 but I'm not sure if that is considered bad practice.

Re: DNS Block and Notification on Specific Networks

Mick_Ball — Wed, 14 Aug 2019 13:16:05 GMT

spoofing would work but of course this would need to be routable.... also... if you are using google as a forwarder for external dennis then big fail. Not to mention RFC1918 blahdy blah........

The NAT will only need to setup once and then left alone, no security policy required as interzoney stuff...

PAN knows this as a U-Turn NAT.

helpful link here....

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEiCAK

Re: DNS Block and Notification on Specific Networks

TSilverline — Sun, 18 Aug 2019 01:57:54 GMT

There is no method to return a display to the user that their DNS settings need to be updated.

The NAT idea is interesting and maybe the best option besides expecting your users to eventually figure it out.

I would certainly not use spoofing - and it wouldnt resolve the overall problem. Sure, Google's DNS servers are probably the most popular but there are infinite other options people could use that would break.

Personally, I would just publish the policy that you don't accept static IP (or DNS) configurations and let users figure it out. But obviously, every organization is different.