I'm toning down some of our NAC enforcement in favor of trying to find other ways to secure the network (lots of users on BYOD don't like to install a 3rd party client to monitor their device). One of the things we were doing was to check for proper DNS settings. We block external DNS in favor of using several sets of internal servers so that our BYOD users still have access to internal services that aren't available on the public Internet. We're also interested in possibly using a DNS security service at some point so keeping DNS queries internal seems like a good policy still.
I had originally thought to catch the DNS queries on the way out the firewall and then somehow provide a notification to the user that they need to set their DNS settings to Obtain Automatically from DHCP. I thougth I had figured out how to do this at some point but, for the life of me, I can't remember what I was going to do. Blocking, obviously, is no problem but is there any way to provide from the firewall to provide a notice to the end user without them running GlobalProtect or something? For an application block like Facebook, the browser is open and intigating the app usage but DNS happens a lot behind the scenes and I wasn't sure if there was a way to display the notification.
Just a thought... would the entire operation be smoother if you just forwarded all DNS requests to your internal boxes via NAT policies...?
Possibly and it is certainly something to consider. I'm not sure how many of these devices are using anything like DNSSEC. The worst part would be that I'd probably have to do a hairpin NAT since the servers reside on the same area of the network as the users I want to do this for so I'd have to adjust both source and destination IPs.
Another alternative might be to spoof the IP addresses on the DNS servers themselves so that they respond to queries to 220.127.116.11 and 18.104.22.168 but I'm not sure if that is considered bad practice.
spoofing would work but of course this would need to be routable.... also... if you are using google as a forwarder for external dennis then big fail. Not to mention RFC1918 blahdy blah........
The NAT will only need to setup once and then left alone, no security policy required as interzoney stuff...
PAN knows this as a U-Turn NAT.
helpful link here....
There is no method to return a display to the user that their DNS settings need to be updated.
The NAT idea is interesting and maybe the best option besides expecting your users to eventually figure it out.
I would certainly not use spoofing - and it wouldnt resolve the overall problem. Sure, Google's DNS servers are probably the most popular but there are infinite other options people could use that would break.
Personally, I would just publish the policy that you don't accept static IP (or DNS) configurations and let users figure it out. But obviously, every organization is different.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!