Force DNS clients must use behind PIX firewall

Discussion in 'Cisco' started by JPElectron, Nov 12, 2006.

  1. JPElectron

    JPElectron Guest

    I am trying to ensure that regardless of what DNS server clients may
    have specified in their IP properties, that my internal DNS server is
    ALWAYS the one that gets used. A member of another forum suggested
    the following...

    route-map dns-redirect permit 10
    match ip address 110
    set ip next-hop

    access-list 110 deny tcp any any neq dns
    access-list 110 deny tcp host any
    access-list 110 permit tcp any any

    int fa0/0
    ip policy route-map dns-redirect

    ....I get the idea, but it doesn't work - and as I understand it
    route-map is only supported on the PIX for use in BGP routing?

    How can I accomplish this on the PIX (if so) and if not, what is the
    smallest/cheapest router that can do this? I am open to any
    suggestions, or config changes, keep in mind I'll need to place the
    router on the INSIDE PIX interface so this route-map rule doesn't mess
    up lookups coming from the internal DNS server to an external DNS
    server (my ISP's DNS forwarders).

    This is intentionally the way I want to do it, unfortunately I cannot
    enforce that users (lots who are clever, and local admin of their
    machines) use my internal DNS server as handed out via DHCP.
    JPElectron, Nov 12, 2006

  2. erik.freitag

    erik.freitag Guest

    It would be simpler to block all outbound DNS traffic except that
    coming from your DNS:

    interface FastEthernet 0/0
    ip access-group DNS out

    ip access-list extended DNS
    permit udp host <your-dns-ip> any eq domain
    permit tcp host <your-dns-ip> any eq domain
    deny udp any any eq domain
    deny tcp any any eq domain
    permit ip any any

    If you've got your heart set on hiding the fact that they're using your
    DNS, maybe you could put it on the outside, or another interface if you
    have more than one, and NAT port 53 (UDP and TCP) to your server's IP.

    For my education, could you say why it is important to prevent your
    users from accessing another DNS?
    erik.freitag, Nov 12, 2006

  3. JPElectron

    JPElectron Guest

    We have some people at a company who apparently have lots of free time,
    are not too bright, or are, and are looking for an excuse to get out of
    doing work. Naturally my first solution was to fire those people, but
    clearly I'm in IT and not cut out for management, whatever.

    They have stumbled upon or put their DNS servers from home
    in their TCP/IP properties, then they call the help desk complaining
    they can't access internal network resources, or reach the intranet
    site, but they can surf the web just fine. Of course they try to make
    this into a big deal that the outside IT consultant is at fault, and
    some of them would like to play IT guy themselves - then it would be
    totally non-productive free-reign havoc for all of their friends.

    I have done what you suggested, block TCP/UDP outbound on port 53 from
    everything except our internal DNS server - the problem is when they
    change their DNS to something else they are dead in the water (can't
    surf anywhere), then I suspect they'll call the helpdesk, and have a
    good 1-3 hour gap of basically saying they "can't work without the

    For ease of making a case against these people I want the internal DNS
    to work regardless of what number they put in there. For one, our
    internal DNS ( see ) filters out bad stuff
    (ads, spyware, porn) and logs all activity, so I can plot a graph for
    managers that they are surfing myspace and checking home email instead
    of working. Because these users are all admins of their own machines
    and not always part of the Win2K3 AD (another IT suggestion that went
    ignored) I can't enforce a policy on their machines to always use the
    internal DNS servers, or to lock them out of changing IP properties -
    which is what I really wanted to do.

    I think this "feature" of forcing all DNS queries to an internal server
    I specify is needed for the reason I describe above, but here's

    Let's say a clever and disgruntled employee decides to run his own DNS
    at home, or wherever, and gets several co-workers to change their DNS
    to his. But he makes it so,,, etc.
    resolve to his own look-alike site (similar to a phishing scam) and
    basically steals everyone's username/passwords.

    So... How can I force all DNS queries to go to the internal DNS
    server(s) that I specify. Currently, I only have a PIX firewall
    running 6.3 - but I would be willing to add a router, or PIX running
    7.2 if I knew I could accomplish this.
    JPElectron, Nov 12, 2006
  4. Use group policy and not allow end users to change IP settings and be
    done with it.
    George W. Bush, Nov 13, 2006
  5. JPElectron does not have the authority for that; JPElectron has
    stated that a number of the end users have the administrator passwords
    for their machines, and that management did not accept centralizing
    control on a Windows AD server.
    Walter Roberson, Nov 13, 2006
  6. RC

    RC Guest

    I have a similar situation where I want to block all IM. I've been partially
    successful by using DNS spoofing to block AIM and Microsoft Live Messenger
    (not to be confused with Windows Messenger). It works great and fortunately
    my users aren't all that tech savvy, but sooner or later someone will learn
    how to change their DNS servers.

    If I had a router inside of the PIX, or was using the Router IOS firewall,
    or maybe the ASA I could redirect all DNS requests to my internal server,
    which points the chosen web request to a fun page that says "A Significant
    Security Fault Has Been Detected With Your System. Contact Your Network
    Administrator Immediately". I love it when they try to explain that they
    weren't using :)

    I understand the poster's situation, he needs to make sure DNS works but
    needs to prevent some web sites.

    I've used Cisco's Access Control Server and Computer Associates Secure
    Content Manager for this. I like the CA SCM because it will produce reports
    and you can block access based on key word weights, and their prepopulated
    templates are pretty good.


    The only thing I guarantee about my free advice is that it's mine and it's
    RC, Nov 13, 2006
  7. JPElectron

    JPElectron Guest

    No suggestions on how to accomplish this with route-map or other
    JPElectron, Nov 16, 2006
  8. route-map is only for OSPF purposes in PIX 6 and 7.0, 7.1, 7.2.

    If you were to put your DNS server onto a DMZ or outside the LAN,
    you could try a policy static with a "reverse NAT";

    access-list all_outbound_dns permit udp any any eq 53
    access-list all_outbound_dns permit tcp any any eq 53

    static (dmz,inside) REMAPPEDIP access-list all_outbound_dns

    with this, any packet hitting the inside interface that matches
    all_outbound_dns will have its *destination* address rewritten
    to REMAPPEDIP on the DMZ.

    You will *not* be able to reroute inside packets to a server that is
    on the inside -- not possible in PIX 6. In PIX 7, it would not be
    completely impossible, but it would require setting up a VPN tunnel
    between the inside interface of the PIX and the DNS server
    (the DNS server or a device in front of it would have to terminate
    the VPN tunnel): that's the only way to redirect packets from
    the inside back towards in the inside in PIX 7.0, 7.1, 7.2.
    Walter Roberson, Nov 16, 2006