Force DNS clients must use behind PIX firewall

I am trying to ensure that regardless of what DNS server clients may
have specified in thier IP properties, that my internal DNS server is
ALWAYS the one that gets used. A memeber of another forum suggested
the following...

route-map dns-redirect permit 10
match ip address 110
set ip next-hop 192.168.0.8

access-list 110 deny tcp any any neq dns
access-list 110 deny tcp host 192.168.0.8 any
access-list 110 permit tcp any any

int fa0/0
ip policy route-map dns-redirect

....I get the idea, but it doesn't work - and as I understand it
route-map is only supported on the PIX for use in BGB routing?

How can I accomplish this on the PIX (if so) and if not, what is the
smallest/cheapest router that can do this? I am open to any
suggestions, or config changes, keep in mind I'll need to place the
router on the INSIDE PIX interface so this route-map rule doesn't mess
up lookups comming from the internal DNS server to an external DNS
server (My ISPs/DNS Forwarders)

This is intentionally the way I want to do it, unfortunatly I cannot
enforce that users (lots who are clever, and local admin of thier
machines) use my internal DNS server as handed out via DHCP.

 

It would be simpler to block all outbound DNS traffic except that
coming from your DNS:

interface FastEthernet 0/0
ip access-group DNS out

ip access-list extended DNS
permit udp host <your-dns-ip> any domain
permit tcp host <your-dns-ip> any domain
deny udp any any domain
deny tcp any any domain
permit ip any any

If you've got your heart set on hiding the fact that they're using your
DNS, maybe you could put it on the outside, or another interface if you
have more than one and NAT port 53 (UDP and TCP) to your server's IP
address.

For my education, could you say why it is important to prevent your
users from accessing another DNS?

 

We have some people at a company who apparently have lots of free time,
are not too bright, or are and looking for an excuse to get out of
doing work. Naturally my first solution was to fire those people, but
clearly I'm in IT and not cut-out for mangement, whatever.

They have stumbled upon opendns.com or put thier DNS servers from home
in thier TCP/IP properties, then they call the help desk complaining
they can't access internal network resources, or reach the intranet
site, but they can surf the web just fine. Of course they try to make
this into a big deal that the outside IT consultant is at fault, and
some of them would like to play IT guy themselves - then it would be
totally non-productive free-reign havoc for all of thier friends.

I have done what you suggested, block TCP/UDP outbound on port 53 from
everything except our internal DNS server - the problem is when they
change thier DNS to something else they are dead in the water (can't
surf anywhere), then I suspect they'll call the helpdesk, and have a
good 1-3 hour gap of basically saying they "can't work without the
Internet"

For ease of making a case against these people I want the internal DNS
to work regardless of what number they put in there. For one, our
internal DNS ( see http://www.dnsredirector.com ) filters out bad stuff
(ads, spyware, porn) and logs all activity, so I can plot a graph for
managers that they are surfing myspace and checking home email instead
of working. Because these users are all admins of thier own machines
and not always part of the Win2K3 AD (another IT suggestion that went
ignored) I can't enforce a policy on thier machines to always use the
internal DNS servers, or to lock them out of changing IP properties -
which is what I really wanted to do.

I think this "feature" of forcing all DNS queries to an internal server
I specify is needed for the reason I describe above, but here's
another....

Lets say a clever and disgruntaled employee decides to run his own DNS
at home, or wherever, and gets several co-workers to change thier DNS
to his. But he makes it so hotmail.com, paypal.com, myspace.com, etc.
resolve to his own look-alike site (similar to a phishing scam) and
basically steals everyone's username/passwords.

So... How can I force all DNS queries to go to the internal DNS
server(s) that I specify. Currently, I only have a PIX firewall
running 6.3 - but I would be willing to add a router, or PIX running
7.2 if I knew I could accomplish this.

 

Use group policy and not allow end users to change IP settings and be
done with it.

 

JPElectron does not have the authority for that; JPElectron has
stated that a number of the end users have the administrator passwords
for their machines, and that management did not accept centralizing
control on a Windows AD server.

 

I have a similar situation where I want to block all IM. I've been partially
successful by using DNS spoofing to block AIM and Microsoft Live Messenger
(not to be confused with Windows Messenger). It works great and fortunately
my users aren't all that tech savvy, but sooner or later someone will learn
how to change their DNS servers.

If I had a router inside of the PIX, or was using the Router IOS firewall,
or maybe the ASA I could redirect all DNS request to my internal server,
which points the chosen web request to a fun page that says "A Significant
Security Fault Has Been Detected With Your System. Contact Your Network
Administrator Immediately" I love it when they try to explain that they
weren't using aimexpress.com

I understand the posters situation, he needs to make sure DNS works but
needs to prevent some web sites.

I've used Cisco's Access Control Server and Computer Associates Secure
Content Manager for this. I like the CA SCM because it will produce reports
and you can block access based on key word weights, and their prepopulated
templates are pretty good.

--
RC
rcohen_at_cominc_dot_net

The only thing I guaranty about my free advice is that it's mine and it's
free.

 

no suggestions on how to accomplish this with route-map or other
equipment?

 

route-map is only for OSPF purposes in PIX 6 and 7.0, 7.1, 7.2.

If you were to put your DNS server onto a DMZ or outside the LAN,
you could try a policy static with a "reverse NAT";

access-list all_outbound_dns permit udp any any eq 53
access-list all_outbound_dns permit tcp any any eq 53

static (dmz,inside) REMAPPEDIP access-list all_outbound_dns

with this, any packet hitting the inside interface that matches
all_outbound_dns will have its *destination* address rewritten
to REMAPPEDIP on the DMZ.


You will *not* be able to reroute inside packets to a server that is
on the inside -- not possible in PIX 6. In PIX 7, it would not be
completely impossible, but it would require setting up a VPN tunnel
between the inside interface of the PIX and the DNS server
(the DNS server or a device in front of it would have to terminate
the VPN tunnel): that's the only way to redirect packets from
the inside back towards in the inside in PIX 7.0, 7.1, 7.2.