In a typical network level CleanBrowsing deployment, pointing DNS to CleanBrowsing alone may not be sufficient to enforce CleanBrowsing protections. Savvy users may attempt to bypass CleanBrowsing by changing the DNS settings on their machines or using encrypted DNS technologies like DOH.
This article discusses ways to lock down your network to prevent any other DNS service from being used to bypass CleanBrowsing settings and protection.
Mitigating Local DNS Changes
The most effective solution to blocking DNS changes locally on a device is to force DNS on your network. Most routers and firewalls will allow you to force all DNS traffic over port 53 on the router, thus requiring everyone on the network to use the DNS settings defined on the router.
Using this mechanism allows you to forward all DNS traffic to you preferred DNS resolver.
While all routers are different, you are looking to create a rule that only allows DNS (TCP / UDP) traffic to go to the CleanBrowsing IP’s we issue in your account. The rule will look something like this:
ALLOW TCP/UDP IN/OUT to 185.228.168.xxx or 185.228.169.xxx on Port 53
BLOCK TCP/UDP IN/OUT all IP addresses on Port 53 The first rule trumps the second rule, so anything requests to Umbrella are allowed but any DNS requests to any other IP are blocked.
Depending on your firewall configuration interface, you may need to configure a separate rule for each of these protocols or one rule which covers them both. The rule can be applied on either the firewall or the router, but normally is best placed on the device most at network edge. A similar rule could be applied to software firewalls installed on a workstation as well, such as the built-in firewall on Windows or Mac OS/X.
Alternatively, here is how you would do something similar if working with Linux IPTables:
# Flush existing iptables rules (optional, use with caution)
sudo iptables -F
# Block DNS traffic to unwanted resolver
sudo iptables -A OUTPUT -p udp --dport 53 -d 1.2.3.4 -j DROP
sudo iptables -A OUTPUT -p tcp --dport 53 -d 1.2.3.4 -j DROP
# Redirect DNS traffic to desired resolver
sudo iptables -A OUTPUT -p udp --dport 53 -j DNAT --to-destination 185.228.168.XXX:53
sudo iptables -A OUTPUT -p tcp --dport 53 -j DNAT --to-destination 185.228.168.XXX:53
Mitigating DOH Evasion Attempts
Encrypted DNS (DOH and DOT) is a reality that all network administrators have to deal with. With all the good it brings, it also introduces challenges that include limiting our defensive controls and ability to control what is and is not accessed on our networks. It’s further complicated because it moves networking technology from the device up the stack into applications like browsers and apps.
To help address this, you must take additional steps to enhance your existing controls to account for encrypted technologies.
Addressing DOH
CleanBrowsing supports the “use-application-dns.net” domain as defined by Mozilla to prevent Firefox from enabling DoH by default. We additionally identify and categorize all DoH servers in our “Proxy / VPN” category.
While we block DoH domains, some resolvers allow users to resolve directly off their IP. To mitigate this, we recommend creating Firewall rules that block the most prevalent DOH ranges that allow IP’s to be accessed directly. Here are the most common:
1.0.0.0/8
8.8.0.0/16
9.9.0.0/16
149.112.112.0/24
149.112.121.0/24
45.90.28.0/24
45.90.28.30/24Addressing DOT
In addition to blocking all alternate DNS providers and DoH, DNS may still be bypassed over TLS. This uses the RFC7858 standard over port 853. One example of a DoT provider is CloudFlare.
Here is an example of how to block a DoT provider:
Block 1.1.1.1 and 1.0.0.1: port 853 (CloudFlare)Mitigating VPN Evasion Attempts
Blocking VPN connections at the network level can be challenging because VPN traffic can be disguised to look like regular HTTPS traffic. You must augment your DNS filtering with Firewall rules to effectively mitigate VPN evasions.
Within your CleanBrowsing dashboard you can enable the “Proxy & VPNs” category to block domains used by VPN providers.
Additionally, you want to configure your Firewall to block common VPN protocols and ports. Every router / gateway is different, but here are common protocols and associated ports to add to your edge:
| Protocol | Ports | Description |
|---|---|---|
| OpenVPN | By default, OpenVPN uses UDP port 1194, but it can be configured to use TCP on port 443 for better compatibility with restrictive networks. | OpenVPN is an open-source VPN protocol known for its flexibility and security. |
| IPsec (Internet Protocol Security) | UDP ports 500 (IKE) and 4500 (NAT-T) for IKEv1 and IKEv2. ESP (Encapsulating Security Payload) protocol for the actual encrypted data, which doesn’t have a specific port but is typically encapsulated within UDP or TCP packets. | IPsec is a suite of protocols used for secure IP communications, typically employed in site-to-site VPNs and remote access VPNs. |
| L2TP/IPsec (Layer 2 Tunneling Protocol over IPsec) | L2TP uses UDP port 1701 for tunneling, while IPsec uses UDP ports 500 and 4500 for IKE negotiation and ESP for data transmission. | L2TP/IPsec is a combination of L2TP for tunneling and IPsec for encryption/authentication. |
| PPTP (Point-to-Point Tunneling Protocol) | PPTP uses TCP port 1723 for control messages and GRE (Generic Routing Encapsulation) protocol 47 for data transmission. | PPTP is an older VPN protocol known for its simplicity but considered less secure than newer alternatives. |
| SSTP (Secure Socket Tunneling Protocol) | SSTP uses TCP port 443, making it difficult to distinguish from regular HTTPS traffic and often used in environments where other VPN protocols are blocked. | SSTP is a VPN protocol developed by Microsoft for Windows-based systems. |
| WireGuard | Typically uses a single UDP port for communication. The default port used by WireGuard is 51820, but this can be configured during setup. | A relatively newer VPN protocol known for its simplicity, speed, and modern cryptographic design. |
Here is an example of how you might block these protocols via a Firewall like IPTables:
# Block OpenVPN traffic
sudo iptables -A OUTPUT -p udp --dport 1194 -j DROP
sudo iptables -A OUTPUT -p tcp --dport 1194 -j DROP
# Block WireGuard traffic
sudo iptables -A OUTPUT -p udp --dport 51820 -j DROP
# Block IKEv2/IPsec traffic
sudo iptables -A OUTPUT -p udp --dport 500 -j DROP
sudo iptables -A OUTPUT -p udp --dport 4500 -j DROP
# Block L2TP/IPsec traffic
sudo iptables -A OUTPUT -p udp --dport 1701 -j DROP
# Block SSTP traffic
sudo iptables -A OUTPUT -p tcp --dport 443 -j DROPMitigating VPN evasion attempts requires time, technology and patience. Read more to learn how to create a holistic strategy to blocking VPN on your network.