
How To Block Local DNS Bypasses with Router Firewall Rules

A common concern is how to address the issue of devices bypassing network controls by making local network changes on the device. The most obvious answer is to prevent those types of changes on the device. That being said, that’s not always possible for a network administrator (i.e., maybe you don’t own the device).

To combat this, we turn our focus to the network firewall. You might have this as a separate appliance on your network or, more likely, it is part of your router appliance. Regardless of where it sits, you likely have a network firewall, and we can use it to create rules that control outbound requests.

This article will focus on how to prevent local bypass attempts by network users who try to manipulate their device settings. It will show you how to use a firewall to explicitly allow and block DNS-specific traffic on a network. This example uses the Unifi DreamPro machine, but the principles and examples shown should be similar to what you find in other firewall applications.

Video Tutorial Using the UniFi DreamPro Appliance

Block DNS Resolvers On a Network

Step 1. Log into your Firewall / Router

Every router is different; log into yours.

Step 2. Navigate to the Network Firewall settings.

Depending on your device, this can be anywhere, but it is often found in the main navigation (possibly under ‘Security’).

In the Unifi DreamPro OS you will see something like this:

Step 3: Create Two Outbound Entries

What you’re looking to do is create two rules that control what is and is not allowed on your network.

Allow CleanBrowsing DNS Resolver

Via the DreamPro console you have the option to create simple and advanced rules.

Using the simple rules, create an entry that looks something like this:

Action: Allowed
Source: Default Network
Destination: Include your preferred Resolver Address (e.g., CleanBrowsing)

It will look like this:

Block Unapproved DNS Resolver

Now we create an outbound rule that blocks DNS queries that are not using our preferred resolver.

Using the same Simple interface, we do something like this:

Action: Block
Source: Default Network
Destination: IP Address

Example:

IP Address: 1.1.1.1
Port: 53

Enter all the DNS resolvers you want to block. We provide a list of common resolvers below.

It would look something like this:

When it’s done it will look something like this:

Additional Information: Commonly Used DNS Resolvers

Here is a quick list of commonly used DNS resolvers and their corresponding IP addresses:

Provider            Primary DNS       Secondary DNS
Google              8.8.8.8           8.8.4.4
CloudFlare          1.1.1.1           1.0.0.1
OpenDNS             208.67.222.222    208.67.220.220
Quad9               9.9.9.9           149.112.112.112
Comodo Secure DNS   8.26.56.26        8.20.247.20
Level 3             209.244.0.3       209.244.0.4
Verisign            64.6.64.6         64.6.65.6
DNS.Watch           84.200.69.80      84.200.70.40
Yandex DNS          77.88.8.8         77.88.8.1
Neustar             156.154.70.1      156.154.71.1

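To see how the two rules from Step 3 interact, here is an added Python model (not code from this article or from CleanBrowsing) of a router firewall evaluating rules top-down with first match wins. It loads the resolver table above as the block list, uses a placeholder address (203.0.113.53, a documentation-range address) for the approved resolver since the article does not list one, and goes one step beyond the article by comparing the per-IP block list with a catch-all block on port 53 so you can check which destinations each policy still lets through.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address

# Placeholder for your approved resolver; replace with the real address
# from your resolver provider. 203.0.113.53 is a documentation-range stand-in.
PREFERRED_RESOLVER = "203.0.113.53"

# Public resolvers from the table above, flattened into one set.
LISTED_RESOLVERS = frozenset({
    "8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1",
    "208.67.222.222", "208.67.220.220", "9.9.9.9", "149.112.112.112",
    "8.26.56.26", "8.20.247.20", "209.244.0.3", "209.244.0.4",
    "64.6.64.6", "64.6.65.6", "84.200.69.80", "84.200.70.40",
    "77.88.8.8", "77.88.8.1", "156.154.70.1", "156.154.71.1",
})

@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "block"
    dst: frozenset | None    # destination IPs the rule matches; None = any
    port: int | None         # destination port it matches; None = any

def first_match(rules, dst_ip, dst_port, default="allow"):
    """Evaluate rules top-down as a router firewall does: the first rule that
    matches the flow decides, and an unmatched flow gets the default action."""
    dst_ip = str(ip_address(dst_ip))  # validates and normalises the address text
    for r in rules:
        if (r.dst is None or dst_ip in r.dst) and r.port in (None, dst_port):
            return r.action
    return default

# Policy A: the article's two rules, allow the approved resolver first,
# then block the listed public resolvers on port 53.
ARTICLE_RULES = [
    Rule("allow", frozenset({PREFERRED_RESOLVER}), None),
    Rule("block", LISTED_RESOLVERS, 53),
]

# Policy B: same allow rule, but the block rule covers any other port-53 destination,
# so a resolver missing from the list is still blocked. Order still matters:
# put the block rule first and the approved resolver is blocked too.
CATCH_ALL_RULES = [
    Rule("allow", frozenset({PREFERRED_RESOLVER}), 53),
    Rule("block", None, 53),
]

def dns_verdict(rules, dst_ip):
    """Verdict for a plain DNS query (UDP/TCP port 53) to dst_ip."""
    return first_match(rules, dst_ip, 53)
```

Neither policy touches port 443 or 853, so DNS-over-HTTPS or DNS-over-TLS to an outside resolver is not covered by these rules and needs separate handling.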
Updated on October 21, 2024
