How do I block DNS traffic from getting out through a firebox?

I made policies trying everything I could think of to block all traffic from getting out from a host on one of my VLANs but DNS still gets through. I see it's an Internal policy that's being allowed even if I try blocking Any to the Firebox.

Allow dns/udp 57636 53 VLAN_01 Firebox DNS Forwarding 60 63 (Internal Policy) proc_id="firewall" rc="100" msg_id="3000-0148" record_type="A" question="www.google.com"

I have DNS Watch configured on the firebox but even if I don't have it enforced for the interface, DNS resolution is still occurring for the host.

The host is on a wired extension from a WG Access Point on VLAN_01 and has a NAT IP of The firebox sees the host as as shown in the log.

james.carson (Moderator, WatchGuard Representative)

    Hi @user808
    If you have DNSWatch turned on for the firewall, DNS forwarding will also be enabled, so this traffic is redirected to whatever DNS servers are defined in DNSWatch.

    You may need to expose the "enable configuration of policies for traffic generated by the firebox" in Setup -> Global Settings and put your deny policy from that specific IP to ANY.

    -James Carson
    WatchGuard Customer Support
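The practical way to confirm what James describes is to look at the traffic log itself: a query handled by DNS forwarding is logged against the built-in "DNS Forwarding" policy with the "(Internal Policy)" tag, before any user-defined policy is consulted. The following is an added example (not WatchGuard code and not part of the thread) that parses lines in the shape of the one pasted in the question and flags DNS queries that were answered by that internal policy. It assumes the column layout of the pasted line, which has no IP addresses; the second sample line is constructed for contrast.

```python
import re
from dataclasses import dataclass, field

# Head of a Firebox traffic log line, in the shape shown in the thread.
# Assumption: no IP address columns, exactly as in the pasted line; an
# export that includes them would need the pattern extended.
_HEAD = re.compile(
    r"^(?P<action>Allow|Deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src_port>\d+)\s+(?P<dst_port>\d+)\s+"
    r"(?P<src_if>\S+)\s+(?P<dst_if>\S+)\s+"
    r"(?P<policy>.+?)\s+(?P<len1>\d+)\s+(?P<len2>\d+)"
    r"\s*(?P<internal>\(Internal Policy\))?\s*(?P<rest>.*)$"
)
# Trailing key="value" pairs (proc_id, msg_id, record_type, question, ...)
_KV = re.compile(r'(\w+)="([^"]*)"')


@dataclass
class TrafficRecord:
    action: str
    proto: str
    src_port: int
    dst_port: int
    src_if: str
    dst_if: str
    policy: str
    internal_policy: bool
    fields: dict = field(default_factory=dict)


def parse_traffic_log(line):
    """Parse one traffic log line; return None if it does not match."""
    m = _HEAD.match(line.strip())
    if not m:
        return None
    return TrafficRecord(
        action=m["action"],
        proto=m["proto"],
        src_port=int(m["src_port"]),
        dst_port=int(m["dst_port"]),
        src_if=m["src_if"],
        dst_if=m["dst_if"],
        policy=m["policy"],
        internal_policy=m["internal"] is not None,
        fields=dict(_KV.findall(m["rest"])),
    )


def is_internal_dns_forward(rec):
    """True when a DNS query was allowed by the built-in forwarding policy."""
    return (
        rec.action == "Allow"
        and rec.dst_port == 53
        and rec.internal_policy
        and "DNS Forwarding" in rec.policy
    )


def find_internal_dns_forwards(lines):
    """Return (source interface, source port, queried name) for every
    query that bypassed user-defined policies via DNS forwarding."""
    hits = []
    for line in lines:
        rec = parse_traffic_log(line)
        if rec and is_internal_dns_forward(rec):
            hits.append((rec.src_if, rec.src_port, rec.fields.get("question", "")))
    return hits


# First line is the one from the question; the second is constructed to
# show what a hit on a user-defined deny policy would look like.
SAMPLE_LINES = [
    'Allow dns/udp 57636 53 VLAN_01 Firebox DNS Forwarding 60 63 (Internal Policy) '
    'proc_id="firewall" rc="100" msg_id="3000-0148" record_type="A" question="www.google.com"',
    'Deny dns/udp 50123 53 VLAN_01 Firebox Block-VLAN01-Out 60 63 '
    'proc_id="firewall" msg_id="3000-0148" record_type="A" question="example.com"',
]

if __name__ == "__main__":
    for src_if, src_port, name in find_internal_dns_forwards(SAMPLE_LINES):
        print(f"DNS forwarding handled {name!r} from {src_if}:{src_port} before user policies")
```

Run it over a log export from Traffic Monitor or the log server; any line reported here was decided by the internal policy, so a deny rule in the ordinary policy list will never see it, which is why the Firebox-generated-traffic policies have to be exposed first.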

    Also check if you have DNS forwarding enabled on your firewall.
    Look on the WIND/DNS tab.
    If so, DNS forwarding will be done prior to any of your policies, so you need to do what James indicated above to add a DNS policy which should be used.

    Hi Bruce,

With DNSWatch no DNS forwarding enabled, this morning I disabled the "dnscache service" on my PC (Windows 10) and re-enabled DNSWatch, I'm doing some tests ....

    Thanks guys for your help. I tried James's suggestion without success and verified DNS forwarding wasn't configured where Bruce said to look. I opened a ticket with support and it has been escalated to DNSWatch specialists. I plan to do more testing in the morning.
