DNS Packet vs. Proxy Policy

I'm curious what everyone is running in regards to their outbound DNS policies. Are you using the DNS Packet Filter or DNS Proxy and why?

Comments

  • Proxy.
    So that I can block selected DNS queries for some domains.

  • I use a Proxy, for Bruce's reasons, and in the hope that it only allows DNS traffic so that IF an allowed computer were to get something malicious on it, it could not just go out port 53 untouched to retrieve payloads. I want the same behavior as an HTTP proxy that stops SMTP traffic on port 80 because it doesn't match the HTTP protocol.

    Gregg Hill

    Firebox T15/T35-W
    Fireware 12.5 Update 1 build 599856
    WSM 12.5 build 596863
    ISP = Spectrum Cable 100 x 10 service
    Management computers: Win 8.1 Pro 64-bit, Win 10 Pro 64-bit, Server 2012 R2

  • Gregg, that's my current reason for leveraging DNS-Proxy; however, two of my T35s are experiencing performance issues because of it, and WG Support recommended switching over to the DNS Packet rule.

  • The other way I did it was with a packet filter, but going to an alias containing a list of the root DNS servers and whatever DNS servers I was using. That way, port 53 outbound was open, but not just to anywhere. I just switched to a proxy recently due to abysmal DNS lookups at certain times. I still have not identified the actual cause of the slow lookups because they happen randomly.

    Gregg Hill


  • I also have outbound DNS traffic limited to specific IPs, so I'm wondering how much additional value/benefit there is in Proxy over Packet policies.
    Or really in this case, how much security is lost moving from Proxy to Packet filtering...

  • James_Carson (WatchGuard Representative)

    Hi @BrianSteingraber

    A good middle ground is to use a DNS packet filter from your networks (any-trusted, any-optional, etc.) to the specific external DNS servers you want to use, with a DNS packet filter set to DENY to anything else below it.

    A rule like this ensures that port 53 is just being used for DNS, as the DNS servers generally won't reply to anything else, and everything else gets dropped.

    I made a test policy set here to show what that would look like:
    https://imgur.com/a/eQGOL38
    *If you do this, be sure to include any DNS servers you might be using. I just added some common ones as an example.

    It gives you the ability to restrict DNS for the most part without the overhead of a proxy.

    -James Carson
    WatchGuard Customer Support

  • @James_Carson said:
    Hi @BrianSteingraber

    A good middle ground is to use a DNS packet filter from your networks (any-trusted, any-optional, etc.) to the specific external DNS servers you want to use, with a DNS packet filter set to DENY to anything else below it.

    A rule like this ensures that port 53 is just being used for DNS, as the DNS servers generally won't reply to anything else, and everything else gets dropped.

    I made a test policy set here to show what that would look like:
    https://imgur.com/a/eQGOL38
    *If you do this, be sure to include any DNS servers you might be using. I just added some common ones as an example.

    It gives you the ability to restrict DNS for the most part without the overhead of a proxy.

    If the "Outgoing" policy were deleted as it should be for any truly secure config, the "DNS with Deny" policy would not be needed.

    Gregg Hill

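The three policy layouts discussed in this thread (James's packet-filter allow list with a DENY beneath it, Gregg's reason for preferring a proxy, and Gregg's note that the DENY is only needed while a broad "Outgoing" policy exists) can be compared side by side with a small first-match policy simulator. This is an added example, not from the original posts and not WatchGuard's Fireware code: the CIDRs, the resolver list standing in for James's alias, and the `looks_like_dns_query` check are assumptions that stand in for what a real DNS proxy does in far more depth (it also validates responses, query types, and so on). The point it demonstrates is the one raised above: a packet filter constrains where port 53 can go, a proxy constrains what may travel over port 53, and a leftover "Outgoing" policy can quietly undo the first restriction.

```python
import struct
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed example: a simplified first-match policy evaluator, not Fireware.
TRUSTED = ("10.0.0.0/8", "192.168.0.0/16")        # assumed "Any-Trusted" networks
DNS_SERVERS = ("1.1.1.1/32", "8.8.8.8/32")        # assumed alias of permitted resolvers
ANY_EXTERNAL = ("0.0.0.0/0",)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Policy:
    name: str
    action: str          # "allow" or "deny"
    src_nets: tuple
    dst_nets: tuple
    dports: tuple        # empty tuple = any port
    inspect: bool = False  # True models a DNS proxy: payload must look like DNS


def _in(addr: str, nets: tuple) -> bool:
    a = ip_address(addr)
    return any(a in ip_network(n) for n in nets)


def looks_like_dns_query(payload: bytes) -> bool:
    """Minimal protocol check a proxy performs and a packet filter cannot:
    12-byte header, QR=0 (query), opcode 0, QDCOUNT>=1, and a QNAME whose
    labels are <=63 bytes and terminate inside the packet with QTYPE/QCLASS."""
    if len(payload) < 12:
        return False
    _id, flags, qd, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    if flags & 0x8000 or (flags >> 11) & 0xF != 0 or qd < 1:
        return False
    pos = 12
    while True:
        if pos >= len(payload):
            return False
        ln = payload[pos]
        if ln == 0:
            break
        if ln > 63:
            return False
        pos += 1 + ln
    return pos + 1 + 4 <= len(payload)


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a standard recursive A query for `name` (constructed test input)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)


def evaluate(pkt: Packet, policies: tuple) -> tuple:
    """First matching policy wins; no match falls through to the implicit deny."""
    for p in policies:
        if p.dports and pkt.dport not in p.dports:
            continue
        if not _in(pkt.src, p.src_nets) or not _in(pkt.dst, p.dst_nets):
            continue
        if p.action == "allow" and p.inspect and not looks_like_dns_query(pkt.payload):
            return "deny", p.name + " (not DNS)"
        return p.action, p.name
    return "deny", "implicit deny"


OUTGOING = Policy("Outgoing", "allow", TRUSTED, ANY_EXTERNAL, ())

# James's layout: allow 53 to the alias, DENY 53 to everything else, Outgoing below.
PACKET_FILTER_SET = (
    Policy("DNS-Allowed-Servers", "allow", TRUSTED, DNS_SERVERS, (53,)),
    Policy("DNS-Deny", "deny", TRUSTED, ANY_EXTERNAL, (53,)),
    OUTGOING,
)
# A DNS proxy to the alias, but with the default Outgoing policy still present.
PROXY_WITH_OUTGOING = (
    Policy("DNS-Proxy", "allow", TRUSTED, DNS_SERVERS, (53,), inspect=True),
    OUTGOING,
)
# Same proxy with Outgoing deleted, as Gregg recommends.
PROXY_NO_OUTGOING = PROXY_WITH_OUTGOING[:1]


def demo() -> dict:
    host = "10.0.0.25"
    good = Packet(host, "8.8.8.8", 53, build_query("example.com"))
    tunnel = Packet(host, "8.8.8.8", 53, b"GET /payload HTTP/1.1\r\nHost: c2\r\n\r\n")
    rogue = Packet(host, "203.0.113.5", 53, build_query("example.com"))
    sets = {"packet_filter": PACKET_FILTER_SET,
            "proxy_with_outgoing": PROXY_WITH_OUTGOING,
            "proxy_no_outgoing": PROXY_NO_OUTGOING}
    return {name: {"good": evaluate(good, s)[0],
                   "tunnel": evaluate(tunnel, s)[0],
                   "rogue": evaluate(rogue, s)[0]} for name, s in sets.items()}


if __name__ == "__main__":
    for layout, verdicts in demo().items():
        print(layout, verdicts)
```

Running it shows the trade-off in one table: the packet-filter layout denies the query to a rogue resolver but passes the HTTP-shaped payload to an allowed resolver untouched, the proxy layout drops that payload but lets the rogue-resolver query escape through "Outgoing" if that policy is still there, and only the proxy with "Outgoing" removed (or with an explicit DENY beneath it) blocks both.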
