Still want to use DNS policies in my config

I can't use DNSWatch because I want to use DNS proxy policies in my config to prevent certain DNS resolutions.
Please have DNSWatch processing be modified so that DNS policies can be processed before DNSWatch forwards packets to the DNSWatch servers.

Comments

  • Following

  • Does the V12.9 DNS Forwarding policy now allow DNS proxies which exist above this policy in one's config to be processed when DNSWatch is active?

  • To answer my own question - NO.
    With DNSWatch enabled, one still can't have an existing DNS policy in one's config be used by Fireware.

  • james.carson Moderator, WatchGuard Representative

    Hi @Bruce_Briggs
    You should still be able to do this if you make the DNS policies above the any from firebox rule.

    You'd need to expose that rule in the firebox global settings in order to do that, but it should be possible.

    -James Carson
    WatchGuard Customer Support

  • Unfortunately this does not work.

    This is what I see when the 1st policy is a DNS proxy policy, then the "Any from firebox" policy and then the DNS Forwarding policy:

    2022-12-15 15:13:53 Allow 10.0.1.2 10.0.1.1 dns/udp 50537 53 Trust-VLAN Firebox DNSWatch 53 128 (Internal Policy) proc_id="firewall" rc="100" msg_id="3000-0148" record_type="NS" question="abc.com" Traffic

    Then response time gets bad, and some sites don't resolve, such as this one.
    And then I end up with these:
    2022-12-15 15:20:10 Deny 10.0.1.2 10.0.1.1 dns/udp 52092 53 Trust-VLAN Firebox Denied 70 128 (Unhandled Internal Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148" Traffic

    A reboot clears this up.

    A good while back I opened a support incident on this exact issue, and I was told to not have a DNS proxy above the "Any from firebox" policy.

    This is still not resolved.
    I want to use the DNS proxy to control things, such as denying DNS type 65 - DoH, or blocking specific lookup names for specific devices but not all devices etc.
    I can't do this AND have DNSWatch enabled

  • @Bruce_Briggs said:
    I want to use the DNS proxy to control things, such as denying DNS type 65 - DoH, or blocking specific lookup names for specific devices but not all devices etc.
    I can't do this AND have DNSWatch enabled

    Why do you want to block RR (type 65) records?

    DoH you can block in the http proxy, this is what I do, plus via GPO and 3rd party security tool. My 3rd party security tool was just released with support for DNS over https scanning.

    I have some FQDN names which I block access to via a firewall filter. It can of course be resolved, but not accessed.

  • IMHO, a DNS proxy is the better place to implement these. And it should be possible for Fireware to allow this.

    There are these 2 feature requests, still not implemented:

    james.carson Moderator, WatchGuard Representative
    October 2020

    Currently there are two feature requests that are open and being worked on related to this:
    FBX-17047 - Ability to block DNS over HTTPS via Application Control
    DNSW-624 - Ability to block DNS over HTTPS in DNSWatch
    If you'd like to track either, or both, please open a support case and mention the one you'd like to track via a case. The support rep can set that up for you.


    GPO is not available on Windows Home version. Phones and various IoT devices don't have such an option either.

    Info from a support case:
    DNSWatch is/was implemented in the DNS Forwarding area. Supposedly DNS Forwarding was being re-architected, which would allow what I want.
    But not yet it seems.
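
An added example (not part of any post in this thread, and not WatchGuard code): a small Python check that reads Firebox traffic log lines like the two quoted above and reports which policy actually handled each DNS packet, so you can see whether queries reach your DNS proxy policy or are taken by an internal policy. The field layout is an assumption inferred only from those two lines, and the policy name `DNS-proxy` is hypothetical.

```python
import re
from collections import Counter

# The two traffic log lines quoted in the thread above.
SAMPLE_LOGS = [
    '2022-12-15 15:13:53 Allow 10.0.1.2 10.0.1.1 dns/udp 50537 53 Trust-VLAN Firebox DNSWatch 53 128 (Internal Policy) proc_id="firewall" rc="100" msg_id="3000-0148" record_type="NS" question="abc.com" Traffic',
    '2022-12-15 15:20:10 Deny 10.0.1.2 10.0.1.1 dns/udp 52092 53 Trust-VLAN Firebox Denied 70 128 (Unhandled Internal Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148" Traffic',
]

# Assumed layout: timestamp, action, src, dst, service, src port, dst port,
# in interface, out interface, free text, then the policy name in parentheses.
# Interface names containing spaces are not handled.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<action>Allow|Deny) '
    r'(?P<src>\S+) (?P<dst>\S+) (?P<service>\S+) (?P<sport>\d+) (?P<dport>\d+) '
    r'(?P<in_if>\S+) (?P<out_if>\S+) .*?\((?P<policy>[^)]*)\)(?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Return a dict of fields for one traffic log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Fold the trailing key="value" pairs (rc, msg_id, question, ...) into the record.
    rec.update(dict(KV_RE.findall(rec.pop("rest"))))
    return rec


def dns_handling_report(lines, proxy_policies=()):
    """Count port-53 packets per (action, policy); list those not handled by a named proxy policy."""
    counts = Counter()
    bypassed = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] != "53":
            continue
        counts[(rec["action"], rec["policy"])] += 1
        if rec["policy"] not in proxy_policies:
            bypassed.append(rec)
    return counts, bypassed


if __name__ == "__main__":
    # "DNS-proxy" is a hypothetical name for the user's own DNS proxy policy.
    counts, bypassed = dns_handling_report(SAMPLE_LOGS, proxy_policies={"DNS-proxy"})
    for (action, policy), n in counts.items():
        print(f"{n:4d}  {action:5s}  {policy}")
    for rec in bypassed:
        print("not handled by proxy:", rec["ts"], rec["src"], rec.get("question", "-"))
```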
