DNS Packet vs. Proxy Policy

I'm curious what everyone is running in regards to their outbound DNS policies. Are you using the DNS Packet Filter or DNS Proxy and why?

Comments

  • Proxy.
    So that I can block selected DNS queries for some domains.

  • I use a Proxy, for Bruce's reasons, and in the hope that it only allows DNS traffic so that IF an allowed computer were to get something malicious on it, it could not just go out port 53 untouched to retrieve payloads. I want the same behavior as an HTTP proxy that stops SMTP traffic on port 80 because it doesn't match the HTTP protocol.

    Gregg Hill

  • Gregg, that's my current reason for leveraging DNS-Proxy; however, 2x of my T35s are experiencing performance issues because of it and WG Support recommended switching over to the DNS Packet rule.

  • The other way I did it was with a packet filter, but going to an alias containing a list of the root DNS servers and whatever DNS servers I was using. That way, port 53 outbound was open, but not just to anywhere. I just switched to a proxy recently due to abysmal DNS lookups at certain times. I still have not identified the actual cause of the slow lookups because they happen randomly.

    Gregg Hill

  • I also have outbound DNS traffic limited to specific IPs, so I'm wondering how much additional value/benefit there is in Proxy over Packet policies.
    Or really in this case, how much security is lost moving from Proxy to Packet filtering...

  • james.carson Moderator, WatchGuard Representative

    Hi @BrianSteingraber

    A good middle ground is to use a DNS packet filter from your networks (any-trusted, any-optional, etc.) to the specific external DNS servers you want to use, with a DNS packet filter set to DENY to anything else below it.

    A rule like this ensures that port 53 is just being used for DNS, as the DNS servers generally won't reply to anything else, and everything else gets dropped.

    I made a test policy set here to show what that would look like:
    https://imgur.com/a/eQGOL38
    *If you do this, be sure to include any DNS servers you might be using. I just added some common ones as an example.

    It gives you the ability to restrict DNS for the most part without the overhead of a proxy.

    -James Carson
    WatchGuard Customer Support
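    The allow-list packet filter James describes and the protocol check Gregg wants from a proxy, side by side as an added Python example (not WatchGuard's code; the resolver addresses, policy names and sample payloads are constructed):

```python
import struct
from ipaddress import ip_address, ip_network

# Constructed allow-list standing in for the "external DNS servers" alias
# in the thread (hypothetical documentation addresses, not real resolvers).
ALLOWED_DNS_SERVERS = [ip_network("198.51.100.53/32"), ip_network("203.0.113.0/24")]

# Ordered policy table modelled on the described screenshot: allow DNS to the
# alias, then a DENY DNS policy below it that catches everything else on 53.
POLICIES = [
    ("DNS-Allow", "allow", ALLOWED_DNS_SERVERS),
    ("DNS-Deny", "deny", [ip_network("0.0.0.0/0")]),
]

def packet_filter(dst_ip, dst_port):
    """Top-down match on destination only, as a packet filter does.
    Returns (policy name, action); non-53 traffic hits no DNS policy."""
    if dst_port != 53:
        return ("no-match", "deny")
    ip = ip_address(dst_ip)
    for name, action, nets in POLICIES:
        if any(ip in net for net in nets):
            return (name, action)
    return ("no-match", "deny")

def looks_like_dns_query(payload):
    """Minimal protocol check of the kind a DNS proxy adds: header sanity
    plus a well-formed question section (RFC 1035 wire format)."""
    if len(payload) < 12:
        return False
    _id, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", payload[:12])
    if flags & 0x8000 or (flags >> 11) & 0xF != 0:   # must be a standard QUERY
        return False
    if qdcount != 1 or ancount or nscount or arcount > 1:  # arcount 1 = EDNS0 OPT
        return False
    pos = 12                                # walk the QNAME labels
    while pos < len(payload) and payload[pos] != 0:
        label_len = payload[pos]
        if label_len > 63 or pos + 1 + label_len > len(payload):
            return False
        pos += 1 + label_len
    return pos < len(payload) and len(payload) >= pos + 5  # NUL + QTYPE + QCLASS

def decide(dst_ip, dst_port, payload, mode):
    """'packet' ignores the payload; 'proxy' also requires DNS-shaped data."""
    _name, action = packet_filter(dst_ip, dst_port)
    if action == "allow" and mode == "proxy" and not looks_like_dns_query(payload):
        return "deny"
    return action

# Constructed samples: a query for example.com, and SMTP chatter aimed at port 53.
DNS_QUERY = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00" + b"\x07example\x03com\x00" + b"\x00\x01\x00\x01"
SMTP_ON_53 = b"HELO mail.example.test\r\n"
```

    The point the thread makes falls out of `decide`: both modes block port 53 to unlisted destinations, but only the proxy mode rejects non-DNS bytes sent to an allowed resolver.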

  • @James_Carson said:
    Hi @BrianSteingraber

    A good middle ground is to use a DNS packet filter from your networks (any-trusted, any-optional, etc.) to the specific external DNS servers you want to use, with a DNS packet filter set to DENY to anything else below it.

    A rule like this ensures that port 53 is just being used for DNS, as the DNS servers generally won't reply to anything else, and everything else gets dropped.

    I made a test policy set here to show what that would look like:
    https://imgur.com/a/eQGOL38
    *If you do this, be sure to include any DNS servers you might be using. I just added some common ones as an example.

    It gives you the ability to restrict DNS for the most part without the overhead of a proxy.

    If the "Outgoing" policy were deleted as it should be for any truly secure config, the "DNS with Deny" policy would not be needed.

    Gregg Hill

  • @james.carson said:
    Hi @BrianSteingraber

    A good middle ground is to use a DNS packet filter from your networks (any-trusted, any-optional, etc.) to the specific external DNS servers you want to use, with a DNS packet filter set to DENY to anything else below it.

    A rule like this ensures that port 53 is just being used for DNS, as the DNS servers generally won't reply to anything else, and everything else gets dropped.

    I made a test policy set here to show what that would look like:
    https://imgur.com/a/eQGOL38
    *If you do this, be sure to include any DNS servers you might be using. I just added some common ones as an example.

    It gives you the ability to restrict DNS for the most part without the overhead of a proxy.

    Hi James

    The recent autodiscover hack has shown that a packet filter alone can't help with that attack, and Proxy is possibly the only way to add the specific rules to only allow the company's actual Autodiscover addresses and block all other autodiscover.xyz. domains.

    I am currently in support with a problem and the request from them is to change to packet filter, so am I missing something, i.e. is there a way to do what I want with packet filters only?

  • james.carson Moderator, WatchGuard Representative

    Hi @NickDaGeek
    Are you trying to protect inbound or outbound traffic? If you're trying to protect your internal DNS server from outside autodiscover requests, this should be possible in theory. For outbound DNS proxies, it's usually a performance issue.

    If you can reply with your case number, I can make sure that your case is with the correct team to best help.

    -James Carson
    WatchGuard Customer Support
