I am trying to set a firewall settings and I am looking for a way to block some Https sites.
I am not sure about "false" DNS server, but you can configure your 3448 to be your primary DNS server and then enter some dummy host records to perhaps redirect that traffic to somewhere null. You can't point it to 0.0.0.0 though, so I would say point it to some private IP that isn't in use (or even exists) in your local network
host "www.google.com" 172.16.1.1
ip dhcp pool "LAN_NET"
network 192.168.75.0 255.255.255.0
Not in front of a System to get the code, I'll reply back but here is the narrative.
So for this you want to follow the Allow and then Deny method.
We do this all the time for Websense and OpenDNS Services.
In your LAN Policy you will want to create an outbound rule that allows UDP 53 to allow to your Websense External IPs or the OpenDNS Anycast IPs.
Once the Allow is set then that rule will now be used and stop there once matched.
the very following rule will be a Deny UDP 53 to ANY.
Now anyone that tries to use DNS that is not set in your allow will be denied.
We also do this for Hardend networks where we only allow explicit traffic out such as HTTPS/HTTP/Etc
OK Here is what you will want in your Config.
Under your IP Access-List Policies you will want the following. (The IPs I used are OpenDNS Anycast, just adjust to match your websense, remember everything is top down flow)
ip access-list extended DNS-ACL
permit udp any host 184.108.40.206 eq domain log
permit udp any host 220.127.116.11 eq domain log
deny udp any any eq domain log
Now in your Policy Class for your Private Zone, normally this is just called private. you will add your ACL Match Line.
Likely under the header "ip policy-class Private"
nat source list DNS-ACL interface eth 0/1 overload policy Public
Make sure This Line is above your all out, if you happen to use an All Out which we find all the time and that is how you wish to operate. You do not require the Public at the end of that line, I just declare when I am passing traffic to the Public Policy.
Let me know if you have any issues or need more help. If you can post your config with sensitive details scrubbed or changed is fine.
Just for those who are curious how this works.
We have the ACL (access list) We are saying if traffic from anyone that matches the packets to UDP 53 (DNS) to host x.x.x.x (in my example above it is either 18.104.22.168 or 22.214.171.124) to Permit the traffic.
Then the last line if the above two are not matched deny the traffic, so the DNS will be dropped and not allowed.
When then set this Policy in your Private Class before your Any Out. So the traffic is matched before your Any out and will either be allowed or denied. Doesn't matter that you have an any because we have denied it before those rules are matched.
Most routers operate in a First match use configuration. If you match the policy that is what we do and we look no further. Makes the logic process easy.
Hope I helped