srk2016
New Contributor

I need a sample config for Netvanta 3448 on how to create a false dns server to block google instead of using websense?

I am trying to set a firewall settings and I am looking for a way to block some Https sites.

4 Replies
Anonymous
Not applicable

Re: I need a sample config for Netvanta 3448 on how to create a false dns server to block google instead of using websense?

I am not sure about a "false" DNS server, but you can configure your 3448 to be your primary DNS server and then enter some dummy host records to perhaps redirect that traffic to somewhere null. You can't point it to 0.0.0.0 though, so I would say point it to some private IP that isn't in use (or doesn't even exist) in your local network:

host "www.google.com" 172.16.1.1
domain-proxy
ip dhcp pool "LAN_NET"
  network 192.168.75.0 255.255.255.0
  dns-server 192.168.75.1
  netbios-node-type h-node
  default-router 192.168.75.1
  lease 30

Advanced Configuration and Troubleshooting DNS Lookup and DNS Proxy in AOS

jcrabtreetol
New Contributor II

Re: I need a sample config for Netvanta 3448 on how to create a false dns server to block google instead of using websense?

I'm not in front of a system to get the code; I'll reply back, but here is the narrative.

So for this you want to follow the Allow and then Deny method.

We do this all the time for Websense and OpenDNS Services.

In your LAN Policy you will want to create an outbound rule that allows UDP 53 to allow to your Websense External IPs or the OpenDNS Anycast IPs.

Once the Allow is set then that rule will now be used and stop there once matched.

The very next rule will be a Deny UDP 53 to ANY.

Now anyone that tries to use DNS that is not set in your allow will be denied.

We also do this for hardened networks where we only allow explicit traffic out, such as HTTPS/HTTP/etc.

jcrabtreetol
New Contributor II

Re: I need a sample config for Netvanta 3448 on how to create a false dns server to block google instead of using websense?

OK, here is what you will want in your config.

Under your IP Access-List Policies you will want the following. (The IPs I used are OpenDNS Anycast; just adjust to match your Websense. Remember everything is top-down flow.)

ip access-list extended DNS-ACL
  remark DNS_Policy
  permit udp any  host 208.67.220.220 eq domain    log
  permit udp any  host 208.67.222.222 eq domain    log
  deny   udp any  any eq domain    log

Now in your Policy Class for your Private Zone (normally this is just called Private) you will add your ACL match line, likely under the header "ip policy-class Private":

  nat source list DNS-ACL interface eth 0/1 overload policy Public

Make sure this line is above your all-out rule, if you happen to use an all-out (which we find all the time) and that is how you wish to operate. You do not require the Public at the end of that line; I just declare it when I am passing traffic to the Public Policy.

Let me know if you have any issues or need more help. If you can post your config with sensitive details scrubbed or changed, that is fine.

Just for those who are curious how this works.

We have the ACL (access list). We are saying: if traffic from anyone matches packets to UDP 53 (DNS) to host x.x.x.x (in my example above it is either 208.67.220.220 or 208.67.222.222), permit the traffic.

Then the last line says: if the above two are not matched, deny the traffic, so the DNS will be dropped and not allowed.

We then set this policy in your Private Class before your Any Out, so the traffic is matched before your Any Out and will either be allowed or denied. It doesn't matter that you have an Any because we have denied it before those rules are matched.

Most routers operate in a first-match configuration. If you match the policy, that is what we do and we look no further. It makes the logic process easy.

Hope I helped

-John
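A small first-match evaluator for the ACL and ordering John describes above, added here as an example; it is not code from this thread or from ADTRAN. It parses the posted DNS-ACL lines, applies first-match semantics, and models the ordering caveat (an any-out entry placed above the ACL matches first, so the deny is never reached) as the post describes it, which is an assumption of the model rather than a description of AOS internals.

```python
import ipaddress
from collections import namedtuple
from typing import List

# Constructed input: the ACL from the post above, in AOS-like syntax.
DNS_ACL = """
ip access-list extended DNS-ACL
  remark DNS_Policy
  permit udp any host 208.67.220.220 eq domain log
  permit udp any host 208.67.222.222 eq domain log
  deny   udp any any eq domain log
"""
PORT_NAMES = {"domain": 53}  # the service name stands for UDP/TCP port 53

Rule = namedtuple("Rule", "action proto dst dport")  # dst: IPv4Network; dport None = no "eq"

def parse_acl(text: str) -> List[Rule]:
    """Parse permit/deny lines; the header and remark carry no match logic."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue
        action, proto = tok[0], tok[1]
        i = 4 if tok[2] == "host" else 3  # skip the source spec ("any" / "host X")
        if tok[i] == "host":
            dst, i = ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
        else:                             # "any"
            dst, i = ipaddress.ip_network("0.0.0.0/0"), i + 1
        dport = None
        if i < len(tok) and tok[i] == "eq":
            dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
        rules.append(Rule(action, proto, dst, dport))
    return rules

def first_match(rules: List[Rule], proto: str, dst_ip: str, dport: int) -> str:
    """First match wins: the first rule whose fields fit decides the verdict."""
    for r in rules:
        if (r.proto == proto and ipaddress.ip_address(dst_ip) in r.dst
                and (r.dport is None or r.dport == dport)):
            return r.action
    return "no-match"  # nothing in this ACL applies; later policy entries decide

def dns_verdict(dst_ip: str, acl_before_any_out: bool = True) -> str:
    """Ordering caveat from the post (modeled assumption): an allow-any entry
    above the DNS-ACL entry matches first, so the ACL's deny is never reached."""
    if not acl_before_any_out:
        return "permit"
    return first_match(parse_acl(DNS_ACL), "udp", dst_ip, 53)
```

Running `dns_verdict("8.8.8.8")` returns "deny" with the ACL above the any-out entry and "permit" when it sits below it, which is exactly the misordering the post warns about.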

jayh
Honored Contributor

Re: I need a sample config for Netvanta 3448 on how to create a false dns server to block google instead of using websense?

John Gilmore - Wikiquote

Pretty much as true today as in 1993 if people are determined.

However:

ip domain-proxy
host google.com 127.0.0.1
host www.google.com 127.0.0.1

may slow folks down a bit.