DNS Server Lockdown

Captions
Welcome to Crosstalk Solutions. My name is Chris, and today we're going to be talking about how to secure your network so that your users can only use DNS servers that you have specifically whitelisted, and they can't use any other DNS servers. Why would we want to do this? Basically, if you're using any sort of malware filtering, such as Pi-hole, or content filtering for adult content, things of that nature, you want to basically steer your users to specific DNS servers that are providing that filtering. So for instance, we've got a Pi-hole here, and Pi-hole does malware filtering and all sorts of other types of filtering. But if I'm a savvy user and I've received the IP address of a Pi-hole in my DHCP lease, maybe I don't want to be filtered, so I know how to go in and manually set my device so that I'm not using the Pi-hole, I'm using 1.1.1.1 or 9.9.9.9 or one of the other, you know, thousands of DNS servers out there on the internet. So what we're going to do today is utilize firewall rules to say, hey users, you can only use DNS from these devices, and all other requests to DNS servers are going to be dropped by the firewall. This way you can lock those users in, and you can do that on a per-VLAN basis. So maybe you don't have any sort of DNS filtering or, you know, DNS server blocking on your internal LAN, but you do have it on your guest network, or if you're running a school, you know, the student network, something like that. So let's talk about how to do that. We're going to do it in both EdgeOS and UniFi, and they're very similar, but there are, you know, different places you have to click on to get to these settings.

So here we are in EdgeOS. We're going to start here; this is my own personal EdgeRouter 4, sitting right here. We're first going to go over to Services, and then we're going to check out my DHCP server settings. So we're going to say View Details on my main DHCP server. We can see that I'm in 192.168.200.0 and I'm passing out two DNS servers. I'm passing 192.168.200.201, which is actually this Pi-hole that's sitting right back here, and then we've got 192.168.200.10, which is the Pi-hole that I have running in Docker on my Synology NAS. I have a third one here, this is a third Pi-hole, this is 192.168.200.206; I'm just using this for testing. And I just did a video on, you know, how to set up and install Pi-hole, and details on that video coming soon. Okay, so we made sure now that our clients are only getting these specific IP addresses through DHCP. You also want to make sure that any devices that you have statically set in your network, such as the EdgeRouter itself or any servers that might be statically set, anything like that, you have to manually set the whitelisted or allowed DNS servers for those devices' DNS server settings as well, since they're not getting it through DHCP.

Okay, so we're going to close this down, and next we're going to click on the Firewall/NAT tab. Now in Firewall/NAT we're going to click on Firewall/NAT Groups, and I have two groups set up in here. I have my RFC 1918 ranges; this is basically just a group where I can specify any private LAN IP address range. So let's take a look at that. We're going to say Config, and basically this group is my RFC 1918 ranges: it includes 192.168.anything.anything, 172.16.anything.anything, and then 10.anything, right? So basically all of the private IP address spaces that are set aside for private LANs. Okay, so we're going to close that out. That's one group, and our second group is our DNS servers. These are DNS servers that I want to specifically whitelist. And why do I have them in a group? It's so that wherever I'm using this group in my firewall rules, I can just make changes to the group and then my firewall rules will all update accordingly. I don't have to go through all of my firewall rules and set up each, you know, DNS server individually. If I make a change, and maybe I put in a new Pi-hole that has a different IP address, all I have to do is update this group and it sort of propagates out to the rest of my firewall rules. So in this group I have .201, that's the one sitting back here; I've got .10, which is my Synology NAS; and I've got .206, which is this Pi-hole sitting right here.

Okay, so that group is done, and now we're going to click on our Firewall Policies tab, and you can see I've got a lot of groups here. The one that I want to mainly deal with, or I should say the two that I want to mainly deal with, are my LAN_IN, so my main LAN group. So my main LAN network is 192.168.200.0; all traffic coming in to the firewall from that LAN, it's called LAN_IN. And then we're also going to do my IoT network. My IoT network is a little bit more secure: not only am I only allowing specific DNS servers, I'm also blocking any traffic from the IoT network into my main LAN, right? Because I don't want those IoT devices, the Roku and the, you know, smart plugs or whatever you happen to have in an IoT network, I don't want those devices to have any access to my main secure LAN whatsoever. But I do want them to be able to utilize the Pi-holes that exist in my main secure LAN, so we'll show you how to do that as well. But first let's take a look at LAN_IN. We're going to say Actions, Edit Ruleset. So for interfaces, we want to make sure that this is whatever, you know, interface it is, eth1.the VLAN ID. In this case there's no VLAN, this is just my main LAN, so it's just eth1. Direction is inbound traffic, so from the LAN in to the EdgeRouter. And then for the rules, we're going to allow established/related first; that's always sort of the first rule that I put in place. Then we have Allow My DNS Servers. So this is the rule where I'm saying, hey, all of the clients in this network can only use the DNS servers I specified in that DNS group that I already created. So let's take a look at that rule. Allow My DNS Servers is the description; we're going to accept both TCP and UDP traffic where the destination is port 53 on any of my DNS servers in that address group. Okay, so easy, easy rule, that's all there is to it.

Next we have Allow Pi-hole Access to DNS. So while I am blocking all of my clients from using any other DNS server, well, my Pi-holes have to forward, right? So they use Cloudflare's DNS, 1.1.1.1, so that if, you know, a client does a lookup to the Pi-hole and the Pi-hole doesn't know how to resolve www.google.com. So the source is just the IP addresses of my Pi-holes, and then the destination is anything on port 53. Okay, so basically saying Pi-holes have full access to DNS, whatever DNS server they want to look up. I could also lock it down so that I say they're only allowed to look up 1.1.1.1 on port 53 and sort of secure that down a little bit tighter, but I don't have that in place. Okay, so that's rule number two. The third rule we want to do is for the clients that are doing lookups to the Pi-holes. If they're savvy and they say, hey, haha, I'm going to get around Chris's firewall rules and I'm going to put in my own DNS server: uh-uh-uh, no you aren't, this is where I'm going to block you. So we're going to Block All Other DNS Servers. Let's take a look at that rule. In this case we're going to drop both TCP and UDP where the destination is port 53, okay, so any other DNS service. Now these rules are processed in order, so we're basically saying allow my DNS servers to be used by any other networks, allow Pi-hole access to any DNS servers that it wants to access, and then we're blocking my clients' requests to anything that's not the Pi-holes; we're blocking DNS servers that aren't specifically the ones I have whitelisted. Hopefully all that makes sense.

All right, so let's move on and take a quick look at the IOT_IN network. This is for my IoT devices. It's very similar, with a couple of changes. So we start with Allow Established/Related (I don't want to actually move them around), then we have Allow Pi-hole DNS. So that's the same thing, where we're saying accept traffic, TCP and UDP, where the destination is my DNS servers on port 53. Then we're going to Drop Non-Pi-hole DNS. So that's the same rule that we created before, where we're going to drop anything where the destination is port 53. Since we've already processed out the ones that did successfully match, anything else that's left over, since these rules are processed in order, the DNS stuff is going to get dropped. And then, since this is my secure network, I'm allowing people to go through, since the rules again are processed in order: you can go through from my IoT network to my secure LAN just on port 53 for these DNS servers, that's it. The last rule in this rule set is saying Drop Traffic to the RFC 1918 Ranges, right? So any other traffic that I haven't specifically allowed through, we're just going to drop, so my IoT stuff cannot get through to my secure LAN. Notice also that in this rule set I don't have to specifically allow my Pi-holes to see out to the DNS servers they need to resolve to, because these Pi-holes aren't in this network, right? They're in my main secure network, so I don't need that rule here.

Okay, so let's test. Here I have nslookup, and we're going to say nslookup, enter, and it says that it's going to use 192.168.200.201. All right, so let's do www.google.com. There we go, we got an answer. Okay, now we're going to say... I think there's a command to change your server while you're in here, is it "server ="? No, it's not. So I'm just going to cancel out, and we'll say nslookup - 192.168.200.10, okay, one of my others, this is the Synology NAS Pi-hole, www.google.com... actually I'll use a different one, bing.com. Boom, there we go, so we got an answer. Now let's do nslookup - 1.1.1.1. Okay, so the server is unknown. Let's do www.slashdot.org, and now we're not getting lookups, it's not resolving, "DNS request timed out". But again, if I go to my third one, 192.168.200.206, and I do www.slashdot.org, boom, immediately comes back. Okay, so now what we've successfully done is we're saying Pi-holes can do lookups wherever, my clients can do lookups to the Pi-holes that I've specified, but any other DNS server that we try, we're going to block those requests. Okay, and that looks like it's working just fine.

Now I also said that we're going to do this in UniFi, so let's flip over. Now we're going to look at my UniFi Dream Machine, my little UDM that I've got sitting back here. And in order to make these same changes, you want to come to Internet Security and then click on Firewall. Now none of this stuff is going to be there; you're basically just going to have these rules to begin with. So we first want to add a couple of groups. So we're going to say Create New Group, and then we can look at these groups that I created: DNS Servers that we're allowing from this device. Okay, in this case I'm going to allow 1.1.1.1, 9.9.9.9 and the IP address of the UDM. Again, you pick whichever DNS servers you want. In this case, you know, the first example I was only using the DNS server IP addresses of my Pi-holes; in this case I'm using a couple of, like, you know, I'm using 9.9.9.9 and 1.1.1.1. Oh, in a secure DNS environment those are not the addresses that you would use; you would use, like, a Pi-hole or some other type of DNS content filtering, such as OpenDNS or something like that, rather than, you know, a publicly available IP. But this is just to set the example; this is the group of IPs that I'm allowing. Okay, so we're going to close that. You can also set a port in UniFi, so I created a port group for port 53 as well. So if we look at this port group, that's all there is to it, just one port, port 53, and we're calling the port group DNS. So now I have an address group with my whitelisted DNS servers, and I have a port group for TCP and UDP port 53. Actually, it's just port 53; you specify TCP/UDP later. So now let's look at the rules that I have set up. So my first rule is Allow DNS Servers, okay, so we're going to edit that rule. And so for LAN In, the description is Allow DNS Servers, we're going to accept both TCP and UDP where the source is any, any, so any from any location, and the destination is going to be address/port group DNS Servers on port group DNS. Okay, so basically saying we're going to allow DNS lookups to happen on my whitelisted DNS servers in this group, on the ports in the DNS port group, which is just port 53. That's it, that's all there is for that rule.

Now the next rule, we have to allow our DNS servers to be able to see out and resolve their names, like, so that they, you know, have the ability to do their own lookup. So let's take a look at that rule. So this rule is called Allow DNS Servers Out, again applied to LAN In. We're going to accept traffic where the source is my address/port group DNS Servers on port DNS, right? So again we're allowing DNS lookups from my devices that I specify, my whitelisted DNS servers, out to any IP address, but port group DNS, which is port 53. Okay, so that's the second rule. Third rule is Block All Other DNS Servers, so let's look at this rule. We're going to say for LAN In, description Block DNS Servers, we're going to drop as the action, protocol is TCP and UDP, and then we're going to drop any source where the destination is any IP address in my DNS port group, which is port 53, right? So basically, again, saying if you try to make a DNS lookup to anything that I haven't specifically whitelisted earlier in the rule set, block it and just drop that traffic. And that's it, that's all there is to it.

Let's go ahead and test that one as well. Let me connect up to that network. Okay, so I have connected to the wireless coming off of my UDM, and we're going to bring up Net Analyzer, and I'm going to run a DNS test. So this is an A record DNS test out to www.google.com, and for DNS server I'm going to use 1.1.1.1, which was one of my whitelisted DNS servers, and we're going to say Start. And there we go, status: no error. Okay, so let's go back. We're going to try my other DNS server that I whitelisted, which is 9.9.9.9. Start... no error, that's good. And then finally, let's try another public DNS server that I haven't specifically whitelisted; let's try 4.2.2.2. Start, and we're going to time out. Okay, so this is definitely not going to work; it's going to eventually come up with an error, and that just means that we are blocked. Okay, so there it is, error. And that's all there is to it.

All right, well, hope you guys found this useful. If you have any questions about this type of setup, let me know down in the comments below. If you think I did anything incorrectly or think that I could have done something better, also put those down in the comments below. I'd love to hear your thoughts and critiques on this type of DNS secure setup. All right, my name is Chris with Crosstalk Solutions. If you enjoyed this video, make sure you give me a thumbs up. If you'd like to see more videos like this, please click Subscribe. Thank you so much for watching.
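Editor's added example (not part of the transcript, and not the video author's own configuration): the two EdgeOS rule sets Chris builds in the GUI, LAN_IN and IOT_IN, modelled as first-match lists so the ordering he keeps stressing can be checked against sample packets, plus a generator for the equivalent EdgeOS `set firewall ...` commands. The Pi-hole addresses are the ones named in the video; the IoT subnet 192.168.210.0/24, the rule numbers and the group names are assumptions. One packet in the sample set is a client talking to 1.1.1.1 on TCP 443: it passes, because a port-53-only lockdown does nothing against DNS over HTTPS (443) or DNS over TLS (853), which is the main caveat of this setup.

```python
"""First-match model of the DNS-lockdown rule sets described in the video.

Added example, not the video author's config. Encodes LAN_IN and IOT_IN as
ordered rule lists, evaluates packets the way EdgeOS does (first match wins,
then default-action), and emits the equivalent 'set firewall ...' commands.
Assumed: IoT subnet 192.168.210.0/24, rule numbers, group names.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Groups referenced by the rules. DNS_SERVERS are the three Pi-holes from the
# video; RFC1918 covers all private space so IoT cannot reach the main LAN.
GROUPS = {
    "DNS_SERVERS": ("address-group", ["192.168.200.201", "192.168.200.10", "192.168.200.206"]),
    "RFC1918": ("network-group", ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]),
}


@dataclass
class Rule:
    number: int
    desc: str
    action: str                  # "accept" | "drop"
    src: Optional[str] = None    # group name; None = any
    dst: Optional[str] = None
    dport: Optional[int] = None
    established: bool = False    # match established/related instead of 5-tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp" | "udp" | anything else
    dport: int
    established: bool = False


def in_group(addr: str, group: Optional[str]) -> bool:
    if group is None:
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in GROUPS[group][1])


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.established:
        return pkt.established
    if pkt.proto not in ("tcp", "udp"):   # every other rule here is tcp_udp
        return False
    return (in_group(pkt.src, rule.src) and in_group(pkt.dst, rule.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(rules: list, default: str, pkt: Packet) -> str:
    """First matching rule decides; otherwise the rule set's default-action."""
    for r in rules:
        if matches(r, pkt):
            return r.action
    return default


# LAN_IN: default accept; only DNS to non-whitelisted resolvers is dropped.
LAN_IN = [
    Rule(10, "allow established/related", "accept", established=True),
    Rule(20, "allow my DNS servers", "accept", dst="DNS_SERVERS", dport=53),
    Rule(30, "allow Pi-hole upstream DNS", "accept", src="DNS_SERVERS", dport=53),
    Rule(40, "block all other DNS", "drop", dport=53),
]
# IOT_IN: same DNS rules, then drop anything else bound for private space.
# Rule 20 must sit above rule 40 or IoT could never reach the Pi-holes.
IOT_IN = [
    Rule(10, "allow established/related", "accept", established=True),
    Rule(20, "allow Pi-hole DNS", "accept", dst="DNS_SERVERS", dport=53),
    Rule(30, "drop non-Pi-hole DNS", "drop", dport=53),
    Rule(40, "drop to RFC1918", "drop", dst="RFC1918"),
]


def group_commands() -> list:
    """EdgeOS 'configure' mode commands for the two groups."""
    cmds = []
    for name, (kind, members) in GROUPS.items():
        key = "address" if kind == "address-group" else "network"
        cmds += [f"set firewall group {kind} {name} {key} {m}" for m in members]
    return cmds


def edgeos_commands(name: str, default: str, rules: list) -> list:
    """EdgeOS 'configure' mode commands for one rule set."""
    cmds = [f"set firewall name {name} default-action {default}"]
    for r in rules:
        p = f"set firewall name {name} rule {r.number}"
        cmds += [f"{p} action {r.action}", f"{p} description '{r.desc}'"]
        if r.established:
            cmds += [f"{p} state established enable", f"{p} state related enable"]
            continue
        cmds.append(f"{p} protocol tcp_udp")
        for side, group in (("source", r.src), ("destination", r.dst)):
            if group:
                cmds.append(f"{p} {side} group {GROUPS[group][0]} {group}")
        if r.dport:
            cmds.append(f"{p} destination port {r.dport}")
    return cmds


if __name__ == "__main__":
    samples = [  # constructed packets: (rule set name, packet)
        ("LAN_IN", Packet("192.168.200.50", "192.168.200.201", "udp", 53)),
        ("LAN_IN", Packet("192.168.200.50", "1.1.1.1", "udp", 53)),
        ("LAN_IN", Packet("192.168.200.201", "1.1.1.1", "udp", 53)),
        ("LAN_IN", Packet("192.168.200.50", "1.1.1.1", "tcp", 443)),   # DoH, not caught
        ("IOT_IN", Packet("192.168.210.20", "192.168.200.10", "tcp", 53)),
        ("IOT_IN", Packet("192.168.210.20", "192.168.200.5", "tcp", 443)),
    ]
    for name, pkt in samples:
        rs = LAN_IN if name == "LAN_IN" else IOT_IN
        print(f"{name}: {pkt.src} -> {pkt.dst}:{pkt.dport}/{pkt.proto} = {evaluate(rs, 'accept', pkt)}")
    print("\n".join(group_commands() + edgeos_commands("LAN_IN", "accept", LAN_IN)))
```

The generated commands still have to be attached to an interface in the inbound direction, as the video does through the GUI; on the CLI that is `set interfaces ethernet eth1 firewall in name LAN_IN` (eth1 assumed), followed by `commit` and `save`. The same `evaluate` logic applies to the UniFi version, where the address group and port group simply replace the inline destination fields.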
Info
Channel: Crosstalk Solutions
Views: 62,281
Keywords: unifi, unifi setup, ubiquiti unifi, unifi dream machine, unifi dream machine pro, crosstalk solutions, crosstalk solutions ubiquiti, pi-hole, dns setup, how to configure dns, dns server, dns explained, unifi dns, edgeos, edge os, ubiquiti edgemax, edgemax, edgemax dns, dns firewall rules, domain name system
Id: j6IzYGAI7IE
Length: 17min 37sec (1057 seconds)
Published: Wed Jan 29 2020