Lock down DNS on your network

Captions
Hi, I'm Willie. Welcome to my channel. Thank you for being here; I appreciate each and every one of you. What we're going to look at in this video is taking control of DNS. In the last video we locked down all the ports except for DNS, HTTP, which is port 80, and HTTPS, which is port 443, but a lot of people said, what about DNS? DNS is important, right? For those of you that don't know what DNS is, DNS is like the Yellow Pages for the internet, so we don't have to remember IP addresses. But even then there's a really important thing called host headers, and DNS allows us to properly host multiple domains from a single IP address using host headers. So DNS is super duper important, even internally; if you're running Active Directory, or however your directory services are set up, DNS is very, very important.

So what we're going to look at in this video is a few ways (this is definitely not a comprehensive list) to take control of your DNS. What we've got is my UDR, and one thing I want to talk about is content filtering; that's one of the biggest things that we control DNS for, either at home or in the corporate environment. Now the UDR, the UDM, the UDM Pro, the UDM SE, the UniFi Dream Wall, they all do have a level of content filtering that is available; they do have some rules we're going to look at here in a second. But this site, cleanbrowsing.org, has some free DNS servers that you can use. You can see here they've got a Family Filter, which blocks access to all adult, pornographic and explicit sites and also blocks proxies and VPNs. That's one of the things about locking down your traffic: do you allow VPNs and proxies? Then they have just the Adult Filter, and then they have the Security Filter, and this one just blocks phishing, spam, malware and malicious domains, which is very important. And if you use a commercial service like Cisco Umbrella or DNSFilter, then you're going to get this kind of granular level, and towards the end of this I'm going to show you another way to accomplish this without using one of these services. Now you could also use a Pi-hole, you could use AdGuard, all of those things, so you can take what I'm going to show you and mix and match it and kind of figure it out.

What we're going to do real quick is hop over to the UDR, and the first thing we're going to do is go to Traffic Management and create a rule, because we also don't want DNS over HTTPS to work. So the first thing we're going to do is come in here and block an app: we're going to block DNS, and then we're going to block DNS over TLS, and our target here is going to be all devices and the schedule is going to be always, and this is blocking apps. All right, so that's the first step. Now what you're going to notice is, when I open this command prompt, even after the UDR is ready, if I do an nslookup on google.com and I go to 1.1.1.1, it is still going directly out to the internet to 1.1.1.1, because I specify that. If you do an nslookup with the domain name and then you specify the DNS server, it's still going out, and no matter how long we wait it is still going to just go back out and work, because we haven't really blocked it at the firewall level; we're doing it at a different level, kind of blocking apps with this. Now I will also tell you real quick that if you have the ad blocking enabled, this is not going to work. If you're using the built-in ad blocking, and I've reported this to Ubiquiti, if you use the built-in ad blocking this is not going to work at all.

All right, so the next thing we're going to do is, we've got our firewall rules from our last video, but we're going to modify those. On this Accept rule we're going to come in here and change... you can see I've already started changing the port group. What we're going to do is actually go to our port group and remove DNS, and then create another group just called DNS and add 53 to that, and apply the changes. Then we're going to come back to our firewall and create a new... well, the first thing I'm going to do is change the name of this to Allow HTTP HTTPS, because that's that rule, and then I'm going to change this rule, All Non-HTTPS, but then I'm going to explicitly block DNS. So I'm going to come in here: it's going to be an Internet Out rule, Block DNS, it's going to be before our predefined rules, any, and it's going to be port group DNS. We're going to apply the changes, but then I'm going to drag that rule all the way to the top, and we're going to wait a couple of seconds so that our UDR can catch up. But now, if I do an nslookup google.com and try to go out to 1.1.1.1, it's being blocked; that traffic is no longer being allowed out. If I get rid of google.com, now you can see that the server is unified.willihow.net, which is the UDR, and it returns it. So the UDR is now sitting in the middle and is doing these requests. Now this is where, if you had a Pi-hole, you could hand that out as the DNS server and you could create an allow rule that allows the Pi-hole to get out.

In this case, how this is working right now is it's using the DHCP DNS servers that my UDR is getting from my ISP, but what we're going to do is set up this Family Filter. Now you can also sign up for this and make this granular, but we're going to go ahead and override my ISP's DNS servers so that we block pornographic and explicit sites. So let's see how this is going to work. The first thing I'm going to do is copy this, which is the first DNS server; this is free, anybody can use this portion of it. Now I'm going to go to Internet, go in here, uncheck this Auto DNS Server, put a primary and a secondary in, and apply those changes. Now what's going to happen, once the UDR is done getting ready (still answering... is it ready yet? It's ready), here's the theory. We're going to test this out: we're going to try to open a pornographic site and see if it gets blocked. You'll notice I haven't done anything different with my client; we only changed it on the UDR. So hold on just a second. All right, so here we are at our private browsing window and we're going to type in pornhub.com. It is blocked; we can't get there, name not resolved. Let's try now going to Google: loads just fine. So you can try any spicy site that you want. Let's see if we can get Private Internet Access to load, because they are supposed to block VPNs, and there you go, I can't get Private Internet Access to load either. So this filter is doing its job. Now we can't get to VPNs, the only outbound allowed ports that we have are 80 and 443, we've got all of these things running, all the content filtering and all this stuff, and so we are in pretty darn good shape. This thing is locked down pretty good from that standpoint.

But let me show you one thing, hold on just a second. If you want a router that can do a lot of this and has the granular access that you're looking for, check out the Synology line of routers. They're powerful; you can use them in line as a transparent filter, you don't have to use their Wi-Fi, you can do everything wired, and you can achieve this type of security with this device, so you wouldn't have to necessarily use a third-party service. Now you do have to recognize that there are limitations. Synology has built limitations into these devices, such as you can only do five VLANs, but in a home, who's really going to have more than five VLANs? Now some homes, yes, will have many, many VLANs, but those are going to be edge cases. I still believe that as far as devices go in this niche, in this market segment, Synology still has the best content filtering of all.

So if you've got questions about this, let me know down in the comments, and if you want to see how to take this even a little further, let me know, because then what we can do is actually set up logging and we can do all kinds of things; you can be alerted when people are trying to access certain kinds of sites. Let me know if you're interested in that. Also make sure you give this video a thumbs up and that you subscribe, comment, share, and follow me on my social channels down below. If you want to support the channel, we do have affiliate links down below; you don't have to use those, but it does kick a couple of bucks to the channel and is greatly appreciated, along with our Patreon link. And if you want to set up your network like this, whether it's a small network, a home network, a business network, all the way up to enterprise, we do handle all those types of things. You can reach out at willyhowe.com, click Hire Us or Contact Us, fill that information out, and someone will be in touch with you as soon as possible. Once again, I'm Willie, I want to thank you for being here, and as always, I'll see you in the next video.
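The key point in the firewall part of the video is rule order: the explicit Block DNS rule only works once it sits above any allow rule whose port group still contains 53, which is why the rule is dragged to the top. The following added example (not code from the video or from Ubiquiti) is a small first-match model of that Internet Out rule set. The LAN prefix, the router and Pi-hole addresses, the upstream resolver address and the sample flows are all constructed for illustration; the real UDR evaluates rules in its own engine, and this model only looks at destination port and source host.

```python
"""Added example: a first-match model of a UniFi-style 'Internet Out' rule
set, used to check that an explicit 'Block DNS' rule really is reached
before any rule that could allow port 53. All addresses are constructed."""
from dataclasses import dataclass, field

LAN = "192.168.1."          # constructed LAN prefix
ROUTER = "192.168.1.1"      # constructed UDR address (clients resolve via it)
PIHOLE = "192.168.1.53"     # hypothetical Pi-hole, the exception the video mentions
UPSTREAM = "203.0.113.53"   # placeholder upstream resolver (TEST-NET-3 range)


@dataclass
class Rule:
    name: str
    action: str                                  # "allow" or "block"
    dst_ports: set = field(default_factory=set)  # empty = any port
    src_hosts: set = field(default_factory=set)  # empty = any LAN source


@dataclass
class Flow:
    src: str
    dst: str
    dst_port: int
    proto: str = "udp"


def is_internet_out(flow):
    """Only LAN -> WAN traffic is subject to the Internet Out rule set."""
    return flow.src.startswith(LAN) and not flow.dst.startswith(LAN)


def evaluate(rules, flow, default="allow"):
    """Return (verdict, matching rule name). Local traffic, such as a client
    asking the UDR itself on port 53, never enters the rule list here."""
    if not is_internet_out(flow):
        return ("allow", "local")
    for r in rules:                              # first match wins
        if r.dst_ports and flow.dst_port not in r.dst_ports:
            continue
        if r.src_hosts and flow.src not in r.src_hosts:
            continue
        return (r.action, r.name)
    return (default, "default")


# State before the edit: 53 still in the web allow group, no explicit block.
# This is why nslookup against 1.1.1.1 kept working at that point in the video.
BEFORE_EDIT = [
    Rule("Allow HTTP HTTPS DNS", "allow", {53, 80, 443}),
    Rule("Block All Non-HTTPS", "block"),
]

# Explicit block added but NOT dragged to the top: the allow still wins.
MISORDERED = [
    Rule("Allow HTTP HTTPS DNS", "allow", {53, 80, 443}),
    Rule("Block DNS", "block", {53}),
    Rule("Block All Non-HTTPS", "block"),
]

# Final state from the video: 53 removed from the web group, Block DNS at the
# top, plus a hypothetical allow so a Pi-hole can reach its upstream resolver.
LOCKED_DOWN = [
    Rule("Allow Pi-hole DNS", "allow", {53}, {PIHOLE}),
    Rule("Block DNS", "block", {53}),
    Rule("Allow HTTP HTTPS", "allow", {80, 443}),
    Rule("Block All Non-HTTPS", "block"),
]

# Constructed sample flows. Note that DNS over HTTPS rides on 443 and is
# indistinguishable from web traffic in a port model; that is why the video
# adds an app-level block in Traffic Management on top of the firewall rules.
SAMPLE_FLOWS = {
    "client_to_public_dns": Flow("192.168.1.20", "1.1.1.1", 53),
    "client_to_router_dns": Flow("192.168.1.20", ROUTER, 53),
    "client_https": Flow("192.168.1.20", "198.51.100.80", 443, "tcp"),
    "client_dot": Flow("192.168.1.20", "1.1.1.1", 853, "tcp"),
    "pihole_upstream": Flow(PIHOLE, UPSTREAM, 53),
}


def verdicts(rules, flows=SAMPLE_FLOWS):
    """Map each sample flow name to its allow/block verdict under `rules`."""
    return {name: evaluate(rules, f)[0] for name, f in flows.items()}


if __name__ == "__main__":
    for label, rules in (("before edit", BEFORE_EDIT),
                         ("misordered", MISORDERED),
                         ("locked down", LOCKED_DOWN)):
        print(f"{label:12s} {verdicts(rules)}")
```

Running it shows the same progression as the video: under `BEFORE_EDIT` and `MISORDERED` a client's query to a public resolver is allowed by the web rule before the block is ever consulted, while under `LOCKED_DOWN` it is blocked by name, the query to the router stays local, and only the Pi-hole host is permitted to reach the upstream resolver on 53.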
Info
Channel: Willie Howe
Views: 15,878
Rating: undefined out of 5
Keywords: udr, dns, dns filtering, content filtering, parental controls, block vpn, block torrents, network setup, network security, unifi dns control, udr content filtering, unifi content filtering, synology content filtering, lock down dns, dns lockdown, how to block vpns, unifi dream machine pro, unifi dream router, willie howe, willie howe unifi, willie howe synology, willie howe technology
Id: HpJWalkjUDg
Channel Id: undefined
Length: 11min 55sec (715 seconds)
Published: Mon May 15 2023