How to lock down a Firewall to use Securly DNS?

Securly DNS filtering can be configured in two different ways. The first is at the device level, where you change the device's DNS settings to point directly at Securly's IPs; the downside is that this bypasses any internal DNS records you may have set up. The second is to set your DNS servers' forwarders to point to Securly's IPs.

With the forwarder approach, the DNS settings on a device can still be changed by the end user (especially on BYOD devices, where users likely have admin privileges), which would allow them to bypass filtering. It is therefore recommended that you implement firewall rules to prevent this easily discovered circumvention technique.

The exact firewall rules depend on the model and version of your firewall, but here are some guidelines for the basic allow and deny rules to get you started.

Recommended Setup


Understanding the Rules

Rule #1: Allows any device on the network to reach the Securly DNS servers. Each cluster has different DNS servers; check your deployment documentation or consult Securly for the addresses.

Rule #2: Allows selected devices, such as your internal DNS server, to query any DNS server. This is a good rule to have in place while you are planning the switch to Securly: the internal DNS server can be pointed at a non-Securly DNS to "turn off" filtering.

Rule #3: This is an optional rule. Some firewalls can redirect outbound DNS requests to a different DNS server. This can be used to force users onto the Securly DNS IP, or alternatively to loop them back to the internal DNS server. It helps with users whose DNS settings are statically set to other servers.

Rule #4: This is an optional rule that helps block the QUIC protocol. DNSCrypt is a new DNS service that runs on non-standard DNS ports, so blocking additional ports is recommended.

Rule #5: It is important to block all other DNS requests so that only the traffic permitted by the rules above gets through. This rule blocks both TCP and UDP traffic on port 53.

Note that the Allow rules are only for UDP port 53.
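The rule order matters: if the deny rule (#5) is evaluated before the allow rules, Securly traffic is blocked too. The following is an added example, not Securly's code or part of this article, that models the rules above as a first-match policy so the ordering can be checked offline before it is typed into a real firewall; every IP address in it is a placeholder (TEST-NET and RFC 1918 ranges), not a real Securly resolver, and the redirect of Rule #3 is not modelled.

```python
# Added example, not Securly's code: first-match evaluator for the DNS lockdown
# rules above. All IPs are placeholders, not real Securly addresses.
from dataclasses import dataclass
from typing import Optional

SECURLY_DNS = frozenset({"192.0.2.10", "192.0.2.11"})   # placeholder Securly resolvers
INTERNAL_DNS = frozenset({"10.0.0.53"})                  # constructed internal forwarder
ANY = None                                               # wildcard for src/dst
UDP, BOTH = frozenset({"udp"}), frozenset({"udp", "tcp"})

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "allow" or "deny"
    src: Optional[frozenset]    # None matches any source address
    dst: Optional[frozenset]    # None matches any destination address
    protos: frozenset
    dports: frozenset

    def matches(self, src: str, dst: str, proto: str, dport: int) -> bool:
        return ((self.src is None or src in self.src) and (self.dst is None or dst in self.dst)
                and proto in self.protos and dport in self.dports)

RULESET = [
    Rule("1 allow device -> Securly", "allow", ANY, SECURLY_DNS, UDP, frozenset({53})),
    Rule("2 allow internal DNS -> any", "allow", INTERNAL_DNS, ANY, UDP, frozenset({53})),
    # Rule #4 (optional): QUIC is UDP/443; add the DNSCrypt ports your resolvers use here
    Rule("4 deny QUIC/DNSCrypt", "deny", ANY, ANY, UDP, frozenset({443})),
    Rule("5 deny all other DNS", "deny", ANY, ANY, BOTH, frozenset({53})),
]

def evaluate(src, dst, proto, dport, rules=RULESET):
    """First matching rule wins; unmatched traffic is left to the rest of the policy."""
    for r in rules:
        if r.matches(src, dst, proto, dport):
            return r.action, r.name
    return "no-match", None

# Constructed canary flows with the verdict a correct ordering must produce.
CANARIES = [
    (("10.0.5.20", "192.0.2.10", "udp", 53), "allow"),       # device -> Securly DNS
    (("10.0.5.20", "192.0.2.10", "tcp", 53), "deny"),        # allow rules are UDP only
    (("10.0.5.20", "203.0.113.53", "udp", 53), "deny"),      # user-set third-party resolver
    (("10.0.0.53", "203.0.113.53", "udp", 53), "allow"),     # internal forwarder may reach any DNS
    (("10.0.5.20", "203.0.113.9", "udp", 443), "deny"),      # QUIC
    (("10.0.5.20", "203.0.113.9", "tcp", 443), "no-match"),  # ordinary HTTPS untouched
]

def check_policy(rules=RULESET):
    """Return canaries whose verdict differs from the expected one; [] means the order is sane."""
    return [(flow, want, evaluate(*flow, rules=rules)[0])
            for flow, want in CANARIES if evaluate(*flow, rules=rules)[0] != want]
```

Running `check_policy(RULESET[::-1])` shows what happens when the deny rule comes first: the device-to-Securly canary is reported as denied.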
