How to lock down a Firewall to use Securly DNS?


Securly DNS filtering can be configured in two different ways. The first is at the device level, where you point each device's DNS settings directly at Securly's IPs. This has the downside of bypassing any internal DNS records you may have set up. The second is to change the forwarders on your internal DNS servers to point at Securly's IPs, so devices keep using your internal servers and only external lookups go to Securly.

Even when your internal DNS servers forward to Securly, an end user can still change the DNS settings on the device itself (especially on BYOD, where users usually have admin privileges) and point it at any public resolver. That would let the user bypass filtering entirely. It is therefore recommended that you implement firewall rules that close off this easily discovered circumvention technique by allowing only the DNS traffic you intend.

The exact syntax will differ with the model and version of your firewall, but the basic allow and deny rules below are the guidelines you need to get started.

Recommended Setup


Understanding the Rules

Rule #1: This allows any device on the network to reach the Securly DNS servers. Each Securly cluster has different DNS server addresses, so check your deployment documentation or contact Securly support for the IPs that apply to you.

Rule #2: This allows a specific set of devices, your internal DNS servers, to reach any DNS server. It is a useful rule to have in place while you are planning the switch to Securly: the internal DNS servers' forwarders can be pointed at a non-Securly resolver to "turn off" filtering without touching the firewall, and then back to Securly when you are ready.

Rule #3: This is an optional rule. Some firewalls can rewrite (destination NAT) outbound DNS requests so they are delivered to a different DNS server. You can use this to force every client's queries onto the Securly DNS IP, or to loop them back to your internal DNS server. This helps devices whose DNS settings are statically set to other servers: instead of having their queries dropped by Rule #5 and losing name resolution, they are transparently served by the intended resolver.

Rule #4: This is an optional rule that covers transports which carry DNS (or web traffic) past a port 53 filter. QUIC runs over UDP port 443; blocking it outbound makes browsers fall back to TCP, where filtering can still see the traffic. DNSCrypt is a protocol that encrypts DNS queries and typically listens on port 443 rather than 53, and DNS over TLS (TCP 853) and DNS over HTTPS (TCP 443) do the same. Blocking UDP 443 and port 853 outbound is recommended. DNS over HTTPS shares TCP 443 with ordinary web traffic, so it cannot be blocked by port alone; it must be handled by blocking the IPs or hostnames of known public DoH resolvers.

Rule #5: It is important to block all other DNS requests so that only the traffic matched by the rules above is permitted. This rule drops both TCP and UDP traffic on port 53.

Note that the allow rules are only for UDP port 53. DNS clients retry over TCP port 53 when a UDP answer comes back truncated, and with this rule set such retries to Securly are dropped by Rule #5. If you see lookups failing on large responses, add TCP port 53 to the Rule #1 allow for the Securly IPs.
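To see how the five rules interact, here is an added example (not from the original article and not Securly's code) that models the rule table as a first-match egress filter in Python and runs constructed sample flows through it. The Securly resolver addresses (203.0.113.10 and .11, taken from the TEST-NET-3 documentation range), the internal DNS server 10.0.0.53 and the 10.0.0.0/8 LAN are assumptions; substitute the IPs from your deployment documentation. It goes slightly beyond the text in two places: Rule #4 is modelled as UDP 443 (QUIC) plus port 853 (DNS over TLS/QUIC), and one sample flow shows that DNS over HTTPS on TCP 443 is not caught by a port-based rule.

```python
"""First-match model of the five DNS lockdown rules described above.

Added illustration only. Resolver addresses are placeholders from the
TEST-NET-3 range; the internal DNS server and LAN range are assumed values.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Assumed addresses. Real Securly resolver IPs come from your deployment docs.
SECURLY_DNS = (ip_address("203.0.113.10"), ip_address("203.0.113.11"))
INTERNAL_DNS = ip_address("10.0.0.53")   # on-prem resolver that forwards to Securly
LAN = ip_network("10.0.0.0/8")
DNS_PORT = 53


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "udp" or "tcp"
    dport: int


def redirect(flow: Flow, target: Optional[str]) -> Flow:
    """Rule #3 (optional DNAT). Rewrite a client's port-53 query aimed at a
    foreign resolver so it lands on Securly ("securly") or loops back to the
    internal DNS server ("internal"). target=None means the rule is disabled."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    is_client_query = (flow.dport == DNS_PORT and src != INTERNAL_DNS
                       and dst not in SECURLY_DNS and dst != INTERNAL_DNS)
    if target is None or not is_client_query:
        return flow
    new_dst = SECURLY_DNS[0] if target == "securly" else INTERNAL_DNS
    return replace(flow, dst=str(new_dst))


def evaluate(flow: Flow) -> str:
    """Egress filter, first match wins. Returns 'allow' or 'deny'."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if dst in LAN:
        return "allow"   # stays inside the LAN and never reaches the egress filter
    if flow.proto == "udp" and flow.dport == DNS_PORT and dst in SECURLY_DNS:
        return "allow"   # Rule #1: any device may query Securly over UDP/53
    if flow.proto == "udp" and flow.dport == DNS_PORT and src == INTERNAL_DNS:
        return "allow"   # Rule #2: the internal resolver may query any DNS server
    if (flow.proto == "udp" and flow.dport == 443) or flow.dport == 853:
        return "deny"    # Rule #4: QUIC (UDP/443) and DNS over TLS/QUIC (853)
    if flow.dport == DNS_PORT:
        return "deny"    # Rule #5: every other DNS request, TCP and UDP
    return "allow"       # non-DNS traffic is outside this rule set


def decide(flow: Flow, dnat: Optional[str] = None) -> Tuple[str, str]:
    """Apply the optional Rule #3 rewrite, then the filter. Returns (final_dst, verdict)."""
    final = redirect(flow, dnat)
    return final.dst, evaluate(final)


# Constructed sample flows: a BYOD laptop at 10.1.2.3 and the internal resolver.
SAMPLES = {
    "byod to Securly udp/53":         Flow("10.1.2.3", "203.0.113.10", "udp", 53),
    "byod to public resolver udp/53": Flow("10.1.2.3", "8.8.8.8", "udp", 53),
    "internal DNS to public udp/53":  Flow("10.0.0.53", "8.8.8.8", "udp", 53),
    "byod to Securly tcp/53":         Flow("10.1.2.3", "203.0.113.10", "tcp", 53),
    "byod DNS over TLS tcp/853":      Flow("10.1.2.3", "1.1.1.1", "tcp", 853),
    "byod QUIC udp/443":              Flow("10.1.2.3", "1.1.1.1", "udp", 443),
    "byod DNS over HTTPS tcp/443":    Flow("10.1.2.3", "1.1.1.1", "tcp", 443),
}

if __name__ == "__main__":
    for name, flow in SAMPLES.items():
        print(f"{name:32} {decide(flow)}  with DNAT to Securly: {decide(flow, 'securly')}")
```

Running the module prints each sample flow's verdict with and without the Rule #3 rewrite. Two results are worth noticing: the client's TCP/53 query to Securly is dropped by Rule #5 because the allow rules are UDP-only, and the DoH flow to 1.1.1.1 passes because on TCP 443 it is indistinguishable from ordinary HTTPS by port.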
