Emerging Member
Posts: 92
Registered: ‎11-13-2013
Kudos: 9
Solutions: 4
How to prevent circumvention of Open DNS with USG?

How can I prevent circumvention of OpenDNS with the UniFi Security Gateway, without using SSH?

There is a thread on here to do it with SSH, but I've never used it before. I'm wondering if it can be done with the UniFi Controller 5.3.8. I tried to do it like this, but nothing happens (screenshot: 2017-02-09 (2).png). I can still bypass OpenDNS by using a different server. I am also very new to networking.

Any help is appreciated.


Accepted Solutions
Regular Member
Posts: 459
Registered: ‎07-22-2016
Kudos: 189
Solutions: 27

Re: How to prevent circumvention of Open DNS with USG?

Change ADDRv4 to NETv4, and the Destination should be port 53, not LAN. Your Allow rule is wrong also: the Destination has to have the OpenDNS IP and port 53.

(screenshot: Screen Shot 2017-02-09 at 7.32.30 PM.png)


All Replies
Emerging Member
Posts: 92
Registered: ‎11-13-2013
Kudos: 9
Solutions: 4

Re: How to prevent circumvention of Open DNS with USG?

All right, thank you sir. I'm not sure how, but it works!

Regular Member
Posts: 408
Registered: ‎09-15-2016
Kudos: 165
Solutions: 25

Re: How to prevent circumvention of Open DNS with USG?

What don't you understand? Maybe we can explain it differently.

 

ADDRv4 is the address of the firewall interface on the network specified, not the network - that's why you had to change that. The other change is obvious.

Emerging Member
Posts: 92
Registered: ‎11-13-2013
Kudos: 9
Solutions: 4

Re: How to prevent circumvention of Open DNS with USG?

Well, for one, I don't understand a firewall at all. To me it seems like a living, thinking, understanding machine: it seems like if I type something in the Name field, like 'Allow dns server', and have the other options remotely close to where they should be, it works.

Or does everything have to be correct to work?

Could I type anything into the Name field and still have it allow the DNS server? Or does it have to be close to what I want it to do?

Regular Member
Posts: 408
Registered: ‎09-15-2016
Kudos: 165
Solutions: 25

Re: How to prevent circumvention of Open DNS with USG?

Name doesn't mean anything, that is just there for your convenience. You could name it "I like Ice Cream" and it would work the exact same. The only things that matter are:

1. Protocol (e.g. UDP / TCP)

2. Source

3. Destination

4. Protocol

 

The firewall rule simply checks network packets to see if they match all of the above, and then permits/denies the packet as specified. Simple as that.
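To make the matching described in this reply concrete, here is an added Python model of first-match rule evaluation (example code, not the USG's firewall and not from the original thread). It assumes a constructed LAN of 192.168.1.0/24 with the gateway at 192.168.1.1, and uses OpenDNS's public resolvers as the allowed destination; the BAD_RULES set reproduces the ADDRv4 mistake from the accepted answer, where the source matches only the gateway's own address and client traffic never hits the rules.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Set

# Constructed sample addressing: LAN 192.168.1.0/24 with the USG at 192.168.1.1.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")      # what NETv4 matches
USG_ADDR = ipaddress.ip_network("192.168.1.1/32")     # what ADDRv4 actually matches
OPENDNS = {ipaddress.ip_address("208.67.222.222"),    # OpenDNS public resolvers
           ipaddress.ip_address("208.67.220.220")}

@dataclass
class Rule:
    name: str                   # purely cosmetic, as the reply says
    action: str                 # "accept" or "drop"
    protocols: Set[str]         # e.g. {"udp", "tcp"}
    src_net: ipaddress.IPv4Network
    dst_ips: Optional[Set[ipaddress.IPv4Address]]  # None = any destination
    dst_port: Optional[int]     # None = any port

    def matches(self, proto, src, dst, dport):
        # Every field must match; the Name field plays no part.
        return (proto in self.protocols and src in self.src_net
                and (self.dst_ips is None or dst in self.dst_ips)
                and (self.dst_port is None or dport == self.dst_port))

def evaluate(rules, proto, src, dst, dport, default="accept"):
    """Walk the rule list top to bottom and return (action, rule name) of the first match."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(proto, src, dst, dport):
            return rule.action, rule.name
    return default, "default"

# Rules as in the accepted solution: source is the LAN *network* (NETv4),
# allow DNS only to OpenDNS, then drop every other port-53 packet.
GOOD_RULES = [
    Rule("Allow dns server", "accept", {"udp", "tcp"}, LAN_NET, OPENDNS, 53),
    Rule("Block other DNS", "drop", {"udp", "tcp"}, LAN_NET, None, 53),
]
# The original mistake: source set to ADDRv4, i.e. only the gateway's own address,
# so packets from LAN clients match nothing and fall through to the default.
BAD_RULES = [
    Rule("Allow dns server", "accept", {"udp", "tcp"}, USG_ADDR, OPENDNS, 53),
    Rule("Block other DNS", "drop", {"udp", "tcp"}, USG_ADDR, None, 53),
]
```

Running a client's query to 8.8.8.8 through BAD_RULES returns the default accept, which is exactly the bypass the original poster observed.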

Emerging Member
Posts: 92
Registered: ‎11-13-2013
Kudos: 9
Solutions: 4

Re: How to prevent circumvention of Open DNS with USG?

OK, that makes pretty good sense.

I am also trying to block VPNs with the firewall. How would I do that?

Not sure if I can ask it here or should start a new post.

Regular Member
Posts: 489
Registered: ‎12-18-2015
Kudos: 214
Solutions: 37

Re: How to prevent circumvention of Open DNS with USG?


@Wannabe Which type of VPNs are you wanting to block?

 

Deny on LAN_IN or LAN_OUT

IPsec: Block destination UDP ports 500 and 4500

OpenVPN: Block destination UDP port 1194 (this can be changed to run through 443 and 80, so it's hard to tackle).

 

Pointing to OpenDNS and utilizing an account to content filter on "proxies and anonymizers" is pretty easy as well.

Emerging Member
Posts: 92
Registered: ‎11-13-2013
Kudos: 9
Solutions: 4

Re: How to prevent circumvention of Open DNS with USG?

Well, I don't know. I just have a VPN app on my Android phone, and am trying to block it so I can't use it.

New Member
Posts: 20
Registered: ‎05-02-2016
Kudos: 11
Solutions: 2

Re: How to prevent circumvention of Open DNS with USG?

You may want to see This Thread.

Emerging Member
Posts: 92
Registered: ‎11-13-2013
Kudos: 9
Solutions: 4

Re: How to prevent circumvention of Open DNS with USG?

Here is a screenshot of what I did, and it works. Thanks for all the help. (screenshot: 2017-02-19 (2).png)

New Member
Posts: 20
Registered: ‎05-02-2016
Kudos: 11
Solutions: 2

Re: How to prevent circumvention of Open DNS with USG?

You will have a better effect by redirecting DNS requests to your server.

I'm used to having Google DNS on my laptop, and with your configuration I would not have internet due to your DNS blocking.

If you redirect DNS with a config.gateway.json like this (don't forget to set the correct USG IP):

{
  "service": {
    "nat": {
      "rule": {
        "1": {
          "description": "DNS Redirect",
          "destination": {
            "address": "!10.2.1.1",
            "port": "53"
          },
          "inbound-interface": "eth1",
          "inside-address": {
            "address": "10.2.1.1"
          },
          "log": "disable",
          "protocol": "tcp_udp",
          "type": "destination"
        }
      }
    }
  }
}

Users with other DNS servers are redirected without noticing it.

Emerging Member
Posts: 92
Registered: ‎11-13-2013
Kudos: 9
Solutions: 4

Re: How to prevent circumvention of Open DNS with USG?

Would you know how to do that without using the config.gateway.json? I have never used it and am very new to networking.

New Member
Posts: 29
Registered: ‎11-06-2015
Kudos: 21

Re: How to prevent circumvention of Open DNS with USG?

Please see this thread where I originally detailed how I came up with this. I attached the sample JSON files in the thread...

 

https://community.ubnt.com/t5/UniFi-Routing-Switching/USG-Firewall-Rules-for-OpenDNS/m-p/1807093#M33...

New Member
Posts: 37
Registered: ‎10-14-2016
Kudos: 3

Re: How to prevent circumvention of Open DNS with USG?

I'm confused. I'd like to do the same thing as the OP but nervous to make any changes and get locked out.

 

I mainly want to block a specific VLAN from changing their DNS settings. I haven't made any changes to my Firewall; if someone could help me out with a walkthrough that would be great. I already have the VLAN set up to use OpenDNS and have a dynamic DNS service set up to update OpenDNS with my IP address.

 

If it helps, my VLAN is 50 and gateway/subnet is 10.0.4.1/24 for that VLAN, and I've already set up an address group for it, but not sure exactly how to configure the rest. Could someone give me a step-by-step of what rules I should add to my firewall and what goes in the config.gateway.json file?

Home network: Latest controller running on Ubuntu 18.0.4 via Docker (Stable Candidate Tag), USG, USW-24, USW-8-60, USW-8, 2x UAP-AC-Pro, 2x UAP-AC-M - Future plans for 11 Unifi cameras

Work network: Stable 5.8.x running on Digital Ocean, USG, USW-24, 5x UAP-AC-Lite, NVR, 2x G3 Cameras, 1x G3 Pro Camera, 4x G3 Dome Cameras
New Member
Posts: 37
Registered: ‎10-14-2016
Kudos: 3

Re: How to prevent circumvention of Open DNS with USG?


@mikestecker wrote:

I'm confused. I'd like to do the same thing as the OP but nervous to make any changes and get locked out.

 

I mainly want to block a specific VLAN from changing their DNS settings. I haven't made any changes to my Firewall; if someone could help me out with a walkthrough that would be great. I already have the VLAN set up to use OpenDNS and have a dynamic DNS service set up to update OpenDNS with my IP address.

 

If it helps, my VLAN is 50 and gateway/subnet is 10.0.4.1/24 for that VLAN, and I've already set up an address group for it, but not sure exactly how to configure the rest. Could someone give me a step-by-step of what rules I should add to my firewall and what goes in the config.gateway.json file?


I think I figured it out. I set up the following config.gateway.json file but no rules through the UI. So far it seems to be working. I tried manually changing the DNS on a device and then visiting a site that should be blocked, and it successfully blocked the site.

 

{
  "service": {
    "nat": {
      "rule": {
        "1": {
          "description": "DNS Redirect",
          "destination": {
            "address": "!10.0.4.1",
            "port": "53"
          },
          "inbound-interface": "eth1.40",
          "inside-address": {
            "address": "10.0.4.1"
          },
          "log": "disable",
          "protocol": "tcp_udp",
          "type": "destination"
        }
      }
    }
  }
}
Emerging Member
Posts: 69
Registered: ‎12-21-2016
Kudos: 36
Solutions: 1

Re: How to prevent circumvention of Open DNS with USG?

I'm trying something similar and having trouble with it.

I have a caching server (with forwarding) running in the LAN. So I have one rule to allow that server (by IP group and port group) out to Google's DNS (IP group containing 8.8.8.8 and 8.8.4.4, and port group). I have a second rule that drops all port 53 from LAN NETv4. Both rules on WAN OUT seem to kill all DNS resolution.

New Member
Posts: 6
Registered: ‎07-22-2017

Re: How to prevent circumvention of Open DNS with USG?

I did exactly what you did, but the settings seem to have no impact. I restarted the controller after modifying the config.gateway.json file but still it doesn't seem to work. Is there a way to test that the file is being picked up?

Senior Member
Posts: 2,857
Registered: ‎04-26-2016
Kudos: 1072
Solutions: 291

Re: How to prevent circumvention of Open DNS with USG?

Did you reprovision the USG?

 

Any problems with the config file will be logged in server.log on the controller.
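Before reprovisioning, the config file can be checked offline for the two failure modes this thread ran into: JSON that does not parse (which server.log will reject) and a DNS-redirect rule whose addresses or interface do not match the VLAN it is meant for. Here is an added Python checker for exactly that rule shape (example code, not a Ubiquiti tool); SAMPLE_CONFIG is a constructed copy of the VLAN 50 rule posted above, and the field names it inspects are only those that appear in the two configs in this thread.

```python
import json

# Constructed copy of the DNS-redirect rule posted above (VLAN 50, gateway 10.0.4.1 on eth1.40).
SAMPLE_CONFIG = """
{
  "service": { "nat": { "rule": { "1": {
    "description": "DNS Redirect",
    "destination": { "address": "!10.0.4.1", "port": "53" },
    "inbound-interface": "eth1.40",
    "inside-address": { "address": "10.0.4.1" },
    "log": "disable",
    "protocol": "tcp_udp",
    "type": "destination"
  } } } }
}
"""

def load_gateway_config(text):
    """Parse config.gateway.json; a syntax error (e.g. a trailing comma) is the usual reason it is rejected."""
    try:
        return json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"invalid JSON at line {exc.lineno}, column {exc.colno}: {exc.msg}") from exc

def check_dns_redirect(cfg, gateway_ip, interface):
    """Return a list of problems with the DNS-redirect NAT rule(s); an empty list means consistent."""
    problems = []
    rules = cfg.get("service", {}).get("nat", {}).get("rule", {})
    if not rules:
        return ["no service.nat.rule entries found"]
    for num, rule in rules.items():
        dst = rule.get("destination", {})
        inside = rule.get("inside-address", {}).get("address")
        if rule.get("type") != "destination":
            problems.append(f"rule {num}: type must be 'destination' for a DNAT redirect")
        if dst.get("port") != "53":
            problems.append(f"rule {num}: destination port should be '53'")
        if rule.get("protocol") != "tcp_udp":
            problems.append(f"rule {num}: protocol should be 'tcp_udp' to catch both UDP and TCP DNS")
        if rule.get("inbound-interface") != interface:
            problems.append(f"rule {num}: inbound-interface {rule.get('inbound-interface')!r} is not {interface!r}")
        if inside != gateway_ip:
            problems.append(f"rule {num}: inside-address should be the VLAN gateway {gateway_ip}")
        # The excluded destination must be the same address the rule redirects to,
        # otherwise queries already aimed at the gateway are re-NATed or others slip past.
        if dst.get("address") != f"!{inside}":
            problems.append(f"rule {num}: destination address must be '!{inside}' to exclude the inside-address")
    return problems
```

A clean parse and an empty problem list only tell you the file is consistent; whether the USG actually applied it still shows up in server.log after a reprovision, as the reply above says.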
