ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    Firewalls & Restricting Outbound Traffic

    Scheduled Pinned Locked Moved IT Discussion
    92 Posts 8 Posters 9.0k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • scottalanmillerS
      scottalanmiller @anthonyh
      last edited by

      @anthonyh said in Firewalls & Restricting Outbound Traffic:

      @scottalanmiller said in Firewalls & Restricting Outbound Traffic:

      @anthonyh said in Firewalls & Restricting Outbound Traffic:

      @scottalanmiller said in Firewalls & Restricting Outbound Traffic:

      @anthonyh said in Firewalls & Restricting Outbound Traffic:

      @JaredBusch said in Firewalls & Restricting Outbound Traffic:

      @scottalanmiller said in Firewalls & Restricting Outbound Traffic:

      @anthonyh said in Firewalls & Restricting Outbound Traffic:

      @JaredBusch said in Firewalls & Restricting Outbound Traffic:

      @anthonyh said in Firewalls & Restricting Outbound Traffic:

      Ok, so perhaps the discussion should be...which ports would you blanket block?

      1. That's it. And it is blocked on every network I have ever had access to the core router of.

      You wouldn't want to force DNS at least, too? I'm liking the idea that DNS requests must be made by my DCs. Maybe it's not necessary.

      Are there cases for that? Okay. But you already control that in other ways. So I'm unclear what benefit you think that this will provide since you are talking about malware, not your users. Does malware looking things up on your DC provide some value to you?

      You cannot force client DNS 100% of the time to be what you want in a BYOD environment. If DNS control is a desire, blocking DNS at the router is the simpler method.

      It is unrelated to the blanket blocking discussion as it is a decision the business needs to decide if they need to make or not.

      What's the difference between blocking DNS at the router vs firewall? The idea being only permitted DNS servers would be allowed to perform DNS requests to the outside world. Everything on the inside would need to use the on premis DNS servers (aka our DCs).

      RIght, if you allow unmanaged devices onto your network, then it could make sense to use LAN security to control access to DNS. But I'd ask.. why do you let uncontrolled devices onto your network?

      Basically how I see this is an attempt at LAN based security, while also allowing skipping LAN management for the worst of both worlds mixed together.

      Where did I say I let unmanaged devices onto my network?

      That was the reason that Jared suggested for why you'd want to block DNS POrt 53. If you don't have unmanaged things on your network, what would blocking it get for you? It only makes sense if you have unmanaged things on the network.

      It would force any prospective clients on the network to only be able to use my DNS servers. Sure, everything on the (non-guest) network is managed, and I do my best to keep them all clean, but things happen and I know I'm not the worlds perfect sysadmin.

      I guess it's dumb after all.

      It would force them not to use Google or whatever. But it would not make them point to your AD. So it would break their access. Which might be what you want, but I'd guess not.

      anthonyhA 1 Reply Last reply Reply Quote 0
      • anthonyhA
        anthonyh @scottalanmiller
        last edited by

        @scottalanmiller said in Firewalls & Restricting Outbound Traffic:

        @anthonyh said in Firewalls & Restricting Outbound Traffic:

        @scottalanmiller said in Firewalls & Restricting Outbound Traffic:

        @anthonyh said in Firewalls & Restricting Outbound Traffic:

        @scottalanmiller said in Firewalls & Restricting Outbound Traffic:

        @anthonyh said in Firewalls & Restricting Outbound Traffic:

        @JaredBusch said in Firewalls & Restricting Outbound Traffic:

        @scottalanmiller said in Firewalls & Restricting Outbound Traffic:

        @anthonyh said in Firewalls & Restricting Outbound Traffic:

        @JaredBusch said in Firewalls & Restricting Outbound Traffic:

        @anthonyh said in Firewalls & Restricting Outbound Traffic:

        Ok, so perhaps the discussion should be...which ports would you blanket block?

        1. That's it. And it is blocked on every network I have ever had access to the core router of.

        You wouldn't want to force DNS at least, too? I'm liking the idea that DNS requests must be made by my DCs. Maybe it's not necessary.

        Are there cases for that? Okay. But you already control that in other ways. So I'm unclear what benefit you think that this will provide since you are talking about malware, not your users. Does malware looking things up on your DC provide some value to you?

        You cannot force client DNS 100% of the time to be what you want in a BYOD environment. If DNS control is a desire, blocking DNS at the router is the simpler method.

        It is unrelated to the blanket blocking discussion as it is a decision the business needs to decide if they need to make or not.

        What's the difference between blocking DNS at the router vs firewall? The idea being only permitted DNS servers would be allowed to perform DNS requests to the outside world. Everything on the inside would need to use the on premis DNS servers (aka our DCs).

        RIght, if you allow unmanaged devices onto your network, then it could make sense to use LAN security to control access to DNS. But I'd ask.. why do you let uncontrolled devices onto your network?

        Basically how I see this is an attempt at LAN based security, while also allowing skipping LAN management for the worst of both worlds mixed together.

        Where did I say I let unmanaged devices onto my network?

        That was the reason that Jared suggested for why you'd want to block DNS POrt 53. If you don't have unmanaged things on your network, what would blocking it get for you? It only makes sense if you have unmanaged things on the network.

        It would force any prospective clients on the network to only be able to use my DNS servers. Sure, everything on the (non-guest) network is managed, and I do my best to keep them all clean, but things happen and I know I'm not the worlds perfect sysadmin.

        I guess it's dumb after all.

        It would force them not to use Google or whatever. But it would not make them point to your AD. So it would break their access. Which might be what you want, but I'd guess not.

        Yes, that'd be what I want. If DNS on a given host is ill-configured, it doesn't work. Exactly the behavior I'd expect.

        scottalanmillerS 1 Reply Last reply Reply Quote 3
        • scottalanmillerS
          scottalanmiller @anthonyh
          last edited by

          @anthonyh said in Firewalls & Restricting Outbound Traffic:

          @scottalanmiller said in Firewalls & Restricting Outbound Traffic:

          @anthonyh said in Firewalls & Restricting Outbound Traffic:

          @scottalanmiller said in Firewalls & Restricting Outbound Traffic:

          @anthonyh said in Firewalls & Restricting Outbound Traffic:

          @scottalanmiller said in Firewalls & Restricting Outbound Traffic:

          @anthonyh said in Firewalls & Restricting Outbound Traffic:

          @JaredBusch said in Firewalls & Restricting Outbound Traffic:

          @scottalanmiller said in Firewalls & Restricting Outbound Traffic:

          @anthonyh said in Firewalls & Restricting Outbound Traffic:

          @JaredBusch said in Firewalls & Restricting Outbound Traffic:

          @anthonyh said in Firewalls & Restricting Outbound Traffic:

          Ok, so perhaps the discussion should be...which ports would you blanket block?

          1. That's it. And it is blocked on every network I have ever had access to the core router of.

          You wouldn't want to force DNS at least, too? I'm liking the idea that DNS requests must be made by my DCs. Maybe it's not necessary.

          Are there cases for that? Okay. But you already control that in other ways. So I'm unclear what benefit you think that this will provide since you are talking about malware, not your users. Does malware looking things up on your DC provide some value to you?

          You cannot force client DNS 100% of the time to be what you want in a BYOD environment. If DNS control is a desire, blocking DNS at the router is the simpler method.

          It is unrelated to the blanket blocking discussion as it is a decision the business needs to decide if they need to make or not.

          What's the difference between blocking DNS at the router vs firewall? The idea being only permitted DNS servers would be allowed to perform DNS requests to the outside world. Everything on the inside would need to use the on premis DNS servers (aka our DCs).

          RIght, if you allow unmanaged devices onto your network, then it could make sense to use LAN security to control access to DNS. But I'd ask.. why do you let uncontrolled devices onto your network?

          Basically how I see this is an attempt at LAN based security, while also allowing skipping LAN management for the worst of both worlds mixed together.

          Where did I say I let unmanaged devices onto my network?

          That was the reason that Jared suggested for why you'd want to block DNS POrt 53. If you don't have unmanaged things on your network, what would blocking it get for you? It only makes sense if you have unmanaged things on the network.

          It would force any prospective clients on the network to only be able to use my DNS servers. Sure, everything on the (non-guest) network is managed, and I do my best to keep them all clean, but things happen and I know I'm not the worlds perfect sysadmin.

          I guess it's dumb after all.

          It would force them not to use Google or whatever. But it would not make them point to your AD. So it would break their access. Which might be what you want, but I'd guess not.

          Yes, that'd be what I want. If DNS on a given host is ill-configured, it doesn't work. Exactly the behavior I'd expect.

          Expect, but want? Why do you want that? I'd rather fail soft than fail hard. If DNS doesn't work properly, it's an accident. If it is blocked and they can't work at all, it's not an accident any more and IT induced a problem. There are cases where that's preferable, but I'd wager that they are extremely rare. What's your benefit from forcing a more dramatic failure?

          anthonyhA 1 Reply Last reply Reply Quote 0
          • scottalanmillerS
            scottalanmiller
            last edited by

            Maybe do some role play... what is the use case where you end up with misconfigured DNS and then want to the person or system with that issue to really go offline completely? Like not just losing some things, but losing patching and monitoring too.

            JaredBuschJ anthonyhA 2 Replies Last reply Reply Quote 0
            • JaredBuschJ
              JaredBusch @anthonyh
              last edited by

              @anthonyh said in Firewalls & Restricting Outbound Traffic:

              @scottalanmiller said in Firewalls & Restricting Outbound Traffic:

              @anthonyh said in Firewalls & Restricting Outbound Traffic:

              @scottalanmiller said in Firewalls & Restricting Outbound Traffic:

              @anthonyh said in Firewalls & Restricting Outbound Traffic:

              @JaredBusch said in Firewalls & Restricting Outbound Traffic:

              @scottalanmiller said in Firewalls & Restricting Outbound Traffic:

              @anthonyh said in Firewalls & Restricting Outbound Traffic:

              @JaredBusch said in Firewalls & Restricting Outbound Traffic:

              @anthonyh said in Firewalls & Restricting Outbound Traffic:

              Ok, so perhaps the discussion should be...which ports would you blanket block?

              1. That's it. And it is blocked on every network I have ever had access to the core router of.

              You wouldn't want to force DNS at least, too? I'm liking the idea that DNS requests must be made by my DCs. Maybe it's not necessary.

              Are there cases for that? Okay. But you already control that in other ways. So I'm unclear what benefit you think that this will provide since you are talking about malware, not your users. Does malware looking things up on your DC provide some value to you?

              You cannot force client DNS 100% of the time to be what you want in a BYOD environment. If DNS control is a desire, blocking DNS at the router is the simpler method.

              It is unrelated to the blanket blocking discussion as it is a decision the business needs to decide if they need to make or not.

              What's the difference between blocking DNS at the router vs firewall? The idea being only permitted DNS servers would be allowed to perform DNS requests to the outside world. Everything on the inside would need to use the on premis DNS servers (aka our DCs).

              RIght, if you allow unmanaged devices onto your network, then it could make sense to use LAN security to control access to DNS. But I'd ask.. why do you let uncontrolled devices onto your network?

              Basically how I see this is an attempt at LAN based security, while also allowing skipping LAN management for the worst of both worlds mixed together.

              Where did I say I let unmanaged devices onto my network?

              That was the reason that Jared suggested for why you'd want to block DNS POrt 53. If you don't have unmanaged things on your network, what would blocking it get for you? It only makes sense if you have unmanaged things on the network.

              It would force any prospective clients on the network to only be able to use my DNS servers. Sure, everything on the (non-guest) network is managed, and I do my best to keep them all clean, but things happen and I know I'm not the worlds perfect sysadmin.

              I guess it's dumb after all.

              My opinion varies from Scott's a bit in that it is easier to block at the router than to deal with DNS control on all devices, even on controlled devices.

              anthonyhA scottalanmillerS 2 Replies Last reply Reply Quote 0
              • anthonyhA
                anthonyh @scottalanmiller
                last edited by anthonyh

                @scottalanmiller said in Firewalls & Restricting Outbound Traffic:

                @anthonyh said in Firewalls & Restricting Outbound Traffic:

                @scottalanmiller said in Firewalls & Restricting Outbound Traffic:

                @anthonyh said in Firewalls & Restricting Outbound Traffic:

                @scottalanmiller said in Firewalls & Restricting Outbound Traffic:

                @anthonyh said in Firewalls & Restricting Outbound Traffic:

                @scottalanmiller said in Firewalls & Restricting Outbound Traffic:

                @anthonyh said in Firewalls & Restricting Outbound Traffic:

                @JaredBusch said in Firewalls & Restricting Outbound Traffic:

                @scottalanmiller said in Firewalls & Restricting Outbound Traffic:

                @anthonyh said in Firewalls & Restricting Outbound Traffic:

                @JaredBusch said in Firewalls & Restricting Outbound Traffic:

                @anthonyh said in Firewalls & Restricting Outbound Traffic:

                Ok, so perhaps the discussion should be...which ports would you blanket block?

                1. That's it. And it is blocked on every network I have ever had access to the core router of.

                You wouldn't want to force DNS at least, too? I'm liking the idea that DNS requests must be made by my DCs. Maybe it's not necessary.

                Are there cases for that? Okay. But you already control that in other ways. So I'm unclear what benefit you think that this will provide since you are talking about malware, not your users. Does malware looking things up on your DC provide some value to you?

                You cannot force client DNS 100% of the time to be what you want in a BYOD environment. If DNS control is a desire, blocking DNS at the router is the simpler method.

                It is unrelated to the blanket blocking discussion as it is a decision the business needs to decide if they need to make or not.

                What's the difference between blocking DNS at the router vs firewall? The idea being only permitted DNS servers would be allowed to perform DNS requests to the outside world. Everything on the inside would need to use the on premis DNS servers (aka our DCs).

                RIght, if you allow unmanaged devices onto your network, then it could make sense to use LAN security to control access to DNS. But I'd ask.. why do you let uncontrolled devices onto your network?

                Basically how I see this is an attempt at LAN based security, while also allowing skipping LAN management for the worst of both worlds mixed together.

                Where did I say I let unmanaged devices onto my network?

                That was the reason that Jared suggested for why you'd want to block DNS POrt 53. If you don't have unmanaged things on your network, what would blocking it get for you? It only makes sense if you have unmanaged things on the network.

                It would force any prospective clients on the network to only be able to use my DNS servers. Sure, everything on the (non-guest) network is managed, and I do my best to keep them all clean, but things happen and I know I'm not the worlds perfect sysadmin.

                I guess it's dumb after all.

                It would force them not to use Google or whatever. But it would not make them point to your AD. So it would break their access. Which might be what you want, but I'd guess not.

                Yes, that'd be what I want. If DNS on a given host is ill-configured, it doesn't work. Exactly the behavior I'd expect.

                Expect, but want? Why do you want that? I'd rather fail soft than fail hard. If DNS doesn't work properly, it's an accident. If it is blocked and they can't work at all, it's not an accident any more and IT induced a problem. There are cases where that's preferable, but I'd wager that they are extremely rare. What's your benefit from forcing a more dramatic failure?

                It would be brought to our attention and we would fix it. A soft failure may remain soft for an indeterminate amount of time.

                1 Reply Last reply Reply Quote 1
                • JaredBuschJ
                  JaredBusch @scottalanmiller
                  last edited by

                  @scottalanmiller said in Firewalls & Restricting Outbound Traffic:

                  Maybe do some role play... what is the use case where you end up with misconfigured DNS and then want to the person or system with that issue to really go offline completely? Like not just losing some things, but losing patching and monitoring too.

                  I have been down this road before, and yes. If someone was over at Art's Motel and had to set specific DNS setting in order to work right, and then comes back on my network and gets DHCP, but not a DHCP assigned DNS, then I want then to get no where.. Broken.

                  anthonyhA 1 Reply Last reply Reply Quote 1
                  • anthonyhA
                    anthonyh @JaredBusch
                    last edited by

                    @JaredBusch said in Firewalls & Restricting Outbound Traffic:

                    @anthonyh said in Firewalls & Restricting Outbound Traffic:

                    @scottalanmiller said in Firewalls & Restricting Outbound Traffic:

                    @anthonyh said in Firewalls & Restricting Outbound Traffic:

                    @scottalanmiller said in Firewalls & Restricting Outbound Traffic:

                    @anthonyh said in Firewalls & Restricting Outbound Traffic:

                    @JaredBusch said in Firewalls & Restricting Outbound Traffic:

                    @scottalanmiller said in Firewalls & Restricting Outbound Traffic:

                    @anthonyh said in Firewalls & Restricting Outbound Traffic:

                    @JaredBusch said in Firewalls & Restricting Outbound Traffic:

                    @anthonyh said in Firewalls & Restricting Outbound Traffic:

                    Ok, so perhaps the discussion should be...which ports would you blanket block?

                    1. That's it. And it is blocked on every network I have ever had access to the core router of.

                    You wouldn't want to force DNS at least, too? I'm liking the idea that DNS requests must be made by my DCs. Maybe it's not necessary.

                    Are there cases for that? Okay. But you already control that in other ways. So I'm unclear what benefit you think that this will provide since you are talking about malware, not your users. Does malware looking things up on your DC provide some value to you?

                    You cannot force client DNS 100% of the time to be what you want in a BYOD environment. If DNS control is a desire, blocking DNS at the router is the simpler method.

                    It is unrelated to the blanket blocking discussion as it is a decision the business needs to decide if they need to make or not.

                    What's the difference between blocking DNS at the router vs firewall? The idea being only permitted DNS servers would be allowed to perform DNS requests to the outside world. Everything on the inside would need to use the on premis DNS servers (aka our DCs).

                    RIght, if you allow unmanaged devices onto your network, then it could make sense to use LAN security to control access to DNS. But I'd ask.. why do you let uncontrolled devices onto your network?

                    Basically how I see this is an attempt at LAN based security, while also allowing skipping LAN management for the worst of both worlds mixed together.

                    Where did I say I let unmanaged devices onto my network?

                    That was the reason that Jared suggested for why you'd want to block DNS POrt 53. If you don't have unmanaged things on your network, what would blocking it get for you? It only makes sense if you have unmanaged things on the network.

                    It would force any prospective clients on the network to only be able to use my DNS servers. Sure, everything on the (non-guest) network is managed, and I do my best to keep them all clean, but things happen and I know I'm not the worlds perfect sysadmin.

                    I guess it's dumb after all.

                    My opinion varies from Scott's a bit in that it is easier to block at the router than to deal with DNS control on all devices, even on controlled devices.

                    I'm not following you. I've been talking about blocking at the edge (firewall/router whatev you want to refer to) the entire time.

                    JaredBuschJ 1 Reply Last reply Reply Quote 0
                    • anthonyhA
                      anthonyh @scottalanmiller
                      last edited by anthonyh

                      @scottalanmiller said in Firewalls & Restricting Outbound Traffic:

                      Maybe do some role play... what is the use case where you end up with misconfigured DNS and then want to the person or system with that issue to really go offline completely? Like not just losing some things, but losing patching and monitoring too.

                      Yes. Our users are terrible at reporting problems. If it just doesn't work, they'll let us know. If it kinda works, we may never hear about it. 😄

                      scottalanmillerS 1 Reply Last reply Reply Quote 0
                      • JaredBuschJ
                        JaredBusch @anthonyh
                        last edited by

                        @anthonyh said in Firewalls & Restricting Outbound Traffic:

                        @JaredBusch said in Firewalls & Restricting Outbound Traffic:

                        @anthonyh said in Firewalls & Restricting Outbound Traffic:

                        @scottalanmiller said in Firewalls & Restricting Outbound Traffic:

                        @anthonyh said in Firewalls & Restricting Outbound Traffic:

                        @scottalanmiller said in Firewalls & Restricting Outbound Traffic:

                        @anthonyh said in Firewalls & Restricting Outbound Traffic:

                        @JaredBusch said in Firewalls & Restricting Outbound Traffic:

                        @scottalanmiller said in Firewalls & Restricting Outbound Traffic:

                        @anthonyh said in Firewalls & Restricting Outbound Traffic:

                        @JaredBusch said in Firewalls & Restricting Outbound Traffic:

                        @anthonyh said in Firewalls & Restricting Outbound Traffic:

                        Ok, so perhaps the discussion should be...which ports would you blanket block?

                        1. That's it. And it is blocked on every network I have ever had access to the core router of.

                        You wouldn't want to force DNS at least, too? I'm liking the idea that DNS requests must be made by my DCs. Maybe it's not necessary.

                        Are there cases for that? Okay. But you already control that in other ways. So I'm unclear what benefit you think that this will provide since you are talking about malware, not your users. Does malware looking things up on your DC provide some value to you?

                        You cannot force client DNS 100% of the time to be what you want in a BYOD environment. If DNS control is a desire, blocking DNS at the router is the simpler method.

                        It is unrelated to the blanket blocking discussion as it is a decision the business needs to decide if they need to make or not.

                        What's the difference between blocking DNS at the router vs firewall? The idea being only permitted DNS servers would be allowed to perform DNS requests to the outside world. Everything on the inside would need to use the on premis DNS servers (aka our DCs).

                        RIght, if you allow unmanaged devices onto your network, then it could make sense to use LAN security to control access to DNS. But I'd ask.. why do you let uncontrolled devices onto your network?

                        Basically how I see this is an attempt at LAN based security, while also allowing skipping LAN management for the worst of both worlds mixed together.

                        Where did I say I let unmanaged devices onto my network?

                        That was the reason that Jared suggested for why you'd want to block DNS POrt 53. If you don't have unmanaged things on your network, what would blocking it get for you? It only makes sense if you have unmanaged things on the network.

                        It would force any prospective clients on the network to only be able to use my DNS servers. Sure, everything on the (non-guest) network is managed, and I do my best to keep them all clean, but things happen and I know I'm not the worlds perfect sysadmin.

                        I guess it's dumb after all.

                        My opinion varies from Scott's a bit in that it is easier to block at the router than to deal with DNS control on all devices, even on controlled devices.

                        I'm not following you. I've been talking about blocking at the edge (firewall/router whatev you want to refer to) the entire time.

                        Scott is saying not to even bother on that. He sees no point. I disagree saying it is easier this way than managing the endpoints.

                        anthonyhA 1 Reply Last reply Reply Quote 0
                        • anthonyhA
                          anthonyh @JaredBusch
                          last edited by

                          @JaredBusch said in Firewalls & Restricting Outbound Traffic:

                          @scottalanmiller said in Firewalls & Restricting Outbound Traffic:

                          Maybe do some role play... what is the use case where you end up with misconfigured DNS and then want to the person or system with that issue to really go offline completely? Like not just losing some things, but losing patching and monitoring too.

                          I have been down this road before, and yes. If someone was over at Art's Motel and had to set specific DNS setting in order to work right, and then comes back on my network and gets DHCP, but not a DHCP assigned DNS, then I want then to get no where.. Broken.

                          Yes!

                          insert appropriate meme here

                          scottalanmillerS 1 Reply Last reply Reply Quote 0
                          • anthonyhA
                            anthonyh @JaredBusch
                            last edited by

                            @JaredBusch Got it.

                            1 Reply Last reply Reply Quote 0
                            • scottalanmillerS
                              scottalanmiller @JaredBusch
                              last edited by

                              @JaredBusch said in Firewalls & Restricting Outbound Traffic:

                              @anthonyh said in Firewalls & Restricting Outbound Traffic:

                              @scottalanmiller said in Firewalls & Restricting Outbound Traffic:

                              @anthonyh said in Firewalls & Restricting Outbound Traffic:

                              @scottalanmiller said in Firewalls & Restricting Outbound Traffic:

                              @anthonyh said in Firewalls & Restricting Outbound Traffic:

                              @JaredBusch said in Firewalls & Restricting Outbound Traffic:

                              @scottalanmiller said in Firewalls & Restricting Outbound Traffic:

                              @anthonyh said in Firewalls & Restricting Outbound Traffic:

                              @JaredBusch said in Firewalls & Restricting Outbound Traffic:

                              @anthonyh said in Firewalls & Restricting Outbound Traffic:

                              Ok, so perhaps the discussion should be...which ports would you blanket block?

                              1. That's it. And it is blocked on every network I have ever had access to the core router of.

                              You wouldn't want to force DNS at least, too? I'm liking the idea that DNS requests must be made by my DCs. Maybe it's not necessary.

                              Are there cases for that? Okay. But you already control that in other ways. So I'm unclear what benefit you think that this will provide since you are talking about malware, not your users. Does malware looking things up on your DC provide some value to you?

                              You cannot force client DNS 100% of the time to be what you want in a BYOD environment. If DNS control is a desire, blocking DNS at the router is the simpler method.

                              It is unrelated to the blanket blocking discussion as it is a decision the business needs to decide if they need to make or not.

                              What's the difference between blocking DNS at the router vs firewall? The idea being only permitted DNS servers would be allowed to perform DNS requests to the outside world. Everything on the inside would need to use the on premis DNS servers (aka our DCs).

                              RIght, if you allow unmanaged devices onto your network, then it could make sense to use LAN security to control access to DNS. But I'd ask.. why do you let uncontrolled devices onto your network?

                              Basically how I see this is an attempt at LAN based security, while also allowing skipping LAN management for the worst of both worlds mixed together.

                              Where did I say I let unmanaged devices onto my network?

                              That was the reason that Jared suggested for why you'd want to block DNS POrt 53. If you don't have unmanaged things on your network, what would blocking it get for you? It only makes sense if you have unmanaged things on the network.

                              It would force any prospective clients on the network to only be able to use my DNS servers. Sure, everything on the (non-guest) network is managed, and I do my best to keep them all clean, but things happen and I know I'm not the worlds perfect sysadmin.

                              I guess it's dumb after all.

                              My opinion varies from Scott's a bit in that it is easier to block at the router than to deal with DNS control on all devices, even on controlled devices.

                              I appreciate the point. I think it's a moderate point where either way is fine, I just lean the other direction "more often."

                              1 Reply Last reply Reply Quote 1
                              • scottalanmillerS
                                scottalanmiller @anthonyh
                                last edited by

                                @anthonyh said in Firewalls & Restricting Outbound Traffic:

                                @scottalanmiller said in Firewalls & Restricting Outbound Traffic:

                                Maybe do some role play... what is the use case where you end up with misconfigured DNS and then want to the person or system with that issue to really go offline completely? Like not just losing some things, but losing patching and monitoring too.

                                Yes. Our users are terrible at reporting problems. If it just doesn't work, they'll let us know. If it kinda works, we may never hear about it. 😄

                                That makes sense.

                                1 Reply Last reply Reply Quote 0
                                • scottalanmillerS
                                  scottalanmiller @anthonyh
                                  last edited by

                                  @anthonyh said in Firewalls & Restricting Outbound Traffic:

                                  @JaredBusch said in Firewalls & Restricting Outbound Traffic:

                                  @scottalanmiller said in Firewalls & Restricting Outbound Traffic:

                                  Maybe do some role play... what is the use case where you end up with misconfigured DNS and then want to the person or system with that issue to really go offline completely? Like not just losing some things, but losing patching and monitoring too.

                                  I have been down this road before, and yes. If someone was over at Art's Motel and had to set specific DNS setting in order to work right, and then comes back on my network and gets DHCP, but not a DHCP assigned DNS, then I want then to get no where.. Broken.

                                  Yes!

                                  insert appropriate meme here

                                  So you are letting the users manage their own DNS settings? Lots of times you need to, so that's a valid case, I just want to be clear that that is what we are talking about.

                                  anthonyhA 1 Reply Last reply Reply Quote 0
                                  • anthonyhA
                                    anthonyh @scottalanmiller
                                    last edited by

                                    @scottalanmiller said in Firewalls & Restricting Outbound Traffic:

                                    @anthonyh said in Firewalls & Restricting Outbound Traffic:

                                    @JaredBusch said in Firewalls & Restricting Outbound Traffic:

                                    @scottalanmiller said in Firewalls & Restricting Outbound Traffic:

                                    Maybe do some role play... what is the use case where you end up with misconfigured DNS and then want to the person or system with that issue to really go offline completely? Like not just losing some things, but losing patching and monitoring too.

                                    I have been down this road before, and yes. If someone was over at Art's Motel and had to set specific DNS setting in order to work right, and then comes back on my network and gets DHCP, but not a DHCP assigned DNS, then I want then to get no where.. Broken.

                                    Yes!

                                    insert appropriate meme here

                                    So you are letting the users manage their own DNS settings? Lots of times you need to, so that's a valid case, I just want to be clear that that is what we are talking about.

                                    Well, not the users directly. But there may be a case where DNS settings are altered undesirably (by IT, by malicious software, or simply an issue with the OS not flushing stale DNS settings from going off network).

                                    1 Reply Last reply Reply Quote 0
                                    • 1
                                    • 2
                                    • 3
                                    • 4
                                    • 5
                                    • 5 / 5
                                    • First post
                                      Last post