Sunday, March 16, 2025

UniFi Network force DNS over TLS network wide

The post on doing this in OPNSense has been pretty popular, so let's do this with UniFi!  You will need a UniFi gateway and the Network application running version 9 or higher.

DNS is a critical service for the Internet.  Not only every webpage you visit, but much of the content on each website, requires a DNS lookup to find the server where that content is located.  DNS by default is also not encrypted, allowing anyone in your traffic path, such as your ISP, to see every web page you visit even if you are not using their DNS servers.  Because of this, it has become one way of tracking people online.  We do have a few options to at least cut our ISP off from some of our data.  We could use a VPN, but VPNs are not always ideal.  So today I am going to focus on DNS over TLS.  TLS (Transport Layer Security) is the same encryption used to protect websites, and it also lets us verify that the server we are talking to is who we think it is.
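To make the DNS over TLS step concrete, here is a minimal DoT client, added as an example that is not part of the original post or of UniFi's own code: it sends one DNS query inside a certificate-verified TLS session on port 853 (RFC 7858), which is the same exchange the gateway performs toward the predefined resolvers. The resolver address 1.1.1.1 and its certificate name cloudflare-dns.com are assumptions for the demo; substitute the values of the provider you picked.

```python
import socket
import ssl
import struct

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a standard A/IN query: 12-byte header, QNAME labels, QTYPE, QCLASS (txid fixed for reproducibility)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: RD set; one question
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def parse_answers(msg: bytes) -> list[str]:
    """Return the IPv4 strings of the A records in a response message."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    pos = 12
    for _ in range(qdcount):                 # skip the echoed question section
        while msg[pos]:
            pos += msg[pos] + 1
        pos += 5                             # root label + QTYPE + QCLASS
    ips = []
    for _ in range(ancount):
        if (msg[pos] & 0xC0) == 0xC0:        # compression pointer (2 bytes)
            pos += 2
        else:                                # uncompressed owner name
            while msg[pos]:
                pos += msg[pos] + 1
            pos += 1
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in msg[pos:pos + 4]))
        pos += rdlen
    return ips

def query_dot(name: str, server: str, hostname: str, port: int = 853) -> list[str]:
    """Resolve `name` over TLS on port 853, verifying the resolver's certificate against `hostname`."""
    ctx = ssl.create_default_context()       # validates the chain and hostname; no plaintext fallback
    query = build_query(name)
    with socket.create_connection((server, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)   # RFC 7858: 2-byte length prefix
            reader = tls.makefile("rb")
            (length,) = struct.unpack("!H", reader.read(2))
            response = reader.read(length)
    return parse_answers(response)

if __name__ == "__main__":
    # Assumed example resolver: Cloudflare's 1.1.1.1, whose certificate names cloudflare-dns.com.
    print(query_dot("example.com", "1.1.1.1", "cloudflare-dns.com"))
```

Note that the firewall policy built later in this post only catches plain DNS on port 53; a client that runs its own encrypted resolver (port 853 or DNS over HTTPS on 443) is not stopped by that rule.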


In the Network application, open Settings


Near the bottom, let's verify our Network version: 9 adds some new features, including the zone-based firewall that we will be using.









Now that we have verified we are on version 9, let's head to the Security menu on the same page






This shows us the zone-based firewall that we will be using in just a bit; first, go to the Protection tab at the top.




Under Protection, scroll down to Encrypted DNS. Auto works, but Predefined gives us a large list of secure public DNS services to choose from, so let's do that.


Click in the box or Edit to bring up a list of preconfigured secure DNS servers.  Once you have selected your preferred servers, save.




This sets the DNS server on the UniFi gateway to use secure DNS, which is then used by default for all of your networks.  It will not stop software or IoT devices that simply use their own insecure DNS settings, though; for that we need to create a firewall policy.



Go back to the Firewall tab




Select Create Policy at the bottom








Policy
  • Name: give it a meaningful name
  • Source Zone: Internal is the default; if you have more than one internal zone, create a policy for each
  • Action: Block
  • Destination Zone: External
  • Service: DNS

Now that we have created a policy to block unsecured DNS requests from leaving our network, let's check our logs to see what is trying to go around our DNS settings.

System Logs, very bottom left






The Triggers tab is our firewall policy log






Go figure: Google IoT devices trying to use Google DNS directly. You will likely see different results depending on what you have on your network.


