I’ve been using the DNS Filtering to filter out certain websites, some using categories, others using specific domain lists (using in-list). In the logs I can see them in the “BLOCKED” category; however, when I actually went to test one of them, I was still able to access them. I am using the DNS configuration on a Unifi UDM Pro, either with IPv4 configured on the network with custom DNS servers or with the Encrypted DNS option using a custom DNS Stamp to add my DoH endpoint.
Is the DNS location in the Zero Trust dashboard using the same fixed public static IP address, or have you got DHCP from your ISP, while using the assigned IPv4/IPv6 DNS server(s) IP address from your Zero Trust team?
It was blocked by Cloudflare DNS in the screenshot. It’s possible your browser may have a different resolver specified as a fallback. From the command line does a DNS lookup return valid results? Are you blocked in a different browser?
I am using a public static IP (with the UDM Pro as the DNS server for the local network) from the ISP and tried with either IPv4 or DoH. The location is matched in the logs.
Enforcing Secure DNS in the browser from the organization seems to bring in a loop where the browser won’t access the websites due to: ERR_CERT_AUTHORITY_INVALID.
The problem is that I have unmanaged devices where I cannot enforce the Secure DNS, hence relying on Gateway DNS to make sure the requests are blocked.
The original question was about catalog.gamepass.com, which was shown as blocked in the log screenshot. The two subsequent queries are for xbox.com and return identical results for both DoH and normal DNS queries. I get the same results for those, so they aren’t being blocked. It’s unclear from the information provided whether they are expected to be or not.
Correct.
This only works if a device uses your DNS servers. Since a device is unmanaged you can’t guarantee that. It may work in some/most circumstances, but there’s nothing that prevents a user from changing their DNS servers to 8.8.8.8 or configuring a different resolver in applications which support it.
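An added check, not code from the thread or from Cloudflare, for the command-line lookup suggested earlier and for the point above: stdlib-only Python that sends an A query to a chosen resolver and flags a Gateway-style block answer, so the same name can be compared through the Gateway resolver and through 8.8.8.8 from the device in question. It assumes 0.0.0.0 is the Gateway block answer for A records (adjust if your policy serves a block page) and embeds a constructed reply for catalog.gamepass.com so it runs offline.

```python
import socket
import struct

BLOCK_ANSWERS = {"0.0.0.0"}  # assumed Gateway default block answer for A queries

def build_query(name, qid=0x1234):  # minimal wire-format A/IN query, RD bit set
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)

def skip_name(data, off):  # step over a label sequence or a compression pointer
    while data[off] != 0:
        if data[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + data[off]
    return off + 1

def parse_a_records(data):  # -> (rcode, [A addresses]) from a raw DNS response
    _, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", data[:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(data, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = skip_name(data, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return flags & 0x000F, addrs

def looks_blocked(rcode, addrs):  # NXDOMAIN/REFUSED, or every answer is the block sentinel
    return rcode != 0 or (bool(addrs) and all(a in BLOCK_ANSWERS for a in addrs))

def query(name, resolver, timeout=3.0):  # plain UDP/53 lookup through one resolver
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (resolver, 53))
        return parse_a_records(sock.recv(4096))

# Constructed sample: a Gateway-style reply for catalog.gamepass.com answering 0.0.0.0
SAMPLE_BLOCKED_REPLY = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"   # header: QR, RD, RA, 1 question, 1 answer
    b"\x07catalog\x08gamepass\x03com\x00\x00\x01\x00\x01"  # question section
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04\x00\x00\x00\x00"  # answer: A 0.0.0.0, TTL 60
)

if __name__ == "__main__":
    print(looks_blocked(*parse_a_records(SAMPLE_BLOCKED_REPLY)))  # True, no network needed
    # Live check from the device: compare query(name, "<gateway-resolver-ip>") with query(name, "8.8.8.8")
```

If the Gateway resolver reports blocked but the device still reaches the site, the device is not using that resolver for the lookup, which is exactly the unmanaged-device case described above.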
I have a UDM at home and, as much as I enjoy seeing just how many DNS queries my Nest devices make on a daily basis in my Zero Trust logs, I bypass the DNS server configured on my UDM and various routers with my work machine pretty much all the time.