What is DNS Security and how to create DNS security rules
Meter offers DNS security as an included feature in your Meter subscription; it can be used at no additional cost.
DNS security allows you to deny or allow certain categories, domains, or applications.
By default, DNS security does not deny anything. If you would like to add denies for your organization, rules can be created under Firewall > DNS security by clicking ‘Add DNS security rule’.
This expands a menu on the right-hand side where you can create your first rule. Each rule has the following fields:
Enabled - Toggle the rule on or off.
Name - Give the rule a name that is meaningful to you.
Action - Choose whether to allow or deny the selection.
VLAN - Pick the VLAN this rule applies to.
Rule type - Category, domain or application.
In this example, we deny the ‘Malware’ category on the private VLAN.
Once the rule is added, you will see the rule listed in the DNS security window.
When and how to use an ‘Allow’ rule
In certain cases, domains or applications may be miscategorized and denied when that is not the intent. If you come across one of these, please report it to Meter support so we can work on correcting the categorization.
Until the categorization issue is resolved, you can use an ‘Allow’ rule to ensure that users in your organization are not denied.
Using the above example - let's say ‘https://www.malwarebytes.com/’ is mistakenly denied. A rule to permit this traffic would look like the one below.
Order of rules
Rules are read line-by-line and the first matching rule is selected. When adding an ‘Allow’ rule, ensure it is listed before any ‘Deny’ rule that would otherwise match the same traffic. This ensures the ‘Allow’ rule is read before the ‘Deny’ rule, so the traffic is not denied. Using the above example, here is what the list would look like:
Use the arrows on the left-hand side to re-order the rules in your list.
Wildcard Usage
The '*' character can be used to Allow or Deny all subdomains. For example, to allow all meter.com subdomains the domain entered would look like this:
*.meter.com
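As an added illustration of the first-match ordering and wildcard matching described above (example code, not Meter's own implementation), the following evaluator assumes rules are checked top to bottom, that a domain rule matches the exact name, and that ‘*.meter.com’ matches subdomains but not the bare apex; the category table and rule names are constructed sample data.

```python
from dataclasses import dataclass

# Constructed stand-in for the categorization lookup. Meter's real categories come
# from its own service; "www.malwarebytes.com" is deliberately tagged Malware here
# to mirror the miscategorization example in the article.
SAMPLE_CATEGORIES = {
    "www.malwarebytes.com": "Malware",
    "evil.example": "Malware",
    "docs.meter.com": "Business",
}

@dataclass
class Rule:
    name: str
    action: str          # "allow" or "deny"
    vlan: str            # rule only applies to lookups from this VLAN
    rule_type: str       # "category" or "domain" (application rules not modelled)
    value: str           # category name or domain pattern
    enabled: bool = True

def domain_matches(pattern: str, host: str) -> bool:
    """Exact match, or subdomain match for a leading '*.' wildcard (assumed semantics)."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # "*.meter.com" -> ".meter.com" suffix
    return host == pattern

def rule_matches(rule: Rule, host: str, vlan: str) -> bool:
    if not rule.enabled or rule.vlan != vlan:
        return False
    if rule.rule_type == "domain":
        return domain_matches(rule.value, host)
    if rule.rule_type == "category":
        return SAMPLE_CATEGORIES.get(host.lower().rstrip(".")) == rule.value
    return False

def evaluate(rules, host: str, vlan: str):
    """Return (action, rule name) for the first matching rule; with no match nothing is denied."""
    for rule in rules:
        if rule_matches(rule, host, vlan):
            return rule.action, rule.name
    return "allow", None
```

Swapping the order of an ‘Allow’ domain rule and a ‘Deny’ category rule in the list passed to `evaluate` changes the outcome for the miscategorized domain, which is the ordering point made above.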
Identifying a Domain Category
When creating a domain rule, the domain's category is shown in the 'Details' section.
An Important Note about DNS Security
Once you add a DNS security rule for a VLAN, the Meter Security Appliance will automatically begin denying DNS lookups from that VLAN to any DNS server other than the DNS server running on the Meter Security Appliance for that VLAN.
If you have any devices using a static DNS entry such as ‘8.8.8.8’, DNS lookups from those devices will no longer function. This is the intended behavior, as it prevents client devices from getting around the DNS security rules.
If you need these devices to continue to function, please contact Meter Support for assistance in creating the required firewall rules.