2 Replies Latest reply on Feb 18, 2016 3:39 AM by anas 14

    Blocking DNS Resolving On Clients'

    anas 14

      Hello All,

       

      We want to block DNS nslookup queries for all external websites on our clients' machines and let the proxy do the resolving for external websites to avoid DNS changers' queries. Can anything be done on our proxy (MWG)?

       

      Thanks

      Anas

        • 1. Re: Blocking DNS Resolving On Clients'
          asabban

          Hello,

           

          Is MWG deployed in transparent or explicit proxy mode?

           

          If MWG is deployed in transparent mode, the client performs all DNS queries and simply tries to connect to the IP address, which is then intercepted by MWG. If you are using transparent mode, you cannot forbid DNS on the clients.

           

          If MWG is deployed in explicit proxy mode, the proxy can make all the DNS lookups for requested web sites. In such a case the client is talking directly to the name server, rather than sending DNS queries through MWG, so you cannot block them on the MWG side but you have to restrict them on a firewall.

           

          Most likely it doesn't make sense to completely block DNS, since you most likely require DNS for internal communication (such as Active Directory, etc.). Probably it is better to configure the client to use a name server which is able to resolve all internal resources but does not provide a forwarder to look up external resources, such as web sites.

           

          On MWG you will need to configure a name server that can do DNS lookups for external web sites, of course. If you are accessing internal resources as well or use authentication such as NTLM, MWG will also have to look up internal resources.

           

          Best,

          Andre

          • 2. Re: Blocking DNS Resolving On Clients'
            anas 14

            Many thanks asabban for your prompt reply,

             

            Actually MWG is deployed as a direct proxy,

            So the modifications will be done on our firewalls and DNSs, makes sense.

             

            Thanks

            Anas
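
The firewall restriction discussed in this thread can be checked from the firewall's own logs. The following is an added example, not part of the original posts and not McAfee code: it flags clients that still send DNS directly to external name servers, which is what a DNS changer would cause. The addresses, the key=value log format, and the assumption that only the proxy resolves externally are all hypothetical.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed addressing (hypothetical, not from the thread).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# In this sketch only the proxy may send DNS to external name servers.
EXTERNAL_DNS_ALLOWED = {ipaddress.ip_address("10.0.0.80")}

# Constructed firewall log lines in an assumed key=value format.
SAMPLE_LOG = """\
2016-02-18T03:10:01 action=allow proto=udp src=10.1.2.15 dst=10.0.0.53 dport=53
2016-02-18T03:10:02 action=allow proto=udp src=10.0.0.80 dst=198.51.100.7 dport=53
2016-02-18T03:10:05 action=deny proto=udp src=10.1.2.44 dst=203.0.113.9 dport=53
2016-02-18T03:10:06 action=deny proto=tcp src=10.1.2.44 dst=203.0.113.9 dport=53
2016-02-18T03:10:09 action=allow proto=udp src=10.1.2.77 dst=192.0.2.53 dport=53
2016-02-18T03:10:11 action=allow proto=tcp src=10.1.2.15 dst=10.0.0.80 dport=9090
garbage line without fields
"""

FIELD = re.compile(r"(\w+)=(\S+)")

def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)

def audit_dns(log_text):
    """Map client IP -> [(external resolver, proto, action)] for direct external DNS."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if f.get("dport") != "53" or f.get("proto") not in ("udp", "tcp"):
            continue  # not DNS traffic
        try:
            src = ipaddress.ip_address(f["src"])
            dst = ipaddress.ip_address(f["dst"])
        except (KeyError, ValueError):
            continue  # malformed line
        if is_internal(dst) or src in EXTERNAL_DNS_ALLOWED:
            continue  # internal resolver query, or the proxy resolving a web site
        findings[str(src)].append((str(dst), f["proto"], f.get("action", "unknown")))
    return dict(findings)

def firewall_gaps(findings):
    """Clients whose external DNS was allowed, i.e. the firewall rule is missing."""
    return sorted(c for c, hits in findings.items() if any(a == "allow" for _, _, a in hits))

if __name__ == "__main__":
    result = audit_dns(SAMPLE_LOG)
    for client, hits in sorted(result.items()):
        print(client, hits)
    print("firewall still allows external DNS from:", firewall_gaps(result))
```

Denied entries point at clients whose DNS settings have been changed and need cleanup; allowed entries point at a firewall rule that still lets clients bypass the internal name server.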