Allow Public DNS resolution
Adam Bulgatz
Maybe DNS filter could have a per-IP time limit for unregistered IPs? Maybe 12 hours. This would fix some issues with DDNS and let us, for example, register a new Xfinity cable modem (by going to register.xfinity.com) without changing DNS servers.
Brian
We also have a need for this. We have some sites where we use dynamic DNS with a custom domain name; when the IP changes we get in a catch-22 where we can't resolve DNS until the IP change is registered, and we can't change the IP registered until we can resolve DNS.
Bruce
Brian: Does whitelisting the Dynamic DNS domain work?
Brian
Bruce: I haven't tried but I don't see how it could. The whitelist only applies after the service knows it is our account... but I need this to work so that the system knows it is our account. The only solution we found is to set the router DNS to a public server but set the internal DHCP to give out the direct DNS IPs if there is no AD server to relay it through. That means no internal server means no caching, not the end of the world but a PITA.
Mikey @DNSFilter
Hi Brian, you are correct. Without DNS resolution the DDNS update would fail and connections to DNSFilter would not be authorized. We do have most DDNS domains coded to always be allowed whether the IP is authorized or not. What DDNS service do you currently utilize so we can make sure their update domains are present?
Brian
Mikey @DNSFilter: We use dyn.com's service but with a custom domain; once you get into larger numbers of domains it's cheaper and easier to do it this way. I'm happy to give you the domain we use if you're willing to add it, but it would be specific to us.
Daniel Oquendo
I feel the need to ask this. Are you asking for a public DNS resolution that doesn't have any of the features except 1 or 2 things (i.e. No Malware Site blocks) and just let it auto anything that is also anyone can use unrestricted?
Karik Hill
Daniel Oquendo: Yes, although I guess the next question is "how do we know a site is in this mode?" It would need to be coupled with a "Site Alert" of some sort where we get a dashboard alert if no traffic from site / relay (RCs that belong to site excluded) over 24 hours or something similar. That brings up another related point: I notice sites stay green even if the only traffic behind them is RC only. I believe that this should not be the case.