DNS NAT translation not working for newer MacOS

tato386
Level 6

My NAT policies have DNS translation enabled so that queries resolve to internal private IPs of servers when available.  This works fine for PC users, but I have noticed that Macs running Ventura and newer OS resolve the public IP.  On the VLAN with the problem I am using Cisco Umbrella OpenDNS servers.  I believe the Macs are doing encrypted DNS with the OpenDNS servers and the FTD (v7.1) only translates unencrypted DNS queries.  I am assuming that decrypting these DNS queries is not an option and/or fairly difficult, but shouldn't there be an easy way to block Macs from negotiating encrypted DNS and have them fall back to legacy DNS?  The solution needs to be implemented at the firewall level since these are unmanaged Macs.

TIA,

Diego 

9 Replies

Well this is quite odd.  Are the PCs and the Macs on the same subnet?  If you do an nslookup for the domain and specify the internal DNS server, is it successful?

--
Please remember to select a correct answer and rate helpful posts

Yes, they are on the same network.  This drove me crazy for a while.  NSLOOKUP works because I suppose it isn't using encrypted DNS.

But ping and web browsing get public IP and fail.

Why don't you bypass the DNS (encrypted) request from the FTD policy?

Here, even if it is encrypted, it will not be dropped by the FTD.

That is what I am trying to do but I believe DoH uses 443 which I can't block and I can't block the OpenDNS IP addresses either.  I guess maybe a rule to block 443 to OpenDNS and/or rule to allow *only* TCP/UDP 53 to the OpenDNS IPs might work.

What you could do is let the hosts resolve the domain to the public IP using their encrypted DNS, then we know that users will be using the public IP.  This way you can use Destination NAT and translate the public IP of the server to the private IP.  Now, if the Mac and server are on the same subnet, you will have an issue with asynchronous routing to sort out.  If not then all should be good.

--
Please remember to select a correct answer and rate helpful posts

Not sure I wanna add Destination NAT to the equation at this point.  My rule to block everything but TCP/UDP 53 towards the Umbrella servers is not getting any hits.  Maybe I need to get some packet captures from these Macs so I can pinpoint the behavior and create a rule that matches whatever they are doing and block it.  I believe I read somewhere that they might be using their own DNS servers and ignoring the DHCP assigned DNS.

tato386
Level 6

After analyzing traffic I see the Macs using 146.112.41.2 for DNS over HTTP (tcp/443).  And a quick google search shows that these are in fact the Umbrella servers.  Cisco Umbrella Enhances Support of DNS Over HTTPS - Cisco Umbrella

I guess some logic in newer Mac OS says that if DHCP gives me the Umbrella 208 IPs I am going to use the 146 equivalents?  I am simply going to block all traffic to 146.112.41.2 and .3 and see how the Macs respond.


The Umbrella endpoint agent does not utilize DoH. The 146.112.41.2 address is definitely our DoH server though. It's possible that someone has their browser or OS configured to use doh.umbrella.com or these IP addresses. 

Blocking 208.67.22x.22x and 146.112.41.x on UDP and TCP 443 should force devices on the network to fall back to plaintext DNS on UDP 53, which your network device should be able to inspect and NAT. 

tato386
Level 6

So what happened is that I added blocks for TCP/443 to all the popular DNS servers.  As I did that the Mac kept switching to other IPs so I added blocks to those as well and eventually I guess the Mac ran out of DNS servers to send TCP/443 packets to.  Here is my current list of IPs I block TCP/443 to:

Umbrella: 208.67.220.220, 208.67.222.222, 146.112.41.2, 146.112.41.5

Google: 8.8.8.8, 8.8.4.4, 146.112.61.106

Apple: 17.253.2.117

BoltDNS: 3.161.225.92, 3.161.225.120

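The verification step this thread leaves implicit: after adding the 443 blocks, confirm from flow records which clients have actually fallen back to port-53 DNS (which the FTD can inspect and translate) and which are still reaching a resolver on 443 and therefore need another entry in the block list. The Python below is an added example, not code from the thread, from the poster or from Cisco; the flow-record layout and the client addresses are constructed, and the resolver list is the one in the accepted solution.

```python
"""Classify clients as still using encrypted DNS or fallen back to plaintext.

Added example for this thread (not Cisco's or the poster's code). The flow
record layout below is an assumption, not FTD's connection-event format:
    <time> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
"""
from collections import defaultdict

# Resolver IPs from the accepted solution: TCP/443 to these is blocked so the
# Macs cannot use DoH and must fall back to plaintext DNS on port 53.
DOH_RESOLVERS = frozenset({
    "208.67.220.220", "208.67.222.222", "146.112.41.2", "146.112.41.5",  # Umbrella
    "8.8.8.8", "8.8.4.4", "146.112.61.106",                              # listed as Google in the thread
    "17.253.2.117",                                                      # Apple
    "3.161.225.92", "3.161.225.120",                                     # BoltDNS
})

# Constructed sample flows: 10.1.1.20 is a Mac still on DoH (it switched
# resolvers after the first block), 10.1.1.30 is a PC on plain DNS plus
# ordinary web traffic, 10.1.1.40 is a Mac that tried DoH and then fell back.
SAMPLE_FLOWS = """\
10:00:01 TCP 10.1.1.20:51234 -> 146.112.41.2:443
10:00:02 UDP 10.1.1.30:50001 -> 208.67.222.222:53
10:00:03 TCP 10.1.1.30:50002 -> 203.0.113.10:443
10:00:04 TCP 10.1.1.20:51235 -> 8.8.8.8:443
10:00:05 TCP 10.1.1.40:51300 -> 146.112.41.2:443
10:00:06 UDP 10.1.1.40:51301 -> 208.67.222.222:53
"""


def parse_flow(line):
    """Parse one flow line into a dict; ports become ints."""
    time, proto, src, arrow, dst = line.split()
    if arrow != "->":
        raise ValueError(f"unexpected flow line: {line!r}")
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"time": time, "proto": proto.upper(), "src_ip": src_ip,
            "src_port": int(src_port), "dst_ip": dst_ip, "dst_port": int(dst_port)}


def summarize(text, resolvers=DOH_RESOLVERS):
    """Per-client sets of destinations reached on 443 (only when the destination
    is a known resolver, so normal web traffic is ignored) and on 53 (any
    destination). Both TCP and UDP 443 count, matching the Umbrella reply."""
    clients = defaultdict(lambda: {"encrypted": set(), "plaintext": set()})
    for line in text.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        if f["dst_port"] == 53:
            clients[f["src_ip"]]["plaintext"].add(f["dst_ip"])
        elif f["dst_port"] == 443 and f["dst_ip"] in resolvers:
            clients[f["src_ip"]]["encrypted"].add(f["dst_ip"])
    return dict(clients)


def still_encrypted(clients):
    """Clients that reached a resolver on 443 and never sent port-53 DNS:
    for these the block list is incomplete (the "kept switching" case)."""
    return sorted(c for c, s in clients.items()
                  if s["encrypted"] and not s["plaintext"])


def fell_back(clients):
    """Clients seen both ways: they tried encrypted DNS and then used port 53,
    which is the behaviour the 443 blocks are meant to produce."""
    return sorted(c for c, s in clients.items()
                  if s["encrypted"] and s["plaintext"])


if __name__ == "__main__":
    summary = summarize(SAMPLE_FLOWS)
    for client in still_encrypted(summary):
        print(f"{client}: still on encrypted DNS via "
              f"{sorted(summary[client]['encrypted'])}")
    for client in fell_back(summary):
        print(f"{client}: fell back to plaintext DNS")
```

Feed it the per-connection export from the firewall (reformatted to the one-line layout above) before and after changing the access rules: a client that stays in the "still encrypted" set after the change is exactly the one whose 443 destination needs to be added to the list, which is the iteration the accepted answer describes by hand.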
