NAT mode SSID feature to prevent DNS work-around

Hello,

I'm actually offering filtered Internet access for my customers using specific DNS.

I need to create a rule that will block any DNS requests that don't match the IPs of my DNS servers.

The “DNS override” allows the access point to intercept the Wi-Fi user terminal DNS request, and force it to go to another DNS than the one requested by the client.

Meraki have already implemented it with the NAT mode SSID:

“When an SSID is configured in “NAT mode”, wireless clients will point to the access point (AP) as their DNS server. The AP then acts as a DNS proxy, and will forward clients’ DNS queries to its configured DNS server.”

This is typically used to forward NAT mode SSID clients to a DNS server with custom content filtering.

Configuring Custom DNS for an SSID in NAT Mode - Cisco Meraki

Is there no way to have the same thing implemented on Cambium products?

Thanks in advance.

Regards,

Thomas

@Thomas_Conti

You can do it in Cambium APs too as below:

  1. Configure VLAN Interface

  2. Configure DHCP Pool for above VLAN interface with your local DNS servers

  3. Configure above VLAN in WLAN, so that clients get IP and DNS configured in above DHCP pool

Hope your query is answered.

Thank you.

1 Like

Hello @CAM_TSK

Unfortunately, we cannot block any specific DNS addresses using this method.

We can only force the DNS proxy by using this option, but that doesn’t block a third-party DNS address that can be set on the newest Android devices.

I deliver DNS addresses using the DHCP pool.

But I cannot block the user if he is using a manually configured DNS address.

Currently I have not found a workaround for this.

Regards,

Thomas

@Thomas_Conti

If you are aware of the IP of the DNS servers, please configure an IP ACL in the WLAN profile as below:

Please let me know if this works for you.

Thank you.

I wonder if content-filtering via DNS is going to become less useful in the future, with the rise of DNS-over-HTTPS, VPNs, and so on.

1 Like
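
As an added example (not from the thread, and not Cambium ACL syntax): a Python model of the first-match allow-list ACL suggested above, evaluated over constructed flows. The resolver addresses are placeholder assumptions, and also covering DNS-over-TLS on port 853 goes beyond what the thread mentions; the last flow shows the DNS-over-HTTPS gap raised in the final post.

```python
import ipaddress

# Assumption: placeholder addresses standing in for the operator's filtering resolvers.
ALLOWED_DNS = ["192.0.2.53", "192.0.2.54"]
ANY = ipaddress.ip_network("0.0.0.0/0")

def build_acl(resolvers, dns_ports=(53, 853)):
    """Ordered rules: permit DNS to approved resolvers, deny DNS to anyone else."""
    rules = []
    for port in dns_ports:
        for proto in ("udp", "tcp"):
            for ip in resolvers:
                rules.append(("allow", proto, ipaddress.ip_network(ip + "/32"), port))
            rules.append(("deny", proto, ANY, port))
    # Everything that is not DNS on the listed ports passes through.
    rules.append(("allow", "any", ANY, None))
    return rules

def evaluate(rules, proto, dst_ip, dst_port):
    """Return the action of the first rule that matches the flow."""
    dst = ipaddress.ip_address(dst_ip)
    for action, r_proto, net, port in rules:
        if r_proto in ("any", proto) and dst in net and port in (None, dst_port):
            return action
    return "deny"  # implicit deny if nothing matched

# Constructed sample flows: (description, protocol, destination IP, destination port)
FLOWS = [
    ("DHCP-assigned resolver", "udp", "192.0.2.53", 53),
    ("manually configured resolver", "udp", "8.8.8.8", 53),
    ("manual resolver, TCP fallback", "tcp", "8.8.8.8", 53),
    ("DNS-over-TLS to public resolver", "tcp", "1.1.1.1", 853),
    ("DNS-over-HTTPS to public resolver", "tcp", "1.1.1.1", 443),
]

def audit(flows, resolvers=ALLOWED_DNS):
    """Map each flow description to the ACL decision."""
    rules = build_acl(resolvers)
    return {name: evaluate(rules, proto, ip, port) for name, proto, ip, port in flows}

if __name__ == "__main__":
    for name, action in audit(FLOWS).items():
        print(f"{action:5}  {name}")
```

The DoH flow is allowed because, at the IP/port layer, it is ordinary HTTPS; an ACL like this cannot tell it apart from web traffic.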