Sequence of events - DNS resolution or port blocking?

EnthusiastXYZ

What is the rough sequence of events when a router client is trying to access an IP address? If a client is trying to access domain google.com over port 80 and both google.com domain + outbound port 80 are blocked, then what happens first - domain resolution/blocking or port access/blocking?
 
I'll use an analogy for you. Let's say I want to go to McDonalds. What step would be first, figuring out where it's located or going through the drive thru?

If you don't know what IP to query port 80 on, you'll need to do the lookup for that first. All traffic works off IP, so any name resolution has to occur before you can actually send data to the location. So in your case if your name resolution fails to resolve, then the second event would never even occur because you don't know where to go. Back to the analogy you can't go through the drive thru if you can't find the building.
 
That's what I was thinking, but I set all devices to use my local DNS server, which I set (as a temporary test) to block all addresses. The log of that DNS server did show that all query attempts were blocked. If all query attempts were blocked and querying was taking place before using whichever port, then the router log would not show any dropped ports, but it did... How was that possible? Maybe some devices were trying to directly connect to whichever DNS server, skipping my local DNS server, but outbound port 53 was blocked, and the router reported all outbound packets dropped for port 80 (HTTP), none for port 53 (plaintext DNS). Why would those devices try to use port 80 if they weren't able to resolve the IP address over local DNS server (which had all domains blocked)?
 
Google dns over tls and dns over https ... and maybe ask Ratched to give a basic networking seminar to the ward.
 
Google dns over tls and dns over https ... and maybe ask Ratched to give a basic networking seminar to the ward.
My local DNS server already uses DNS-over-HTTPS via TCP port 443 SDNS stamp address that does not require bootstrapping via UDP port 53. Outbound port 53 is blocked completely to prevent any plaintext DNS resolution.
 
DNS doesn't use port 80.

Google defaults to HTTPS 443 these days I believe.

To answer your question, your local DNS server would provide the client with the IP address for Google.com and the client would then attempt to connect to that IP address.

You have numerous mechanisms to restrict or control this behaviour at different stages.

1. The local DNS proxy - for example a router - could block access to google.com within web content filtering functionality. If DNS does not return an IP, client doesn't connect.
2. A traffic-aware edge firewall (such as a Cisco Meraki Firewall etc) could block this traffic even if not serving DNS.
3. An external recursive DNS service such as Cisco Umbrella could block access to Google.com
4. If you know the IP address for Google (not likely because it will change) you could block that at firewall level.
5. You could block specific port(s) but in order to be targeted that brings us back to point 4. Realistically if you block port 80 or all traffic to that IP it's the same result from a browsing perspective.

As to what measures are appropriate really depends on your environment. If clients can change their own DNS servers then you'll likely want to use 2 or combine 3 with firewall rules to prevent the use of other recursive DNS servers.
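The ordering described in the replies above (resolve the name first, then send traffic to the returned address, with the router's port rule only ever seeing the second step) can be checked with a small model. This is an added example, not code from anyone in the thread; the domain blocklist, the router's port rules, the address table and the log formats are all constructed for it. The `known_addr` parameter models a client that already holds an address for the name, which is an assumption used to show why the router can log port 80 drops while the local DNS log shows every query blocked.

```python
# Added example: a minimal model of the client's order of operations.
# Everything below (addresses, blocklists, log lines) is constructed.
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed stand-in for public DNS so the example runs offline.
STATIC_DNS = {
    "google.com": "192.0.2.10",    # documentation-range placeholder, not a real answer
    "example.org": "192.0.2.20",
}


@dataclass
class Network:
    """Local resolver policy plus the router's outbound TCP port rules."""
    dns_blocked: set[str]                      # domains the local DNS server refuses
    ports_blocked: set[int]                    # outbound TCP ports the router drops
    dns_log: list[str] = field(default_factory=list)
    fw_log: list[str] = field(default_factory=list)


def local_resolve(name: str, net: Network) -> str | None:
    """Stage 1: the local DNS server. Logs every query; returns None when blocked."""
    if name in net.dns_blocked:
        net.dns_log.append(f"BLOCKED query {name}")
        return None
    addr = STATIC_DNS.get(name)
    net.dns_log.append(f"ANSWER {name} -> {addr}")
    return addr


def router_forward(addr: str, port: int, net: Network) -> bool:
    """Stage 2: the router's outbound rule check on the first packet to addr:port."""
    if port in net.ports_blocked:
        net.fw_log.append(f"DROP out tcp {addr}:{port}")
        return False
    net.fw_log.append(f"ACCEPT out tcp {addr}:{port}")
    return True


def client_connect(name: str, port: int, net: Network,
                   known_addr: str | None = None) -> str:
    """Run the stages in the order a client performs them.

    known_addr (assumption for the example) models a client that already has
    an address for the name: a cached answer, a hard-coded IP, or an answer it
    obtained from a resolver other than the local one, e.g. over DNS-over-HTTPS
    as suggested in the thread. Such a client never asks the local DNS server,
    so stage 1 leaves nothing in dns_log and the router sees the packet directly.
    """
    addr = known_addr if known_addr else local_resolve(name, net)
    if addr is None:
        return "dns_blocked"      # no address: no packet is ever sent to port 80
    return "connected" if router_forward(addr, port, net) else "port_blocked"


def demo() -> dict[str, str]:
    """Reproduce the three situations discussed in the thread."""
    net = Network(dns_blocked={"google.com"}, ports_blocked={80})
    results = {
        # DNS blocked: the router never sees a port-80 packet for this name.
        "dns_only": client_connect("google.com", 80, net),
        # Client already knows the address: only the router's port rule fires.
        "bypassed_local_dns": client_connect("google.com", 80, net, known_addr="192.0.2.10"),
        # Neither control applies: ordinary connect.
        "allowed": client_connect("example.org", 443, net),
    }
    return results


if __name__ == "__main__":
    print(demo())
```

Running the model shows the asymmetry from the original question: a DNS-blocked name produces a DNS log entry and no firewall entry, while a client that skips the local resolver produces a firewall drop and no DNS entry. If a router log shows port-80 drops during a period when the local DNS server blocked every query, the clients behind those drops obtained their addresses without asking that server.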
 