Thursday, December 18, 2025

DNS Lockdown on Unifi UDM Pro and AD

Block DNS over HTTPS and force use of UDM-defined DNS server exclusively

Updated 19-Dec-2025. Version: Unifi OS 4.4.6, Network 10.0.162

Part 1. Unifi Configuration

Step 1: Cybersecure settings

    Cybersecure > Protection

        Encrypted DNS: Predefined

        Select Cloudflare-family and NextDNS

    Cybersecure > Traffic Logging

        Flow Logging: All

        Check Gateway DNS

        Check Unifi Services

    Cybersecure > Content Filter

        Select Default Content Filter

        To the Blocklist, add these domains:

            edge.microsoft.com

            dns.google

            chrome.cloudflare-dns.com

            doh.opendns.com

            cloudflare-dns.com

            mozilla.cloudflare-dns.com

            dns.quad9.net

Step 2: Create a list of DoH resolver IP addresses to block

    Settings > Overview > Network Lists

        Name: DoH Bypass IPs

        Add these addresses:

            1.1.1.1

            1.0.0.1

            1.1.1.2

            1.0.0.2

            1.1.1.3

            1.0.0.3

            8.8.8.8

            8.8.4.4

            208.67.222.222

            208.67.220.220

            9.9.9.9

            149.112.112.112


Step 3: Firewall Rules

    Settings > Policy Table

        1. Block QUIC (UDP/443, so DoH cannot ride on HTTP/3; browsers fall back to TCP)

            Source: Internal/Any

            Action: Block

            Dest: External/Any

            Port: HTTPS (443)

            IP Version: Both

            Protocol: UDP

        2. Block Port 853 (DNS over TLS)

            Source: Internal/Any

            Action: Block

            Dest: Any

            Port: Specific: DNS-TLS (853)

            IP: Both

            Protocol: All

        3. Block IPv6 Out (the DoH Bypass IPs list is IPv4 only, so this closes the IPv6 path to the same resolvers)

            Source: Internal/Any

            Action: Block

            Dest: External/Any

            Port: Any

            IP Version: IPv6

        4. Block Canary Domain (Firefox's DoH canary)

            Source: Internal/Any

            Action: Block

            Dest: Domain

            Domain name: use-application-dns.net

            Port: Any

        5. Block DoH Providers

            Source: Internal/Any

            Action: Block

            Dest: External / IP / List (select the "DoH Bypass IPs" list created in Step 2)

            Port: Any

        6. Allow ICMP Ping (so you can still ping 8.8.8.8 for testing)

            Source: Internal/Any

            Action: Allow

            Dest: Any

            IP Version: IPv4

            Protocol: Custom / ICMP / Any


Part 2. Group Policy / AD Configuration. Disable DoH in Edge.

Step 1: Log in to your DC and close GPMC if it is open (the new templates are only read when GPMC starts)

Step 2: Get Edge Admin templates for AD and install on your DC

Go to the Edge for Business Page.

Scroll down to the "Windows 64-bit" download button.

Under that, click on "Download Windows 64-bit policy".

It is a .cab file. Open it. Inside is a .zip file. Open that.

Put the .admx files in C:\Windows\PolicyDefinitions. If you have more than one DC, Google where to put the files so all of your DCs can find them.

Put the .adml files in C:\Windows\PolicyDefinitions\en-US

Step 3: Start GPMC

Create a new policy named "Block DNS over HTTPS".

Go to Computer Configuration > Policies > Administrative Templates > Microsoft Edge.

Set "Control the mode of DNS-over-HTTPS" to Enabled and choose "Disable DNS-over-HTTPS".

Part 3. Test

Go to https://test.nextdns.io (should not show anything about DoH)

Go to https://1.1.1.1/help (should fail completely)
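A client-side check for the same lockdown, added here as an example and not part of the original post: it builds a raw DNS query, then tries it as plain UDP/53 to 8.8.8.8 (rule 5), as a DoH GET to cloudflare-dns.com (content filter blocklist), and as a TCP handshake to 1.1.1.1:853 (rule 2), while the same query to the gateway should still be answered. The gateway address 192.168.1.1 is an assumed placeholder; replace it with the UDM's LAN address.

```python
import base64, socket, struct, urllib.request

def build_query(name, qtype=1, txid=0x1234):
    """Minimal DNS query in wire format: header with RD=1, QNAME, QTYPE, QCLASS=IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)

def parse_header(resp):
    """Decode the 12-byte DNS header: transaction id, QR bit, RCODE, answer count."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    return {"txid": txid, "is_response": bool(flags & 0x8000), "rcode": flags & 0xF, "answers": an}

def udp_query(server, name, timeout=2.0):
    """Plain DNS over UDP/53; None means nothing came back (timed out or unreachable)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server, 53))
        try:
            return parse_header(sock.recvfrom(512)[0])
        except OSError:  # socket.timeout is an OSError; so is an ICMP port-unreachable
            return None

def doh_url(name, server="cloudflare-dns.com"):
    """RFC 8484 GET form: the same wire query, base64url-encoded with padding stripped."""
    param = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode()
    return f"https://{server}/dns-query?dns={param}"
def doh_reachable(name, timeout=3.0):
    """True only if the public DoH resolver answers; the blocklisted domain should stop it."""
    req = urllib.request.Request(doh_url(name), headers={"Accept": "application/dns-message"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return parse_header(resp.read())["is_response"]
    except (OSError, struct.error):  # URLError/HTTPError are OSError subclasses
        return False

def dot_reachable(server="1.1.1.1", timeout=2.0):
    """True if a TCP handshake to port 853 (DNS over TLS) completes; rule 2 should block it."""
    try:
        socket.create_connection((server, 853), timeout=timeout).close()
        return True
    except OSError:
        return False

def check_lockdown(gateway="192.168.1.1", name="example.com"):  # gateway: constructed placeholder
    """Expected after Part 1: only the gateway answers and every bypass path fails."""
    gw = udp_query(gateway, name)
    return {"gateway_answers": bool(gw and gw["is_response"]),
            "public_udp53_blocked": udp_query("8.8.8.8", name) is None,
            "dot_853_blocked": not dot_reachable(), "doh_blocked": not doh_reachable(name)}
```

Run `check_lockdown()` from a LAN client; every value should be True once the rules are active.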



Thursday, November 27, 2025

MSP Open Service Initiative, OpenUEM, and MeshCentral

The Open Service Initiative is all about providing truly free, open-source tools and complete platforms to MSPs: AGPLv3-, MIT- and Apache 2-licensed tooling.

https://github.com/Open-Service-Initiative

OpenUEM is an open-source Unified Endpoint Manager that is multi-tenant and self-hosted, and lets you manage your IT assets through its agents.


MeshCentral: the open-source, multi-platform, self-hosted, feature-packed web site for remote device management.

Penpot open source website prototyping

Penpot is the open-source alternative to Figma. (Figma is a cloud-based design and prototyping tool for websites.)

Thursday, October 23, 2025

Video editing Software

IVS Edit has a free and a pro version. The free version is feature-rich and probably enough for most people.

Wednesday, April 16, 2025

PowerShell

Connect to your 365 instance.

You always have to connect first. PowerShell ISE can't be used; if you try, you'll get a "A window handle must be configured" error. Use regular PowerShell.

Here's an example of connecting, then removing a user's auto-reply.

PS C:\> Import-Module ExchangeOnlineManagement

PS C:\> Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

PS C:\> # Show the mailbox's current auto-reply settings
PS C:\> Get-MailboxAutoReplyConfiguration -Identity user@contoso.com

PS C:\> # Turn the auto-reply off and clear both messages
PS C:\> Set-MailboxAutoReplyConfiguration -Identity user@contoso.com -AutoReplyState Disabled
PS C:\> Set-MailboxAutoReplyConfiguration -Identity user@contoso.com -ExternalMessage $null
PS C:\> Set-MailboxAutoReplyConfiguration -Identity user@contoso.com -InternalMessage $null

Monday, September 16, 2024

DiskGenius and Hasleo Backup

DiskGenius is an all-in-one utility for disk partition management, OS migration and file recovery.

https://www.diskgenius.com/


Hasleo offers completely free backup and cloning. This free one even does Windows Server, which is rare.

https://www.easyuefi.com/

Thursday, August 29, 2024

Network apps: Network Notepad, Glasswire

Network Notepad, for creating network diagrams. Free and paid versions, with some unique features.

Glasswire. Personal Firewall and Network Monitor. Great visibility into the network activity on your PC, even with the free version.

