Thursday, December 18, 2025

DNS Lockdown on Unifi UDM Pro and AD

Block DNS over HTTPS and force use of UDM-defined DNS server exclusively

Updated 19-Dec-2025. Version: Unifi OS 4.4.6, Network 10.0.162

Part 1. Unifi Configuration

Step 1: Cybersecure settings

    Cybersecure > Protection

        Encrypted DNS: Predefined

        Select Cloudflare-family and NextDNS

    Cybersecure > Traffic Logging

        Flow Logging: All

        Check Gateway DNS

        Check Unifi Services

    Cybersecure > Content Filter

        Select Default Content Filter

        To the Blocklist, add these domains:

            edge.microsoft.com

            dns.google

            chrome.cloudflare-dns.com

            doh.opendns.com

            cloudflare-dns.com

            mozilla.cloudflare-dns.com

            dns.quad9.net

Step 2: Create a list of DoH resolver IP addresses to block

    Settings > Overview > Network Lists

        Name: DoH Bypass IPs

        Add these addresses:

            1.1.1.1

            1.0.0.1

            1.1.1.2

            1.0.0.2

            1.1.1.3

            1.0.0.3

            8.8.8.8

            8.8.4.4

            208.67.222.222

            208.67.220.220

            9.9.9.9

            149.112.112.112

Step 3: Firewall Rules

    Settings > Policy Table

        1. Block QUIC

            Source: Internal/Any

            Action: Block

            Dest: External/Any

            Port: HTTPS (443)

            IP Version: Both

            Protocol: UDP

        2. Block Port 853 (DNS over TLS)

            Source: Internal/Any

            Action: Block

            Dest: Any

            Port: Specific: DNS-TLS (853)

            IP: Both

            Protocol: All

        3. Block IPv6 Out

            Source: Internal/Any

            Action: Block

            Dest: External/Any

            Port: Any

            IP Version: IPv6

        4. Block Canary Domain

            Source: Internal/Any

            Action: Block

            Dest: Domain

            Domain name: use-application-dns.net

            Port: Any

        5. Block DoH Providers

            Source: Internal/Any

            Action: Block

            Dest: External / IP / List (select the "DoH Bypass IPs" list created in Step 2)

            Port: Any

        6. Allow ICMP Ping (so you can still ping 8.8.8.8 for testing)

            Source: Internal/Any

            Action: Allow

            Dest: Any

            IP Version: IPv4

            Protocol: Custom / ICMP / Any


Part 2. Group Policy / AD Configuration. Disable DoH in Edge.

Step 1: Log in to your DC and close GPMC if it is open (it only reads new templates at startup)

Step 2: Get Edge Admin templates for AD and install on your DC

Go to the Edge for Business Page.

Scroll down to the "Windows 64-bit" download button.

Under that, click "Download Windows 64-bit policy".

It is a .cab file. Open it. Inside is a .zip file. Open that.

Put the .admx files in C:\Windows\PolicyDefinitions. If you have more than one DC, look up where to put the files so that all of your DCs can find them.

Put the .adml files in C:\Windows\PolicyDefinitions\en-US

Step 3: Start GPMC

Create a new policy named "Block DNS over HTTPS".

Go to Computer config > Policies > Administrative Templates > Microsoft Edge

Control the Mode of DNS-over-HTTPS: Enabled / "Disable DNS-over-HTTPS"

Part 3: Test

Go to https://test.nextdns.io (should not show anything about DoH)

Go to https://1.1.1.1/help (should fail completely)
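The two browser checks above can be scripted from a domain-joined Windows client. The script below is an added example, not part of the original post: it exercises firewall rules 2, 4, 5 and 6 from Part 1 and the Edge policy from Part 2, and it assumes the Edge GPO lands in the registry as the machine-level DnsOverHttpsMode value set to "off" and that the client's only resolver is the UDM.

```powershell
# Added verification script (not from the original post). Run after the Unifi rules
# are in place and the GPO has applied (gpupdate /force). Assumptions: Edge's DoH
# policy appears under HKLM\SOFTWARE\Policies\Microsoft\Edge as DnsOverHttpsMode,
# and the addresses/domains are the ones used in the post.
$results = [System.Collections.Generic.List[object]]::new()
function Add-Check {
    param([string]$Name, [bool]$Pass, [string]$Detail)
    $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

# Rule 2: DNS over TLS (TCP 853) to a public resolver must be blocked
$dot = Test-NetConnection -ComputerName 9.9.9.9 -Port 853 -WarningAction SilentlyContinue
Add-Check 'Block DoT (853)' (-not $dot.TcpTestSucceeded) "TCP 853 to 9.9.9.9 open: $($dot.TcpTestSucceeded)"

# Rule 5: HTTPS to a DoH provider IP must fail (same check as visiting https://1.1.1.1/help)
try   { Invoke-WebRequest -Uri 'https://1.1.1.1/help' -TimeoutSec 5 -UseBasicParsing | Out-Null; $dohOpen = $true }
catch { $dohOpen = $false }
Add-Check 'Block DoH providers' (-not $dohOpen) "HTTPS to 1.1.1.1 reachable: $dohOpen"

# Rule 4: the canary domain must not be reachable
$canary = Test-NetConnection -ComputerName use-application-dns.net -Port 443 -WarningAction SilentlyContinue
Add-Check 'Block canary domain' (-not $canary.TcpTestSucceeded) "TCP 443 to use-application-dns.net open: $($canary.TcpTestSucceeded)"

# Rule 6: ICMP to 8.8.8.8 is still allowed for testing
$ping = Test-Connection -ComputerName 8.8.8.8 -Count 1 -Quiet
Add-Check 'Allow ICMP ping' $ping "Ping 8.8.8.8 succeeded: $ping"

# Ordinary resolution through the configured (UDM) resolver must still work
$resolved = $null -ne (Resolve-DnsName -Name microsoft.com -Type A -ErrorAction SilentlyContinue)
Add-Check 'Local DNS works' $resolved "Resolve microsoft.com via configured resolver: $resolved"
$servers = (Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object ServerAddresses).ServerAddresses | Sort-Object -Unique
Add-Check 'Resolver list' $true "Configured resolvers (should be only the UDM): $($servers -join ', ')"

# Part 2 GPO: Edge DoH mode pushed as a machine policy (assumed registry mapping)
$edge = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Edge' -Name DnsOverHttpsMode -ErrorAction SilentlyContinue
Add-Check 'Edge DoH policy' ($edge.DnsOverHttpsMode -eq 'off') "DnsOverHttpsMode = '$($edge.DnsOverHttpsMode)'"

$results | Format-Table -AutoSize
```

The QUIC rule (UDP 443) is not covered here because a plain TCP probe cannot exercise it; the browser test at test.nextdns.io remains the practical check for that one.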
