Savvy users may try to modify their DNS settings to circumvent the environment’s default DNS settings. Most routers and firewalls will allow you to force all DNS traffic over port 53 on the router, thus requiring everyone on the network to use the DNS settings defined on the router, the Lumu DNS servers or your Virtual Appliances.
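Alternatively, create a firewall rule that allows DNS (TCP/UDP) to go only to Lumu servers and blocks DNS traffic to all other IP addresses.
Essentially, add the following two rules, in this order, to the firewall located at the edge of the network:
1. Allow DNS (TCP/UDP, port 53) to the Lumu DNS servers or your Virtual Appliances.
2. Block DNS (TCP/UDP, port 53) to all other IP addresses.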
The first rule takes precedence over the second rule; therefore, any requests going to Lumu (or to a Virtual Appliance) will be allowed, and any DNS requests to any other IP will be blocked.
Depending on your firewall configuration interface, you may need to configure a separate rule for each of these protocols (TCP and UDP) or one rule that covers both of them. The rule can be applied on either the firewall or the router, but it is normally best placed on the device located at the network edge. A similar rule may also be applied to software firewalls installed on a workstation, such as the built-in firewall on Windows or macOS.
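The allow-then-block pair described above, written as an nftables ruleset for a Linux-based edge router. This is an added example, not Lumu's own configuration; the choice of nftables, the table and chain names, and the resolver addresses (placeholders from the RFC 5737 documentation range) are assumptions to replace with your own values.

```nftables
#!/usr/sbin/nft -f
# Added example: enforce DNS egress to approved resolvers only.
# PLACEHOLDER addresses: substitute the Lumu DNS servers or the
# Virtual Appliance IPs assigned to your deployment.
define APPROVED_DNS = { 192.0.2.53, 192.0.2.54 }

table inet dns_enforce {
    chain forward {
        # The forward hook sees traffic routed through this device,
        # i.e. client queries leaving the internal network.
        type filter hook forward priority filter; policy accept;

        # Rule 1 (evaluated first): allow DNS over both UDP and TCP
        # on port 53, but only toward the approved resolvers.
        ip daddr $APPROVED_DNS meta l4proto { tcp, udp } th dport 53 accept

        # Rule 2: any other port-53 traffic, IPv4 or IPv6, is dropped.
        # The counter and log prefix make bypass attempts visible,
        # so hosts with hard-coded resolvers can be identified.
        meta l4proto { tcp, udp } th dport 53 counter log prefix "dns-bypass " drop
    }
}
```

Rules in a chain are evaluated top to bottom, so reversing the two lines would drop queries to the approved resolvers as well. Here one rule covers both protocols; on interfaces that cannot express that, each line becomes a TCP rule and a UDP rule in the same order.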