If only the internal DNS server is allowed to reach public port 53, does that also give employee computers internet access?

DNS resolution and web access are separate traffic flows. Allowing recursive DNS does not automatically open ports 80 or 443, but endpoint gateways, proxies, DoH, and other egress paths must still be checked.

1. Conclusion and scope

Prepare the client and server versions, domain membership, DNS and gateway settings, network location, full error text, event timestamps, and recent changes. The reserved example domain corp.example is used throughout; no customer domain, IP address, account, or device identifier is included.

This issue falls under Network, VPN and firewall. Logs and configuration can often be collected remotely first. Bulk permission changes, switch-path work, production cutovers, and recovery drills should use a controlled implementation window.

2. Symptoms and environment

• Capture the complete error text, event-log timestamp, and failed action rather than relying on a verbal description.
• Record the affected scope, first occurrence, reproducibility, and whether the result changes on another subnet.
• If a firewall rule is open but the application still fails, inspect the server gateway, policy routing, session table, NAT, and path symmetry.

3. Troubleshooting sequence

1. Allowing only the internal DNS server to query external resolvers does not give employee endpoints internet access; client routing and egress policies remain separate controls.
2. Allowing only the DNS server to reach public port 53 does not grant endpoints HTTP or HTTPS access. Confirm endpoint gateway, firewall policy, and proxy egress remain denied.
3. If internet access uses an explicit proxy, ensure endpoints cannot bypass it and restrict destinations, methods, identities, and log retention.
4. Software updates on an isolated network should use least-privilege egress: defined source, destination FQDN/address, ports, schedule, logging, and a default deny.
5. FQDN-based update rules must account for redirects, CDNs, certificate validation, time synchronisation, and vendor domain changes rather than a single hostname.
6. Change one variable at a time and export the current configuration before making changes.

nslookup update.vendor.example
Test-NetConnection public.example -Port 443
netsh winhttp show proxy

4. Safe remediation and rollout

Start with read-only queries, configuration exports, and one-system validation. Once the root cause is confirmed, define the target scope, change window, and rollback method. Validate policy changes with a test source and a limited time window, record rule hits and sessions, keep a rollback export, and expand scope gradually.

• Software updates on an isolated network should use least-privilege egress: defined source, destination FQDN/address, ports, schedule, logging, and a default deny.
• FQDN-based update rules must account for redirects, CDNs, certificate validation, time synchronisation, and vendor domain changes rather than a single hostname.
• Change one variable at a time and export the current configuration before making changes.

5. Validation, rollback and common mistakes

Do not stop when the service works once. Revalidate with the user workflow, logs, a restart or fresh sign-in, another network location where relevant, and the next policy or backup cycle.

Validation and rollback checks

• Change one variable at a time and export the current configuration before making changes.
• A connected VPN only proves that the tunnel is established; client routes, internal DNS, access control, server firewalls, and the return path must also be correct.
• Inspect WinHTTP, user proxy settings, PAC files, and security-agent proxy remnants; browser access does not prove that Office or system services use the same path.

Common mistakes to avoid

• Assuming the network is healthy because the VPN status says connected.
• Using any-destination or any-service rules instead of least privilege.
• Changing client routes without checking the server return path and firewall sessions.