AnyDesk is a Remote Desktop solution which has become very popular in the last two years. It is overtaking TeamViewer in popularity because AnyDesk is currently a lot more generous with how much activity they allow on the free version. However, it is not always desirable to have remote access software such as AnyDesk running on your network. This article explains a number of measures to block AnyDesk from connecting out to the big wide world.

Ports used by AnyDesk

Like most hosted remote-access applications these days, AnyDesk connects out on ports TCP 80, TCP 443, and also one unique port – TCP 6568.

Internally, it uses UDP ports 50001-50003 for multicasting to allow discovery on your local network.

No special outbound rules or port forwarding are required to make AnyDesk work – so long as your network administrator hasn’t followed the below instructions to make life difficult for AnyDesk.

How to Block AnyDesk On Your Network

If you want to block AnyDesk on your network, there are a few measures you can put in place:

  1. Create local firewall rules using Windows Firewall to block outgoing connections from AnyDesk.exe
  2. Block the resolution of DNS records on the domain. If you run your own DNS server (such as an Active Directory server) then this is easy:
    1. Open your DNS Management Console
    2. Create a top-level record for ‘‘
    3. Do nothing else. By pointing this record nowhere you will stop connections to this domain and all of it’s subdomains
  3. Block in PiHole – this is another way to use DNS blocking to stop AnyDesk from connecting out via your network
  4. Ensure the only DNS connections allowed on your network are to your own internal DNS servers (which contain the above dummy-record). This removes the possibility of the AnyDesk client checking DNS records against their own servers, instead of yours. To do so, add a new outgoing firewall rule to disallow TCP & UDP port 53 from all source IP addresses, EXCEPT the addresses of your own DNS servers.
  5. You can utilise Group Policy to deny AnyDesk.exe from running. To do this, create a new Software Restriction Policy with a Hash Rule for AnyDesk.exe.
  6. If you have a firewall with Deep Packet Exception, you can enable the in-built rules to block AnyDesk. These firewalls often release new definition updates as the situation changes, so a lot of the hard work is handled for you.
  7. Block outgoing TCP Port 6568. You can create a DENY rule in your firewall to do this.

AnyDesk does not have any fixed IP addresses – they simply use IPs from cloud providers, and do not publish a list, so blocking IPs will be a game of whack-a-mole. However, these above seven steps should allow you to be successful in blocking AnyDesk from connecting out to the internet.