
DNS traffic from SSL VPN clients allowed any DNS server

 Hi all,

While testing some stuff while travelling, I've discovered that my SSL VPN-connected client can make DNS requests to ANY DNS server (home ISP router, Google public DNS, etc.).
That's a little weird to me, because my Network Protection --> Firewall --> Rules contain no DNS-based rules at all; I rely on my UTM DNS server, which forwards requests to my home ISP router.

I've been under the impression that with no matching rules, traffic should be denied. Am I wrong here?

Also, I've verified from a home LAN-based host via RDP that the LAN hosts have no DNS access to any DNS server other than my UTM DNS server; any other attempt at UDP 53 is dropped. The live logs show a Default DROP hit for such traffic, although via the SSL VPN it passes through.

Any ideas are welcome.

Cheers,
m.



  • What does your VPN profile specify for local networks? It sounds like you have a split tunnel, and the unwanted traffic is bypassing the tunnel completely.

    I also recommend assuming nothing about default rules. See my architecture document in the Wiki.

  • Hi there,

    So I've sorted myself out. And to reply to your question: full tunnel configuration, no split tunnel, and full DNS leak avoidance (local ISP DNS replaced with bogus information, only DNS available = UTM).

    It turns out that the UTM SSL VPN setup proposes, by default, to set the firewall rules automatically, allowing SSL VPN users/groups to Any/Any as rule number 1 on the FW. So of course no other rules were processed, as all the SSL VPN clients' traffic hit that rule first, and rule processing stopped there.

    So I've simply reconfigured the SSL VPN server without the automatic rules, and all the SSL VPN clients' traffic is now fully regulated by my inserted rules. Also, no match = default drop, so my assumptions were correct.

    Thanks,
    Regards,
    m. 
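The behaviour described in the two posts above (an automatic "SSL VPN users -> Any -> Any -> Allow" rule at position 1 short-circuiting every later rule, and the default drop applying once it is removed) comes down to ordered first-match evaluation. The following is an added example, not Sophos UTM code or anything posted in this thread: a small first-match rule evaluator run over constructed traffic. The SSL VPN pool (10.242.2.0/24), the UTM's internal address (192.168.0.1), the LAN range, the external resolver and the rule names are all assumptions made for the example; the automatic rule is modelled on the VPN pool subnet rather than on user/group identity.

```python
"""Ordered first-match firewall rule evaluation, with and without an
automatic 'SSL VPN users -> Any/Any -> Allow' rule in position 1.

Added example; not Sophos UTM code. Addresses, rule names and traffic
samples below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import Optional

ANY = ip_network("0.0.0.0/0")

# Assumed addressing for the example.
SSLVPN_POOL = ip_network("10.242.2.0/24")   # assumed SSL VPN client pool
HOME_LAN = ip_network("192.168.0.0/24")     # assumed home LAN
UTM_DNS = ip_network("192.168.0.1/32")      # assumed UTM internal address (its DNS proxy)


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[str]   # None = any protocol
    dport: Optional[int]   # None = any destination port
    action: str            # "allow" or "drop"

    def matches(self, src: str, dst: str, proto: str, dport: int) -> bool:
        return (ip_address(src) in self.src
                and ip_address(dst) in self.dst
                and self.proto in (None, proto)
                and self.dport in (None, dport))


def evaluate(rules, src, dst, proto, dport, default="drop"):
    """Walk the ordered rule list; the first matching rule decides.
    If nothing matches, the implicit default (drop) applies."""
    for rule in rules:
        if rule.matches(src, dst, proto, dport):
            return rule.action, rule.name
    return default, "Default DROP"


# The hand-written rules the poster relies on: DNS only to the UTM, web out.
MANUAL_RULES = [
    Rule("LAN -> UTM DNS", HOME_LAN, UTM_DNS, "udp", 53, "allow"),
    Rule("SSLVPN -> UTM DNS", SSLVPN_POOL, UTM_DNS, "udp", 53, "allow"),
    Rule("SSLVPN -> Internet HTTPS", SSLVPN_POOL, ANY, "tcp", 443, "allow"),
]

# What the SSL VPN wizard adds when "automatic firewall rules" is left on,
# modelled here on the pool subnet rather than on user/group identity.
AUTO_RULE = Rule("SSL VPN users -> Any -> Any (automatic)",
                 SSLVPN_POOL, ANY, None, None, "allow")

AUTO_FIRST = [AUTO_RULE] + MANUAL_RULES   # automatic rule lands at position 1
MANUAL_ONLY = MANUAL_RULES                # SSL VPN server reconfigured without it

# Constructed traffic samples: (label, src, dst, proto, dport).
TRAFFIC = [
    ("vpn client -> UTM DNS", "10.242.2.5", "192.168.0.1", "udp", 53),
    ("vpn client -> external DNS", "10.242.2.5", "8.8.8.8", "udp", 53),
    ("vpn client -> HTTPS", "10.242.2.5", "93.184.216.34", "tcp", 443),
    ("LAN host -> external DNS", "192.168.0.20", "8.8.8.8", "udp", 53),
]


def run(rules):
    """Evaluate every traffic sample against one ordered rule set."""
    return {label: evaluate(rules, src, dst, proto, dport)
            for label, src, dst, proto, dport in TRAFFIC}


if __name__ == "__main__":
    for title, rules in (("automatic rule at position 1", AUTO_FIRST),
                         ("manual rules only", MANUAL_ONLY)):
        print(f"== {title} ==")
        for label, (action, by) in run(rules).items():
            print(f"{label:30s} {action:5s} ({by})")
```

With the automatic rule first, the VPN client's query to the external resolver is allowed by that rule and the "SSLVPN -> UTM DNS" rule is never consulted, while the LAN host's identical query falls through to the default drop, exactly the asymmetry the original post observed in the live log. With the manual rules only, the VPN client keeps DNS to the UTM and HTTPS out, and its query to any other resolver hits the default drop.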

  • Hi,

    I have a site-to-site SSL full tunnel.

    The site is connected and working.

    Let's say from site B, when I go to whatsmyip, I get the IP from site A, and this is a good thing.

    But when I do a DNS leak test I still get DNS from site B; this is not good.

    When I do a DNS leak test from site A I get the correct ISP DNS.

    How do I fix this?

    There are services I want to reach from site B over the IP and DNS from site A.

    I need help, please.

    gritz

  • Please compare your configuration to DNS best practice.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA