
DNS resolution over VPN issue when LLMNR is disabled - Sophos Connect 2.3

I have the same problem as described in the following post:

 RE: LLMNR disabled - DNS resolution no longer works over VPN 

I have now updated to 20v1 MR1 and installed the current Connect Client. Unfortunately, the error is still not fixed with Sophos Connect 2.3. So I have to leave the insecure LLMNR protocol activated on all clients if they want to connect via VPN.



  • Hi, thank you for reaching out to the Sophos community team. Below are my inputs and suggestions around this:

    LLMNR is used as a fallback mechanism when traditional DNS resolution fails. If a device cannot resolve a hostname through DNS, it may use LLMNR to try and resolve the name locally within the same subnet.

    Based on that, I am assuming the DNS resolution that is failing for you is for internal or local domain traffic! Please correct me if this is not the correct understanding, or please elaborate on which domains DNS is failing for: internal, external, or both?

    If this is observed on a Windows OS machine, then it uses the InterfaceMetric value to forward traffic when multiple interfaces with DNS settings configured are available!

    So it is worth checking the below and confirming the status to narrow down the situation:

    1) Please keep LLMNR enabled and do not connect Sophos Connect on the end machine.

    With this setup, browse the domain that fails when you are connected via the Sophos Connect VPN and capture Wireshark on the interface handling the traffic to see/confirm whether it is getting resolved via DNS or LLMNR.

    2) Please keep LLMNR disabled and connect Sophos Connect on the end machine.

    With this setup, browse the domain that fails when you are connected via the Sophos Connect VPN and capture Wireshark on the available LAN/WiFi and tunnel adapters to see/confirm whether it is getting resolved via DNS or LLMNR, and via which interface!

    Note: Due to the InterfaceMetric value, if internal domain queries are forwarded to the DNS server of the tunnel TAP adapter, then they are not able to resolve anything in your domain, and instead it will fall back on LLMNR to resolve internal hosts.

    Based on the above comparison, if your investigation and findings confirm that it is Sophos Connect that is breaking it, then I would suggest opening a support case to confirm and validate this further. Or, if your findings show different results and conclude that the issue is at your end, please feel free to share those latest findings with us here for community users' reference.

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support

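One way to collect the interface-metric, DNS-server and LLMNR state that the steps above ask for, as an added PowerShell diagnostic that is not from this thread or from Sophos. Run it on the Windows client once with the VPN disconnected and once connected and compare the two outputs; the hostname is a placeholder for an internal name that fails to resolve through the tunnel.

```powershell
# Added diagnostic (not from the thread or from Sophos). Run in an elevated PowerShell
# on the Windows client, once with Sophos Connect disconnected and once connected.
$TestHost = 'fileserver.corp.example'   # placeholder: replace with a failing internal FQDN

# 1) LLMNR policy state. EnableMulticast = 0 under the DNSClient policy key is the
#    GPO setting "Turn off multicast name resolution" (LLMNR disabled).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$llmnr = (Get-ItemProperty -Path $policyKey -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
'LLMNR policy (EnableMulticast): ' + $(if ($null -eq $llmnr) { 'not set (LLMNR on)' } elseif ($llmnr -eq 0) { 'disabled' } else { 'enabled' })

# 2) Interface metrics and per-interface DNS servers: Windows prefers the adapter
#    with the lowest metric when several connected adapters carry DNS settings,
#    so compare the tunnel adapter's metric with the LAN/WiFi adapter's.
Get-NetIPInterface -AddressFamily IPv4 | Where-Object ConnectionState -eq 'Connected' |
    Select-Object InterfaceAlias, InterfaceIndex, InterfaceMetric |
    Sort-Object InterfaceMetric | Format-Table -AutoSize
Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object ServerAddresses |
    Select-Object InterfaceAlias, @{ n = 'DnsServers'; e = { $_.ServerAddresses -join ', ' } } |
    Format-Table -AutoSize

# 3) Suffix search list and connection-specific suffixes: a single-label name such as
#    "fileserver" is only sent to DNS with a suffix appended; with no usable suffix the
#    resolver falls through to LLMNR/NetBIOS, which is exactly what a GPO disabling
#    LLMNR takes away.
'Global suffix search list: ' + ((Get-DnsClientGlobalSetting).SuffixSearchList -join ', ')
Get-DnsClient | Where-Object { $_.ConnectionSpecificSuffix } |
    Select-Object InterfaceAlias, ConnectionSpecificSuffix, RegisterThisConnectionsAddress |
    Format-Table -AutoSize

# 4) Resolve the test name through DNS only (no LLMNR fallback), then query each
#    configured server directly. A name that answers with -Server but not without it
#    points at suffix handling or interface selection rather than at the servers.
Clear-DnsClientCache
"DNS-only resolution of $TestHost :"
Resolve-DnsName -Name $TestHost -DnsOnly -ErrorAction Continue | Select-Object Name, Type, IPAddress
$servers = (Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object ServerAddresses).ServerAddresses |
    Select-Object -Unique
foreach ($srv in $servers) {
    "Direct query to $srv :"
    Resolve-DnsName -Name $TestHost -Server $srv -DnsOnly -ErrorAction Continue | Select-Object Name, Type, IPAddress
}
```

Pair the output with the Wireshark capture from the same run: a query that leaves on the LAN adapter towards the wrong server, or a single-label name that never reaches DNS at all, shows up directly in step 4 and in the capture.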

  • Hi Vishal_R,

    To clarify, we have been using the Sophos Connect Client for several years for remote access via SSL or IPsec. The connection is established in every case. For security reasons, we recently deactivated LLMNR on the Windows PCs in our domain using GPO. Since then, DNS resolution for these clients through the VPN no longer works for our internal addresses. This only affects traffic through the tunnel; external DNS resolution is not affected. The DNS servers are specified via VPN and can also be reached (in the same subnet as the VPN or in other subnets behind the tunnel). Using nslookup, the names are resolved correctly by all DNS servers. However, if I try to reach an address using a hostname or FQDN, I get the answer that the name cannot be resolved. Access via IP works immediately. To work around the error, I re-enabled LLMNR for the affected PCs and everything works. I cannot imagine that name resolution through the tunnel should take place using LLMNR if DNS fails. The requested addresses are not in the same subnet as the VPN address of the connected client. Every other client (Windows, iOS) that is not in the domain or does not have deactivated LLMNR works. It is exactly the behavior that was requested in the discussion above.

    Regards,

    Steffen Dutschke

  • Hi Vishal,

    As Vivek Jagad acknowledged this to be a known problem in Sophos Connect (see LLMNR disabled - DNS resolution no longer works over VPN - Discussions - Sophos Firewall - Sophos Community) and it should have been addressed in Sophos Connect Client 2.3, I would have a similar question to Steffen's:

    Was this improvement really part of release 2.3, or was it postponed to a future release?

    I mean, I can't find anything about it in the release notes, which would suggest it's not fixed.

    If so, in which release will it be fixed according to the current timeline?

    Kind regards

    Matthias

  • Hi, as far as I know, in terms of LLMNR no issues or bugs were noticed, and that is the reason you are not seeing them in the release notes. If you observe any issue with DNS resolution with LLMNR disabled, you may narrow down the issue with the steps in my previous comment and, if needed based on those observations, you may log a support case for further investigation.

    Regarding the other thread that you mentioned in your last comment, the known issue discussed there is not at all clear, or there is no info on that part in that thread, so I am not sure.

    LLMNR disabled - DNS resolution no longer works over VPN

    Maybe they can clarify that here for you!

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support


  • Hi,

    I sincerely regret the inconvenience caused, as I was referring to the:
    NCL-1383 Resolved behavior where client DNS value is appended rather than replacing previous value 

    REF - Sophos Connect 2.3 Update Released - Release Notes & News - Sophos Firewall - Sophos Community

    To clarify, regarding LLMNR it is still pending to be addressed.

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Technical Support, Global Customer Experience
