
DNS resolution over VPN issue when LLMNR is disabled - Sophos Connect 2.3

I have the same problem as described in the following post:

RE: LLMNR disabled - DNS resolution no longer works over VPN

I have now updated to 20v1 MR1 and installed the current Connect Client. Unfortunately, the error is still not fixed with Sophos Connect 2.3. So I have to leave the insecure LLMNR protocol activated on all clients if they want to connect via VPN.



[edited by: Raphael Alganes at 3:57 PM (GMT -7) on 10 Jun 2024]
  • Hi, thank you for reaching out to the Sophos Community team. Below are my inputs and suggestions around this:

    LLMNR is used as a fallback mechanism when traditional DNS resolution fails. If a device cannot resolve a hostname through DNS, it may use LLMNR to try and resolve the name locally within the same subnet.

    Based on that, I am assuming the DNS resolution that is failing for you is for internal or local domain traffic. Please correct me if this is not the correct understanding, or elaborate on which domains DNS is failing for: internal, external, or both?

    If this is being observed on a Windows OS machine, then it uses the InterfaceMetric value to forward traffic if multiple interfaces with DNS settings configured are available.

    So it is worth checking the below and confirming the status to narrow down the situation:

    1) Please keep LLMNR enabled and do not connect Sophos Connect on the end machine.

    With this setup, browse the domain that fails when you are connected via the Sophos Connect VPN, and capture Wireshark on the interface handling the traffic to see/confirm whether it is getting resolved via DNS or LLMNR.

    2) Please keep LLMNR disabled and connect Sophos Connect on the end machine.

    With this setup, browse the domain that fails when you are connected via the Sophos Connect VPN, and capture Wireshark on the available LAN/WiFi and tunnel adapters to see/confirm whether it is getting resolved via DNS or LLMNR, and via which interface.

    Note: Due to the InterfaceMetric value, if internal domain queries are forwarded to the DNS server of the tunnel TAP adapter, they will not be able to resolve anything in your domain, and it will instead fall back on LLMNR to resolve internal hosts.

    Based on the above comparison, if your investigation and findings confirm that it is Sophos Connect that is breaking it, then I would suggest opening a support case to confirm and validate this further. Or, if your findings show different results and conclude that the issue is at your end, please feel free to share those latest findings with us here for community users' reference.

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support

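    A companion diagnostic to the two test setups above, added here as an example and not taken from the thread or from Sophos: it prints the LLMNR policy state, lists each connected interface with its metric and DNS servers (lowest metric first, the order Windows prefers), and then queries each server directly with Resolve-DnsName in DNS-only mode, so an LLMNR fallback cannot mask a server that fails. It assumes Windows PowerShell 5.1 or later and uses a constructed placeholder hostname; it supplements rather than replaces the Wireshark captures.

    ```powershell
    # Added example (not from the thread or from Sophos). Assumes Windows PowerShell 5.1+.
    param(
        [string]$InternalName = 'fileserver.corp.example'   # placeholder, constructed for this example
    )

    # 1. LLMNR policy state. EnableMulticast=0 under this key is what the
    #    "Turn off multicast name resolution" GPO writes.
    $pol   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $llmnr = (Get-ItemProperty -Path $pol -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
    if ($null -eq $llmnr)   { 'LLMNR: no policy set (Windows default: enabled)' }
    elseif ($llmnr -eq 0)   { 'LLMNR: disabled by policy' }
    else                    { "LLMNR: EnableMulticast=$llmnr (enabled)" }

    # 2. Connected IPv4 interfaces with their metric and configured DNS servers.
    #    Windows prefers the DNS servers of the lowest-metric interface, which is
    #    why a tunnel adapter that outranks the LAN adapter can take over queries.
    $ifaces = Get-NetIPInterface -AddressFamily IPv4 |
        Where-Object ConnectionState -eq 'Connected' |
        Sort-Object InterfaceMetric

    foreach ($i in $ifaces) {
        $dns = (Get-DnsClientServerAddress -InterfaceIndex $i.ifIndex -AddressFamily IPv4).ServerAddresses
        '{0,-35} metric={1,-4} dns={2}' -f $i.InterfaceAlias, $i.InterfaceMetric, ($dns -join ', ')

        # 3. Ask each interface's DNS servers directly. -DnsOnly skips LLMNR and
        #    NetBIOS, so a FAILED line means that server really cannot resolve
        #    the internal name, i.e. the path LLMNR would otherwise be hiding.
        foreach ($s in $dns) {
            try {
                $r = Resolve-DnsName -Name $InternalName -Server $s -Type A -DnsOnly -ErrorAction Stop
                $addrs = ($r | Where-Object Type -eq 'A').IPAddress -join ', '
                '    {0}: resolved -> {1}' -f $s, $addrs
            } catch {
                '    {0}: FAILED ({1})' -f $s, $_.Exception.Message
            }
        }
    }
    ```

    Run it once without the VPN and once with Sophos Connect up; the interface that moves to the top of the list, and whether its servers resolve the internal name, is the answer to the InterfaceMetric question raised above.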

  • Hi Vishal,

    as Vivek Jagad acknowledged this to be a known problem in Sophos Connect (see LLMNR disabled - DNS resolution no longer works over VPN - Discussions - Sophos Firewall - Sophos Community) and it should have been addressed in Sophos Connect Client 2.3, I would have a similar question to Steffen:

    Was this improvement really part of release 2.3, or was it postponed to a future release?

    I mean, I can't find anything about it in the release notes, which would suggest it's not fixed.

    If so, in which release will it be fixed according to the current timeline?

    Kind regards

    Matthias
