Hello community,
the issue was mentioned in several community posts in the past:
LLMNR disabled - DNS resolution no longer works over VPN
DNS resolution over VPN issue when LLMNR is disabled - Sophos Connect 2.3
(We use Sophos Connect Client 2.3 / 2.4 and SFOS 21.5.0 GA-Build171; no IPv6 is in use on the company network, but it is still enabled on the Windows devices by default.)
On Monday this week we disabled LLMNR for endpoint devices in our MS domain for security reasons.
After this, notebooks with updated GPO settings which are used at home office locations weren't able to connect to internal resources by DNS name anymore. The VPN connects successfully, and connecting by IP address works.
We tried to figure out the cause of the issue, and it seems like every endpoint at a home office location which gets an IPv6 address and IPv6 DNS servers from the ISP router has the DNS resolution errors. Interestingly, e.g. "ping resource.domain.local" gives you a "could not resolve name" error message. If you try this in nslookup, Windows uses the DNS servers that the Connect client gets pushed over IPsec from the Sophos firewall and gives you the correct IP.
It seems like Windows is now trying to use the IPv6 DNS servers to resolve internal resources behind the IPsec VPN tunnel to the company network.
On the affected devices we disabled IPv6 on the network interface, rebooted the device, and things work again so far.
I am not able to understand why DNS resolution worked in the past in this configuration and stops working when LLMNR is disabled. Has it never actually worked properly and used LLMNR as a fallback? Maybe someone could explain this behaviour to me and clarify whether this is expected behaviour of the Sophos Connect Client, of Windows, or of something else.
I look forward to your feedback!
Greetings!
EDIT:
I have opened a ticket for this ... Case Number 02597174.
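To make the symptom described in this post visible from one place, here is an added PowerShell diagnostic (example code, not from the original post, Sophos or Microsoft). It reports whether LLMNR is turned off by policy, lists the IPv4 and IPv6 DNS servers per interface together with the IPv6 binding state, and resolves a name twice: once with the default resolver order and once directly against the DNS server pushed through the tunnel. The internal name "resource.domain.local" is taken from the post; the VPN DNS server address "10.0.0.53" is a placeholder you must replace, and the script assumes adapter names from Get-NetAdapterBinding match the InterfaceAlias values from Get-DnsClientServerAddress, which is the usual case.

```powershell
# Added diagnostic example (not part of the original post). Placeholder values are marked.

function Get-LlmnrPolicyState {
    # The "Turn off multicast name resolution" GPO writes EnableMulticast under this key.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $value = Get-ItemProperty -Path $key -Name EnableMulticast -ErrorAction SilentlyContinue
    if ($null -eq $value) { return 'NotConfigured (LLMNR enabled by default)' }
    if ($value.EnableMulticast -eq 0) { return 'Disabled by policy' }
    return 'Enabled by policy'
}

function Get-DnsServersByFamily {
    # One row per interface: IPv6 binding state, IPv4 DNS servers, IPv6 DNS servers.
    # AddressFamily 2 = IPv4, 23 = IPv6 in the output of Get-DnsClientServerAddress.
    $bindings = Get-NetAdapterBinding -ComponentID ms_tcpip6 -ErrorAction SilentlyContinue
    Get-DnsClientServerAddress | Group-Object InterfaceAlias | ForEach-Object {
        $v4 = ($_.Group | Where-Object AddressFamily -eq 2).ServerAddresses
        $v6 = ($_.Group | Where-Object AddressFamily -eq 23).ServerAddresses
        # Assumption: adapter Name equals the InterfaceAlias used by the DNS client cmdlets.
        $bound = ($bindings | Where-Object Name -eq $_.Name).Enabled
        [pscustomobject]@{
            Interface = $_.Name
            IPv6Bound = $bound
            IPv4Dns   = ($v4 -join ', ')
            IPv6Dns   = ($v6 -join ', ')
        }
    }
}

function Test-InternalNameResolution {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $VpnDnsServer   # the server the firewall pushes over IPsec
    )
    $result = [ordered]@{ Name = $Name }
    # 1) Default resolver order, DNS only (no LLMNR/NetBIOS fallback), like the failing ping.
    try {
        $r = Resolve-DnsName -Name $Name -Type A -DnsOnly -ErrorAction Stop
        $result.DefaultResolver = (($r | Where-Object Type -eq 'A').IPAddress -join ', ')
    } catch {
        $result.DefaultResolver = "FAILED: $($_.Exception.Message)"
    }
    # 2) Directly against the tunnel DNS server, like the working nslookup.
    try {
        $r = Resolve-DnsName -Name $Name -Type A -Server $VpnDnsServer -DnsOnly -ErrorAction Stop
        $result.ViaVpnServer = (($r | Where-Object Type -eq 'A').IPAddress -join ', ')
    } catch {
        $result.ViaVpnServer = "FAILED: $($_.Exception.Message)"
    }
    [pscustomobject]$result
}

# Usage while the VPN is connected. '10.0.0.53' is a placeholder for your tunnel DNS server.
"LLMNR policy: $(Get-LlmnrPolicyState)"
Get-DnsServersByFamily | Format-Table -AutoSize
Test-InternalNameResolution -Name 'resource.domain.local' -VpnDnsServer '10.0.0.53' | Format-List
```

If DefaultResolver fails while ViaVpnServer answers, and the table shows an interface with IPv6 DNS servers from the ISP router alongside the tunnel's IPv4 servers, that matches the behaviour described above and is worth attaching to the support case; with LLMNR disabled there is no multicast fallback to mask a wrong resolver choice, so the -DnsOnly result is the one that counts.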