Transparent dnat

Hi all and Happy New year!

Has the transparent dnat function been implemented on 17.5 release? This is actually the only feature which is preventing me to make the big jump from old SG platform.

To be clear, what I need is redirect all the outgoing DNS traffic to a specific host.

Tried to googleing around, but all the info I've found are related to 17.0, so wonder if the latest version made the trick.

Thanks in advance everyone

Parents

0 LuCar Toni over 5 years ago

It is not in V17.5.

We talked about this here:

https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/109366/force-dns-requests-to-an-internal-server/392878#392878

I am still struggling with the reason for doing this. Would suggest to simply block everything and "force" to use XG / internal DNS. This is my all time approach to resolve this.

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 infinityz over 5 years ago in reply to LuCar Toni

Thanks for your reply Lucar, will keep an eye on that thread.

The reason behind this configuration is actually pretty simple! There are a numbers of IoT devices which just ignore the dns pulled from dhcp and keep using Google dns rather.

Block outgoing DNS requests would not solve the issue but just make these devices unusable.

Transparent dnat is the only way to force the use of the internal dns.

Thanks
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
+1 LuCar Toni over 5 years ago in reply to infinityz

Can you name such devices? This seems to be highly un-compliant to do such a behavior. And such devices would be rather in your isolated network instead of your company network.

Most of the time, in guest networks, i allow to perform such actions.

But if such IoT Devices are performing such stuff, i would not like to have them in the same broadcast domain. It is like some kind of "old" printer. Easy way to use them as a jumphost as a hacker. Check out the current 35C3 in Germany.

Just my 2 Cents about this topic. It does not resolve your issue / limitation.

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Reject Answer

Cancel

Reply

+1 LuCar Toni over 5 years ago in reply to infinityz

Can you name such devices? This seems to be highly un-compliant to do such a behavior. And such devices would be rather in your isolated network instead of your company network.

Most of the time, in guest networks, i allow to perform such actions.

But if such IoT Devices are performing such stuff, i would not like to have them in the same broadcast domain. It is like some kind of "old" printer. Easy way to use them as a jumphost as a hacker. Check out the current 35C3 in Germany.

Just my 2 Cents about this topic. It does not resolve your issue / limitation.

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Reject Answer

Cancel

Children

0 Emile Belcourt over 5 years ago in reply to LuCar Toni

Virgin Media TV Boxes (v5 in my case) ignore DNS for some of their implemented software and try to utilise Virgins DNS which if unavailable will cause some software to fail. Google Chromecasts prioritise Google but should also use local (at least in early versions). Some brands of home automated lighting uses fixed DNS as well.

Those are a few I'm aware of.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel