
Eliminating DNS leaks for multi-WAN

Hi all

Wondering if there's a way to isolate DNS for individual WAN interfaces? I expect this will require some real trickery to get right; hopefully someone has pulled it off.

First prize is to have DNS lookups for each WAN interface redirected to a specific DNS server.

Failing that, a way to limit DNS lookups on a single interface to only one allowed DNS server.


Effectively I have three WAN interfaces, one of which directs traffic through a VPN service, which is working fine.

I have set up some network groups so that any devices in my 'Systems using VPN' group break out via the VPN tunnel; the issue is that DNS lookups from those devices are still using the UTM DNS servers. I would like to force those to use a specific DNS server only.


Any ideas?



  • You need multiple configuration changes. For the "Systems using VPN" group to use a specific DNS server, the easiest solution might be to make a DNAT rule: Traffic from "Systems using VPN" going to "Internet" (or maybe even "Any") using service "DNS", DNAT to ==> desired DNS server.

    For your first question, having specific DNS servers reachable over specific WAN connections, you can configure "Interfaces and routing => Interfaces => Multipath rules". There you can configure that traffic going to a specific DNS server should use a specific WAN interface.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improving IT security and happy to help others with their IT security challenges.

  • Hi John and welcome to the UTM Community!

    I have to admit that your description leaves me a bit confused. What do you mean by "DNS lookups for each WAN interface?"

    Is apijnappels' suggestion to do something like 'DNAT : Systems using VPN -> DNS -> Internal (Address) : to {specific DNS server}' sufficient for your purposes?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Can we assume that each WAN interface is associated with a known set of IP addresses?

    If so, then you should be able to create a series of firewall rules:

    1. <source object 1> to <allowed DNS server> port 53 ALLOW
    2. <source object 1> to <any> port 53 DENY
    3. <source object 2> to <allowed DNS server> port 53 ALLOW
    4. <source object 2> to <any> port 53 DENY
    5. <source object 3> to <allowed DNS server> port 53 ALLOW
    6. <source object 3> to <any> port 53 DENY

    Note, however, that the Standard Mode web proxy complicates the question, because Standard Mode DNS lookups are performed by the UTM, not by the client, so there is no way to segment that traffic.

    Also note that every Transparent Mode profile that you create also enables Standard Mode, using the same configuration settings.

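A worked model of the two mechanisms proposed so far (the DNAT redirect and the ordered allow/deny rule pairs), written as an added example and not code from any participant in this thread or from Sophos UTM itself. All addresses and the group membership are constructed for the example, and the model assumes that queries the VPN group sends to the UTM's own LAN address are evaluated against the rule list. It shows why a DNAT whose destination is "Internet" misses queries aimed at the UTM's own resolver (the leak described in the opening post), why "Any" catches them, why a device outside the group is unaffected, and why the Standard Mode proxy caveat is out of reach of client-based rules.

```python
"""Toy model of the DNS-containment policy discussed in this thread.

Constructed example, not Sophos UTM code or any poster's configuration: it simulates
the order in which a DNAT rule and a firewall rule list act on a client's DNS query,
so the effect of the DNAT destination scope ("internet" vs "any") and of the
Standard Mode proxy caveat can be checked offline.  All addresses are made up.
"""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, ip_address, ip_network

# --- Assumed topology (constructed for this example, not from the thread) --------
LAN = ip_network("192.168.1.0/24")
UTM_LAN_ADDR = ip_address("192.168.1.1")   # UTM's internal address; also its resolver
VPN_DNS = ip_address("10.8.0.1")           # resolver reachable only inside the tunnel
ISP_DNS = ip_address("203.0.113.53")       # resolver the UTM itself forwards to (WAN 1/2)
SYSTEMS_USING_VPN = {ip_address("192.168.1.50"), ip_address("192.168.1.51")}
DNS_PORT = 53      # plain DNS only: DoT (853) and DoH (443) are not matched by these rules


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: str   # "udp" or "tcp"
    dport: int


def query(src: str, dst: str, proto: str = "udp", dport: int = DNS_PORT) -> Packet:
    """Build a query packet from dotted-quad strings."""
    return Packet(ip_address(src), ip_address(dst), proto, dport)


def is_dns(pkt: Packet) -> bool:
    return pkt.proto in ("udp", "tcp") and pkt.dport == DNS_PORT


def apply_dnat(pkt: Packet, scope: str) -> Packet:
    """DNAT rule: Systems using VPN -> <scope> : DNS  ==> VPN_DNS.

    scope "internet": only destinations outside the LAN are rewritten, so a query
    the client sends to the UTM's own LAN address is NOT caught.
    scope "any": every port-53 packet from the group is rewritten.
    """
    if scope not in ("internet", "any"):
        raise ValueError(f"unknown DNAT scope {scope!r}")
    if pkt.src not in SYSTEMS_USING_VPN or not is_dns(pkt):
        return pkt
    if scope == "any" or pkt.dst not in LAN:
        return replace(pkt, dst=VPN_DNS)
    return pkt


def apply_filter(pkt: Packet) -> str:
    """Ordered rules as in the list above: allow the permitted resolver, deny other port 53.

    Assumption of this model: the rule list is consulted for the group's DNS traffic
    whatever its destination, including the UTM's own address.
    """
    if not is_dns(pkt):
        return "allow"   # non-DNS traffic is outside the scope of this model
    if pkt.src in SYSTEMS_USING_VPN:
        return "allow" if pkt.dst == VPN_DNS else "deny"
    return "allow"       # WAN 1 / WAN 2 devices may use any resolver (failover)


def dns_outcome(pkt: Packet, dnat_scope: str, filter_rules: bool = True) -> tuple:
    """Return (verdict, resolver that finally answers the query).

    DNAT is evaluated before the filter, as on netfilter-based firewalls, so the
    filter sees the rewritten destination.  A query that lands on the UTM's own
    resolver is forwarded to ISP_DNS: that is the leak the thread is about.
    """
    pkt = apply_dnat(pkt, dnat_scope)
    if filter_rules and apply_filter(pkt) == "deny":
        return ("deny", "none")
    if pkt.dst == UTM_LAN_ADDR:
        return ("allow", str(ISP_DNS))
    return ("allow", str(pkt.dst))


def proxied_lookup(client: str, standard_mode_proxy: bool) -> Packet:
    """Standard Mode web proxy caveat: the UTM, not the client, resolves the name,
    so the query leaves with the UTM as source and client-based rules never match."""
    src = UTM_LAN_ADDR if standard_mode_proxy else ip_address(client)
    return Packet(src, ISP_DNS, "udp", DNS_PORT)


if __name__ == "__main__":
    q = query("192.168.1.50", "192.168.1.1")          # VPN client asks the UTM resolver
    print("DNAT to Internet, no filter:", dns_outcome(q, "internet", filter_rules=False))
    print("DNAT to Any, no filter:     ", dns_outcome(q, "any", filter_rules=False))
    print("DNAT to Internet + filter:  ", dns_outcome(q, "internet"))
    print("Standard Mode proxy lookup: ", dns_outcome(proxied_lookup("192.168.1.50", True), "any"))
```

Read the first two printed lines together: the same client query to the UTM's own address leaks to the ISP resolver when the DNAT destination is "Internet" and is redirected into the tunnel when it is "Any", which is the difference between the two DNAT suggestions above. The proxy case is the caveat from the previous post: the lookup's source is the UTM, so neither the DNAT nor the group-based rules ever see it.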
  • Glad to see I am at least on the right track with some solutions. Douglas, I had this in place already, but it made no visible difference and I am still getting DNS leaks reported over the VPN.

    I am looking at potentially a combination of all of the proposed solutions here. Incidentally, I had also implemented the Multipath rules as recommended by apijnappels, but the recommendation of using DNAT may be the missing key to intercept and redirect the DNS requests to the allowed DNS server...

  • Hi apijnappels, although I had already tried the multipath rules with no luck (DNS leak still reported), I have not yet looked at the DNAT rules. I think you may be on to something here, and this might (if done correctly) allow me to intercept and redirect DNS requests to the correct DNS server...


    As per my feedback to Douglas, the combination of the firewall rules, Multipath and DNAT might cover it. I will give it a go and see how it responds.

  • Apologies BAlfson, I might have clicked Reject by mistake for your question, sticky mouse button...


    I can best explain what I would like to accomplish as follows:

    WAN 1   Direct breakout   Unique gateway (.251)
    WAN 2   Direct breakout   Unique gateway (.254)
    WAN 3   OpenVPN tunnel    VPN service gateway


    So basically WAN 1 and 2 are not the issue; they can use any of the DNS servers if necessary (to accommodate failover, etc.).

    WAN 3 is the actual issue, and any devices on the LAN using WAN 3 need to use only specific DNS servers and not the ones used for WAN 1 and 2.


    By moving the devices between the three groups I have defined (each group representing a WAN interface, e.g. 'Devices using WAN 1', 'Devices using WAN 2', 'Devices using VPN\WAN3'), I can immediately redirect the device's breakout