
Eliminating DNS leaks for multi-WAN

Hi all

Wondering if there's a way to isolate DNS for individual WAN interfaces? I expect this will require some real trickery to get right, hopefully someone has pulled it off;

1st Prize is to have DNS lookups for each WAN interface redirected to a specific DNS server

Failing that, a way to limit DNS lookups on a single interface to only one allowed DNS server;

 

Effectively I have three WAN interfaces, one of them directs traffic through a VPN service, which is working fine;

I have set up some network groups so any devices in my 'Systems using VPN' group break out via the VPN tunnel. The issue is that DNS lookups from those devices are still using the UTM DNS servers; I would like to force those to use a specific DNS server only;

 

Any ideas?



  • You need multiple configuration changes; for the "Systems using VPN" group to use a specific DNS server, the easiest solution might be to make a DNAT rule: Traffic from "Systems using VPN" going to "Internet" (or maybe even any) using service "DNS" DNAT to ==> Desired DNS server.

    For your first question, to have specific DNS servers reachable over specific WAN connections, you can configure "Interfaces and routing => Interfaces => Multipath rules". There you can configure that traffic going to a specific DNS server should use a specific WAN interface.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Hi apijnappels, although I had already tried the multipath rules with no luck (DNS leak still reported), I have not yet looked at the DNAT rules, I think you may be on to something here and this might (if done correctly) allow me to intercept and redirect DNS requests to the correct DNS Server...


    As per feedback to Douglas, the combination of the FW rules, Multipath and DNAT might cover it, I will give it a go and see how it responds
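The reply above and this follow-up both lean on the same point: the DNAT rule has to rewrite the query's destination before the multipath rule decides the egress interface, otherwise a query addressed to the UTM's own resolver is answered locally and forwarded out the default route, which is the leak being reported. The model below is an added example written for this thread, not code from the thread or from Sophos; the subnet, resolver addresses, interface names and sample queries are constructed assumptions. It runs constructed DNS queries through "multipath only" and "DNAT + multipath" and reports which ones still leave on the non-VPN WAN.

```python
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, ip_address, ip_network

# Constructed values (assumptions for this example, not taken from the thread):
VPN_GROUP = [ip_network("192.168.10.0/24")]   # the "Systems using VPN" network group
UTM_DNS = ip_address("192.168.1.1")           # the UTM's own resolver, which clients use today
DESIRED_DNS = ip_address("10.8.0.1")          # resolver that should be used inside the tunnel
WAN_VPN = "wan_vpn"                           # interface carrying the VPN tunnel
WAN_DEFAULT = "wan_default"                   # interface the UTM's default route uses
DNS_PORT = 53


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: str    # "udp" or "tcp"
    dport: int


def in_vpn_group(addr: IPv4Address) -> bool:
    return any(addr in net for net in VPN_GROUP)


def dnat_dns(pkt: Packet) -> Packet:
    """DNAT rule: source "Systems using VPN", service DNS, any destination -> DESIRED_DNS."""
    if in_vpn_group(pkt.src) and pkt.proto in ("udp", "tcp") and pkt.dport == DNS_PORT:
        return replace(pkt, dst=DESIRED_DNS)
    return pkt


def multipath(pkt: Packet) -> str:
    """Multipath rules for forwarded traffic, evaluated after DNAT has rewritten the destination."""
    if pkt.dst == DESIRED_DNS:      # traffic to the chosen resolver must leave via the tunnel
        return WAN_VPN
    if in_vpn_group(pkt.src):       # the group breakout rule already in place per the question
        return WAN_VPN
    return WAN_DEFAULT


def resolve_path(pkt: Packet, use_dnat: bool) -> tuple[str, str]:
    """Return (resolver address, interface the query finally leaves on).

    A query addressed to the UTM itself is not forwarded: the UTM's resolver answers it
    and sends its own upstream query out the default route, so multipath rules never see it.
    """
    if use_dnat:
        pkt = dnat_dns(pkt)
    if pkt.dst == UTM_DNS:
        return str(UTM_DNS), WAN_DEFAULT
    return str(pkt.dst), multipath(pkt)


def leaks(pkt: Packet, use_dnat: bool) -> bool:
    """A leak is a DNS query from the VPN group that ends up leaving on the non-VPN WAN."""
    if not (in_vpn_group(pkt.src) and pkt.dport == DNS_PORT):
        return False
    _, iface = resolve_path(pkt, use_dnat)
    return iface != WAN_VPN


def demo() -> dict[str, tuple[str, str, bool]]:
    """Constructed sample queries run through the model: (resolver, interface, leaked?)."""
    vpn_host = ip_address("192.168.10.20")        # constructed member of the VPN group
    lan_host = ip_address("192.168.1.50")         # constructed host outside the group
    cases = {
        "vpn host -> UTM resolver, multipath only": (Packet(vpn_host, UTM_DNS, "udp", 53), False),
        "vpn host -> UTM resolver, DNAT + multipath": (Packet(vpn_host, UTM_DNS, "udp", 53), True),
        "vpn host -> public resolver, DNAT + multipath": (Packet(vpn_host, ip_address("198.51.100.53"), "udp", 53), True),
        "lan host -> UTM resolver, DNAT + multipath": (Packet(lan_host, UTM_DNS, "udp", 53), True),
        "vpn host -> web server, DNAT + multipath": (Packet(vpn_host, ip_address("203.0.113.10"), "tcp", 443), True),
    }
    out = {}
    for name, (pkt, dnat) in cases.items():
        resolver, iface = resolve_path(pkt, dnat)
        out[name] = (resolver, iface, leaks(pkt, dnat))
    return out


if __name__ == "__main__":
    for name, (resolver, iface, leaked) in demo().items():
        print(f"{name:48} -> {resolver} via {iface}{'  LEAK' if leaked else ''}")
```

The first case is the situation described in the question: with only a multipath rule, a VPN-group host that queries the UTM's own resolver never matches a rule about the desired DNS server, so the UTM forwards the lookup on its default WAN. Adding the DNAT rule changes what the multipath rule sees, and the same query is then carried to the chosen resolver inside the tunnel. Hosts outside the group keep using the UTM resolver as before, and non-DNS traffic from the group is unaffected.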