
Eliminating DNS leaks for multi-WAN

Hi all

Wondering if there's a way to isolate DNS for individual WAN interfaces? I expect this will require some real trickery to get right; hopefully someone has pulled it off.

1st prize is to have DNS lookups for each WAN interface redirected to a specific DNS server.

Failing that, a way to limit DNS lookups on a single interface to only one allowed DNS server.

Effectively I have three WAN interfaces; one of them directs traffic through a VPN service, which is working fine.

I have set up some network groups so any devices in my 'Systems using VPN' group break out via the VPN tunnel. The issue is that DNS lookups from those devices are still using the UTM DNS servers; I would like to force those to use a specific DNS server only.

Any ideas?



  • Can we assume that each WAN interface is associated with a known set of IP addresses?

    If so, then you should be able to create a series of firewall rules:

    1. <source object 1> to <allowed DNS server> port 53 ALLOW
    2. <source object 1> to <any> port 53 DENY
    3. <source object 2> to <allowed DNS server> port 53 ALLOW
    4. <source object 2> to <any> port 53 DENY
    5. <source object 3> to <allowed DNS server> port 53 ALLOW
    6. <source object 3> to <any> port 53 DENY

    Note however, that Standard Mode web proxy complicates the question, because Standard Mode DNS lookups are performed by UTM, not by the client, so there is no way to segment traffic.

    Also note that every Transparent Mode Profile that you create also enables Standard Mode, using the same configuration settings.

  • Glad to see I am at least on the right track with some solutions. Douglas, I had this in place already but it made no visible difference and I am still getting DNS leaks reported over the VPN.

    I am looking at potentially a combination of all of the proposed solutions here; incidentally I had also implemented the Multipath rules as recommended by apijnappels, but the recommendation of using DNAT may be the missing key to intercept and redirect the DNS requests to the allowed DNS Server...
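Added example (not from the thread or from Sophos UTM): a small Python check that evaluates DNS flows against the per-source-object rule pairs Douglas lists, flags queries a VPN-group host sends anywhere other than its allowed server (the leaks the OP still sees), treats UTM-originated queries as the unattributable Standard Mode proxy case, and shows the destination rewrite the DNAT suggestion would impose. The group names, CIDRs, server addresses and flow records are all constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed policy mirroring the thread's rule pairs: each source object
# (a CIDR here) may send port-53 traffic to exactly one DNS server.
POLICY = {
    "Systems using VPN": (ip_network("10.0.20.0/24"), ip_address("10.8.0.1")),
    "LAN default":       (ip_network("10.0.10.0/24"), ip_address("10.0.10.1")),
}
UTM_ADDRESS = ip_address("10.0.10.1")  # assumed address of the UTM itself

def classify(flow, policy=POLICY, utm=UTM_ADDRESS):
    """Return (group, verdict) for one flow dict with src, dst and dport."""
    if flow["dport"] != 53:
        return (None, "not-dns")
    src, dst = ip_address(flow["src"]), ip_address(flow["dst"])
    if src == utm:
        # Standard Mode web proxy: the UTM resolves on the client's behalf, so
        # the query carries the UTM's address and cannot be tied to a group.
        return ("UTM", "proxy-originated")
    for group, (net, allowed) in policy.items():
        if src in net:  # first matching source object wins, like ordered rules
            return (group, "allow" if dst == allowed else "LEAK")
    return (None, "unmatched")

def find_dns_leaks(flows, policy=POLICY):
    """List (src, dst, group) for queries that escape the group's DNS server."""
    leaks = []
    for f in flows:
        group, verdict = classify(f, policy)
        if verdict == "LEAK":
            leaks.append((f["src"], f["dst"], group))
    return leaks

def dnat_redirect(flow, policy=POLICY):
    """Destination the suggested DNAT rule would impose: every port-53 query
    from a known group goes to that group's server; other traffic is untouched."""
    group, verdict = classify(flow, policy)
    if verdict in ("allow", "LEAK"):
        return str(policy[group][1])
    return flow["dst"]

# Constructed flow records (as they might come from firewall or netflow logs)
SAMPLE_FLOWS = [
    {"src": "10.0.20.15", "dst": "10.8.0.1", "dport": 53},   # VPN host, correct server
    {"src": "10.0.20.15", "dst": "10.0.10.1", "dport": 53},  # VPN host still asking the UTM
    {"src": "10.0.20.22", "dst": "8.8.8.8", "dport": 53},    # VPN host asking a public resolver
    {"src": "10.0.10.40", "dst": "10.0.10.1", "dport": 53},  # LAN host, correct server
    {"src": "10.0.10.1", "dst": "8.8.8.8", "dport": 53},     # UTM itself (proxy lookups)
    {"src": "10.0.20.15", "dst": "10.8.0.1", "dport": 443},  # not DNS
]
```

Running `find_dns_leaks(SAMPLE_FLOWS)` on the constructed records returns the two VPN-group queries that bypass 10.8.0.1; the UTM-sourced query is reported separately because no per-group rule can catch it.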
