
Eliminating DNS leaks for multi-WAN

Hi all

Wondering if there's a way to isolate DNS for individual WAN interfaces? I expect this will require some real trickery to get right; hopefully someone has pulled it off.

1st Prize is to have DNS lookups for each WAN interface redirected to a specific DNS server

Failing that a way to limit DNS lookups on a single interface to only one allowed DNS server;

 

Effectively I have three WAN interfaces; one of them directs traffic through a VPN service, which is working fine.

I have set up some network groups so any devices in my 'Systems using VPN' group break out via the VPN tunnel. The issue is that DNS lookups from those devices are still using the UTM DNS servers; I would like to force those to use a specific DNS server only.

 

Any ideas?



  • Hi John and welcome to the UTM Community!

    I have to admit that your description leaves me a bit confused.  What do you mean by "DNS lookups for each WAN interface?"

    Is apijnappels' suggestion to do something like 'DNAT : Systems using VPN -> DNS -> Internal (Address) : to {specific DNS server}' sufficient for your purposes?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Apologies BAlfson, I might have clicked Reject by mistake for your question, sticky mouse button...

     

    I can best explain what I would like to accomplish as follows:

    WAN 1   Direct breakout     Unique Gateway (.251)

    WAN 2   Direct breakout     Unique Gateway (.254)

    WAN 3   OpenVPN Tunnel   VPN Service Gateway

     

    So basically WAN 1 and 2 are not the issue, they can use any of the DNS servers if necessary (to accommodate failover etc)

    WAN 3 is the actual issue, and any devices on the LAN using WAN 3 need to only use specific DNS servers and not the ones used for WAN 1 and 2

     

    By moving the devices between the three groups I have defined (each group representing a WAN interface, e.g. 'Devices using WAN 1', 'Devices using WAN 2', 'Devices using VPN\WAN3'), I can immediately redirect the device's breakout.
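    What Bob's DNAT suggestion does underneath the UTM GUI, written out as iptables rules. This is an added illustration, not something from the thread or from Sophos: it assumes the VPN group is an ipset named vpn_clients, that the forced resolver (10.8.0.1) is reachable only through the tunnel, and that 192.168.1.1 is the UTM's internal address the clients currently query. It goes one step beyond Bob's rule by rewriting DNS sent to any destination (not just the firewall's address) and rejecting everything else, which is the "only one allowed DNS server" fallback the opening post asked for.

```shell
#!/bin/sh
# Generate (do not apply) the rules that force a device group to one resolver.
# Assumed names/addresses: ipset vpn_clients, resolver 10.8.0.1, UTM LAN 192.168.1.1.
# Usage: dns_force_rules <ipset> <forced_resolver> ; output can be reviewed, then
# piped to sh once you are happy with it.
dns_force_rules() {
  group="$1"     # ipset holding the 'Systems using VPN' members (assumed name)
  resolver="$2"  # DNS server that must be used via the VPN tunnel (assumed)
  for proto in udp tcp; do   # DNS uses both; TCP carries large/truncated answers
    # 1) Rewrite every DNS query from the group, whatever resolver the client
    #    has configured, so it lands on the tunnel-side server.
    printf 'iptables -t nat -A PREROUTING -m set --match-set %s src -p %s --dport 53 -j DNAT --to-destination %s:53\n' \
      "$group" "$proto" "$resolver"
    # 2) Permit the rewritten queries to be forwarded.
    printf 'iptables -A FORWARD -m set --match-set %s src -p %s --dport 53 -d %s -j ACCEPT\n' \
      "$group" "$proto" "$resolver"
    # 3) Reject any DNS from the group that somehow still has another
    #    destination, so nothing leaks out of WAN 1/2 if the DNAT is bypassed.
    printf 'iptables -A FORWARD -m set --match-set %s src -p %s --dport 53 -j REJECT\n' \
      "$group" "$proto"
  done
}

# Count the generated rules; handy for a quick sanity check before applying.
dns_force_rule_count() {
  dns_force_rules "$1" "$2" | wc -l | tr -d ' '
}
```

    Check the DNAT is actually taking effect with the UTM's packet counters (iptables -t nat -L PREROUTING -v -n) while a client in the group resolves a name; the counter on the DNAT rule should increase and nothing should leave WAN 1 or WAN 2 on port 53.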
