This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

DNS Zones, or selective DNS responses based on source IP/Zone

Hey Guys!

This question is more of a "if possible" and "how"... Specific answers are always great, but so would any links to any How-To's, or other documentation explaining how to accomplish this.

So the Subject says it all in a nutshell, but it is possible I am not using the "proper" terms, so here are the details...

My UTM is set to forward and resolve DNS, and the details noted below work fine. My Internal Hosts can resolve DNS on both defined objects noted below, as well as external DNS in general (like google.com)

Let's say I have these internal hosts that resolve to IPs (based on DHCP Reservations and object definition):

Internal1 = 192.168.10.10

Internal2 = 192.168.10.11

And let's say I have these "external" hosts that resolve to IPs (again, based on the object definition):

External1 = 1.2.3.4

External2 = 5.6.7.8

In my current config, if I allow DNS resolution by external hosts, they can resolve those internal hosts, I do not want that.

I want *ALL* my internal hosts to be able to resolve DNS (as they can right now), but I only want to resolve the External hosts for DNS requests sourcing from outside my network.

Is this possible?

If so, how could I accomplish this?



This thread was automatically locked due to age.
Parents
  • I'm not following you, JD.

    "In my current config, if I allow DNS resolution by external hosts, they can resolve those internal hosts, I do not want that.

    "I want *ALL* my internal hosts to be able to resolve DNS (as they can right now), but I only want to resolve the External hosts for DNS requests sourcing from outside my network."

    Can you say that in a different way - maybe with an example or two?  Do you have an internal DNS server or are you using the UTM for that function?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hey, thanks for the response, and sorry I took so long to get back to this; got all tied up with end-of-year work...

    Anyways... On to what I want to accomplish here... I agree that my first question may have been poorly worded.

     

    In the end, I want to be able to dictate which DNS clients get what kind of DNS responses on their requests.

    For example:

    Right now, if I go to the WebAdmin, and in the 'Network Services' -> 'DNS', I currently have only my internal hosts and networks defined here in the 'Allowed Networks'. Currently, this works just fine, and I don't want that behaviour to change.

    Now, I want to be able to respond to DNS requests from the outside world. If I add 'Any' to the 'Allowed Networks', I will respond to ALL DNS requests. I do NOT want this; in this setup, I am not only responding to all public DNS requests (like google.com), as well as my 'Internal' hosts that I have defined (ei; Host1 = 192.168.2.2).

    I would like to dictate that DNS requests from the outside world, will only get responses for specific entries. So for example, a DNS request for google.com will be ignored, along with a request for 'Host1' (as noted in the example above), but 'ExternalHost1' will be responded with whatever IP I define for that host.

    Is this possible with Sophos UTM 9?

  • Yes, but!

    You don't want to offer DNS to the world for even one little thing.  It's an open invitation to the Russian Mafia and the Chinese Military to attack you.  Your public DNS should be handled wholly by your public authoritative name servers.  Internally, configure as in DNS best practice.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I understand the caveats of offering DNS responses to the public. This has been taken into consideration. It is partially for this reason that I ask about selectively responding to DNS requests; there are indeed some DNS Requests that I *DO* want to respond to the public for, just very few.

    As for the internal configs and best practices, this has been read, understood and followed, thanks for the reminder.

    So, you tell me that I can indeed selectively respond to DNS. How would I accomplish this?

Reply
  • I understand the caveats of offering DNS responses to the public. This has been taken into consideration. It is partially for this reason that I ask about selectively responding to DNS requests; there are indeed some DNS Requests that I *DO* want to respond to the public for, just very few.

    As for the internal configs and best practices, this has been read, understood and followed, thanks for the reminder.

    So, you tell me that I can indeed selectively respond to DNS. How would I accomplish this?

Children
  • In thinking through the details, JD, I don't believe it is possible to have different answers for inside and outside queries without a dramatic re-tooling of your entire DNS setup - certainly more effort than I have free time to think through without billing someone. [;)]  Good luck!

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • What, no pro-bono work!? [;)] Then again... You probably do enough of that in these forums as-is.

    While I appreciate the "offer" to do it for me, I honestly would like to figure it out on my own, rather than having it spoon-fed to me (feed a man a fish vs. teach a man fish... I would rather learn). Problem is, I don't know where to even start to begin with... Is there any kind of terminology, or guide, or how-to, or any kind of info you could point me towards on this?

  • Google bind dns split horizon and read the first article. The third method, reconfiguring bind at the command line in the UTM, is the body of the article.

    I would prefer the second method the author mentions - this would involve violating DNS best practice and using just the "Internet" object in DNS 'Allowed Networks'.  That means no Standard mode Web Filtering, all internal DNS requests handled by your internal DNS or public name servers, bypassing the DNS capabilities of the UTM, etc.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA