My wife has been working from home since the start of the pandemic, and has a work-provided desktop PC, using home wireless. It has a config issue with the VPN client, as a result of which I can see all of the DNS traffic intended for their infrastructure on my UTM (DNS hijack, anyone?).
Amongst other things, they have incorrectly configured two DNS servers (192.168.100.1 and 200.1) on the physical (wifi) interface to my home network, when they should have configured them only on their virtual interface. The tunnel is split, and they are using the LAN interface as the default route. As such, I can see all of their DNS traffic on my LAN, destined for (initially) their two DNS servers, then my own DNS. The timeouts for the first two servers introduce delays, then my DNS gives an NXDOMAIN, and they then go to their VPN connection.
I have eliminated the delay by creating a rule to reject the traffic going to their DNS servers via my LAN, and that seems to be working.
It did occur to me that the UTM is actually routing the DNS lookups (to 192.168.100.1) to my ISP, as per the route table, and they are dropping them (well, they're not rejecting them, and they don't get a response). Is there a setting I can use to stop all RFC1918-addressed packets being sent out of my internet interface? The ISP is going to drop them, but I'd rather reject them myself.
I did (briefly) consider just rejecting all traffic destined for a 1918 address, but as I use it extensively across multiple interfaces on my UTM, that won't work. I guess I could add a 'reject' rule (source any internal network, destination any RFC1918 network) at the bottom of my rule list would work, as anything I want to permit has already been allowed, but I can't help thinking I'm missing a best practice somewhere.
Here's another question - where does it say that ISPs should not route packets to RFC1918 networks? it doesn't appear to be in RFC1918.
TIA
Dave
This thread was automatically locked due to age.
