
DNS traffic from SSL VPN clients allowed to any DNS server

Hi all,

While testing some stuff while travelling, I've discovered that my SSL VPN-connected client can make DNS requests to ANY DNS server (home ISP router, Google public DNS, etc.).
That's a little weird to me because my Network Protection --> Firewall --> Rules contain no DNS-based rules at all; I rely on my UTM DNS server, which forwards requests to my home ISP router.

I've been under the impression that with no matching rules, traffic should be denied. Am I wrong here?

Also, I've verified from a home LAN-based host via RDP that the LAN hosts have no DNS access to any DNS server other than my UTM DNS server; any other attempts at UDP 53 are dropped. The live logs show a Default DROP hit for such traffic, although via the SSL VPN it passes through.

Any ideas are welcome.

Cheers,
m.



  • What does your VPN profile specify for local networks? It sounds like you have a split tunnel, and the unwanted traffic is bypassing the tunnel completely.

    I also recommend assuming nothing about default rules. See my architecture document in the Wiki.

  • Hi there,

    So I've sorted myself out. To reply to your question: full tunnel configuration, no split tunnel, and full DNS leak avoidance (local ISP DNS replaced with bogus information; the only DNS available is the UTM).

    It turns out that the UTM SSL VPN setup proposes by default to set the firewall rules automatically, allowing SSL VPN users/groups to any/any as rule number 1 on the FW. So of course no other rules were processed, as all the SSL VPN clients' traffic hit that rule first, so no further rule processing.

    So I've simply reconfigured the SSL VPN server without the automatic rules, and all the SSL VPN clients' traffic is now fully regulated by my inserted rules. Also, if there is no match, the default is drop, so my assumptions were correct.

    Thanks,
    Regards,
    m. 
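The rule-ordering effect described in that reply, as an added example (not code from the thread or from Sophos UTM): a first-match rule evaluator over constructed addresses (UTM resolver 10.0.0.1, SSL VPN pool 10.242.2.0/24, LAN 192.168.1.0/24) showing that the wizard's "SSLVPN users -> Any" rule at position 1 shadows the DNS rules for VPN clients only, while LAN hosts are still caught by them, and that without it unmatched traffic falls to the default drop.

```python
# Added example, not from the thread: a first-match firewall evaluator that
# reproduces the shadowing caused by the wizard's automatic SSL VPN rule.
# All addresses are constructed: UTM 10.0.0.1, VPN pool 10.242.2.0/24,
# LAN 192.168.1.0/24.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src: str              # CIDR or "any"
    dst: str              # CIDR or "any"
    proto: str            # "udp", "tcp" or "any"
    dport: Optional[int]  # None = any destination port
    action: str           # "allow" or "drop"


def _in(net: str, addr: str) -> bool:
    return net == "any" or ip_address(addr) in ip_network(net, strict=False)


def evaluate(rules: List[Rule], src: str, dst: str, proto: str,
             dport: int) -> Tuple[str, str]:
    """First matching rule decides; no match falls to the implicit drop,
    which is how the UTM rule table behaves."""
    for r in rules:
        if (_in(r.src, src) and _in(r.dst, dst)
                and r.proto in ("any", proto)
                and r.dport in (None, dport)):
            return r.action, r.name
    return "drop", "Default DROP"


# Rule the SSL VPN wizard inserts at position 1 when automatic rules are on.
AUTO_RULE = Rule("SSLVPN users -> Any", "10.242.2.0/24", "any", "any", None, "allow")
# The operator's own policy: DNS only to the UTM resolver, everything else dropped.
DNS_RULES = [
    Rule("DNS to UTM", "any", "10.0.0.1/32", "udp", 53, "allow"),
    Rule("Block other DNS", "any", "any", "udp", 53, "drop"),
]
WITH_AUTO = [AUTO_RULE] + DNS_RULES    # what the wizard produced
WITHOUT_AUTO = DNS_RULES               # after the automatic rule was removed

if __name__ == "__main__":
    for label, table in (("with auto rule", WITH_AUTO), ("without auto rule", WITHOUT_AUTO)):
        for src in ("10.242.2.10", "192.168.1.5"):  # VPN client, then LAN host
            print(label, src, "-> 8.8.8.8:53/udp", evaluate(table, src, "8.8.8.8", "udp", 53))
```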

  • Hi,

    I have a site-to-site SSL full tunnel.

    The site is connected and working.

    Let's say from site B, when I go to whatsmyip I get the IP from site A, and this is a good thing.

    But when I do a DNS leak test I still get DNS from site B; this is not good.

    When I do a DNS leak test from site A I get the correct ISP DNS.

    How do I fix this?

    There are services I want to reach from site B over the IP and DNS from site A.

    I need help please.

    gritz

  • Please compare your configuration to DNS best practice.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Yes,

    check pic.

    Need some help here.... thanks

  • Are you using Standard mode web proxy? If so, the proxy address is used for the connection to Google for asking "what is my IP?". This action will be independent of any other traffic routing, including DNS lookups.

  • No, using transparent mode here.

  • Why is "USB External NIC" in either of those pictures?

    Is all the rest of your configuration as detailed in the DNS Best Practice post linked to above?

    Cheers - Bob

  • Yes, I think it is.

    The external NIC is used for a second LAN.

    The UTM is hosted in Hyper-V, for the internal VMs as well as for physical computers (USB External NIC).

  • What are you doing to prevent the outside world from using/attacking your DNS and HTTP Proxy?

    Cheers - Bob

  • I'm going to ask the question differently.

    As an example, the details of a public WiFi I'm connected to:

    IP WAN:           12.123.12.13
    ISP DNS:          214.23.45.220
                      214.23.45.240
    IP My Laptop:     192.168.0.10
    Subnet Mask:      255.255.255.0
    Default Gateway:  192.168.0.1
    DHCP Server:      192.168.0.1
    DNS Server:       192.168.0.1

    Now when I go to whatismyip.com or some dnsleak.com site and run a test, I get the details listed above, and this is correct.

    So now I turn on my full tunnel SSL VPN to home, and I'm supposed to get the details from home.

    So when going to something like Netflix I can still get to my content, because the DNS of the public IP is used and not the DNS from home.

    When I double-check this by going to whatever DNS leak test site, it confirms that I'm using the public WiFi DNS names.

    When connected with the full SSL VPN I want all traffic to go out from my home ISP, so IP and DNS from home.