
DNS traffic from SSL VPN clients allowed any DNS server

 Hi all,

While testing some stuff on travel, I've discovered that my SSL VPN-connected client can make DNS requests to ANY DNS server (home ISP router, Google public DNS, etc.).
That's a little weird to me because my Network Protection --> Firewall --> Rules are completely free of DNS-based rules; I rely on my UTM DNS server, which forwards requests to my home ISP router.

I've been under the impression that with no matching rules, traffic should be denied. Am I wrong here?

Also, I've verified from a home LAN-based host via RDP that the LAN hosts have no DNS access to any DNS server other than my UTM DNS server; any other attempts at UDP 53 are dropped. The live logs show Default DROP hits for such traffic, although via the SSL VPN it passes through.

Any ideas are welcome.

Cheers,
m.



  • So, let me say this in my words and you can tell me if I've understood correctly:

    When you connect via VPN to your home UTM, you want your client to get DNS from your home UTM, not from the LAN you're in.

    In that case, this will be very difficult to configure for a site-to-site and would require manual intervention to make the changes for your client.

    The only practical approach is Remote Access.  In your home UTM, configure an SSL VPN Profile with your username in 'Users and Groups', your LAN and "Internet" in 'Local Networks' and with 'Automatic firewall rules' selected.  In DNS, add the "username (User Network)" object to 'Allowed Networks'.  I would also do the same in Web Filtering.

    Of course, you will also need a masq rule like 'VPN Pool (SSL) -> External'.

    Note that both before you connect and after you disconnect, you will want to do an ipconfig /flushdns on your client PC.

    Any better luck with all of that?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I'm going to ask the question differently.

    As an example, the details of a public wifi I'm connected to:

    IP WAN:           12.123.12.13
    ISP DNS:          214.23.45.220
                      214.23.45.240
    IP My Laptop:     192.168.0.10
    Subnet Mask:      255.255.255.0
    Default Gateway:  192.168.0.1
    DHCP Server:      192.168.0.1
    DNS Server:       192.168.0.1

    Now when I go to whatismyip.com or some dnsleak.com site and run a test, I get the details listed above, and this is correct.

    So now I turn on my full-tunnel SSL VPN to home, and I'm supposed to get the details from home.

    So when going to something like Netflix I can still get to my content, because the DNS of the public IP is used and not the DNS from home.

    When I double-check this by going to whatever DNS leak test site, it confirms that I'm using the public wifi DNS names.

    When connected with the full SSL VPN I want all traffic to go out from my home ISP, so IP and DNS from home.
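A client-side check in the spirit of the leak tests mentioned in this post and in the opening question, added here as an example that is not from the thread or from Sophos: it takes the resolver list a client reports (`ipconfig /all` on Windows or `resolv.conf` on Linux/macOS) and flags every resolver that is not the tunnel-side DNS you expect, so a local gateway or public resolver shows up as a leak before any traffic is sent. The sample output and all addresses in it are constructed, and 10.242.2.1 is an assumed stand-in for the UTM's DNS address inside the SSL VPN pool.

```python
import ipaddress

# Constructed sample of `ipconfig /all` output from a laptop on public Wi-Fi
# with the full-tunnel SSL VPN connected (all addresses are invented).
SAMPLE_IPCONFIG = """\
Wireless LAN adapter Wi-Fi:
   IPv4 Address. . . . . . . . . . . : 192.168.0.10
   Default Gateway . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 192.168.0.1
                                       8.8.8.8
Unknown adapter Local Area Connection 2:
   IPv4 Address. . . . . . . . . . . : 10.242.2.6
   DNS Servers . . . . . . . . . . . : 10.242.2.1
"""


def _as_ip(text):
    """Parse an address, dropping a Windows IPv6 zone suffix like '%12'."""
    try:
        return ipaddress.ip_address(text.strip().split("%")[0])
    except ValueError:
        return None


def parse_dns_servers(output: str) -> list[str]:
    """Collect every DNS server from ipconfig /all or resolv.conf style text.
    ipconfig lists extra servers on bare continuation lines after 'DNS Servers'."""
    servers, in_dns = [], False
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("nameserver "):
            servers.append(line.split()[1])
            in_dns = False
        elif line.startswith("DNS Servers"):
            addr = _as_ip(line.split(":", 1)[1])
            in_dns = True
            if addr:
                servers.append(str(addr))
        elif in_dns and _as_ip(line):
            servers.append(str(_as_ip(line)))
        else:
            in_dns = False
    return servers


def dns_leak_report(output: str, tunnel_dns: list[str]) -> dict:
    """Split the client's resolvers into those inside the expected tunnel-side
    ranges and those outside (local gateway, ISP or public DNS = a leak)."""
    allowed = [ipaddress.ip_network(n, strict=False) for n in tunnel_dns]
    expected, leaking = [], []
    for s in parse_dns_servers(output):
        addr = _as_ip(s)
        (expected if addr and any(addr in n for n in allowed) else leaking).append(s)
    return {"expected": expected, "leaking": leaking, "leak": bool(leaking)}
```

Run it with the address (or pool) of the DNS server you expect the tunnel to hand out; anything listed under `leaking` is a resolver the VPN did not override.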

  • What are you doing to prevent the outside world from using/attacking your DNS and HTTP Proxy?

    Cheers - Bob

  • Yes, I think it is.

    The external NIC is used for a second LAN.

    The UTM is hosted in Hyper-V for the internal VMs as physical computers (USB External NIC).

  • Why is "USB External NIC" in either of those pictures?

    Is all the rest of your configuration as detailed in the DNS Best Practice post linked to above?

    Cheers - Bob

  • No, using transparent mode here.

  • Are you using Standard mode web proxy? If so, the proxy address is used for the connection to Google for asking "what is my IP?". This action will be independent of any other traffic routing, including DNS lookups.

  • Yes,

    check pic

    Need some help here.... thanks

  • Please compare your configuration to DNS best practice.

    Cheers - Bob

  • Hi,

    I have a site-to-site SSL full tunnel.

    The site is connected and working.

    Let's say from site B when I go to whatsmyip I get the IP from site A, and this is a good thing.

    But when I do a DNS leak test I still get DNS from site B; this is not good.

    When I do a DNS leak test from site A I get the correct ISP DNS.

    How to fix this?

    There are services I want to reach from site B over the IP and DNS from site A.

    I need help please.

    gritz