Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 5 replies
  • Subscribers 4 subscribers
  • Views 2541 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

VPN external and internal DNS requests

Stefan Duering

Hello,

I haven't understood the DNS settings yet.

What I want to achieve:

  • VPN clients should ask company DNS servers for all names host.company.com.
  • VPN clients should ask their "local" DNS server for all other names.

My problem is:
When I connect to VPN in Windows 10 it seems that every DNS request is sent to company DNS-Servers.


In UTM I configured following:

1) Network Services => DNS => Global
   Allowed Networks => <Company IP-Range for VPN clients> (XX.YY.1.0/24)

2) Network Services => DNS => Forwarders
   <dns1.company.com>
   <dns2.company.com>
 
3) Network Services => DNS => Request Routing
   Domain = company.com
   Target Servers = <dns1.company.com>, <dns2.company.com>

4) Remote Access => Advanced
   DNS server #1 = <dns1.company.com>
   DNS server #2 = <dns2.company.com>
   Domain = company.com



The client output of ipconfig /all is (I shortened it.):

Ethernet-Adapter Ethernet 2:

   Connection-specific DNS-Suffix    : company.com
   Description . . . . . . . . . . . : Sophos SSL VPN Adapter
   ...
   IPv4-Adress   . . . . . . . . . . : XX.YY.1.21(Preferred)
   Subnet mask   . . . . . . . . . . : 255.255.255.0
   DNS-Servers . . . . . . . . . . . : <dns1.company.com>
                                       <dns2.company.com>
   Primary WINS-Server. .  . . . . . : <wins1.company.com>
   Secondary WINS-Server. . .  . . . : <wins2.company.com>
   ...

Ethernet-Adapter Ethernet:

   Connection-specific DNS-Suffix    : fritz.box
   Description. . . . .  . . . . . . : Realtek PCIe GBE Family Controller
   ...
   IPv4-Adress   . . . . . . . . . . : 192.168.99.102(Preferred)
   Subnet mask   . . . . . . . . . . : 255.255.255.0
   ...
   Default Gateway . . . . . . . . . : 192.168.99.1
   DHCP-Server . . . . . . . . . . . : 192.168.99.1
   DHCPv6-IAID . . . . . . . . . . . : 153888727
   DHCPv6-Client-DUID. . . . . . . . : 00-01-00-01-25-DA-1A-A3-2C-27-D7-3F-EF-7B
   DNS-Server  . . . . . . . . . . . : 192.168.99.1
   NetBIOS über TCP/IP . . . . . . . : Aktiviert


What am I missing?


Thanks
Stefan



This thread was automatically locked due to age.
  • FormerMember
    0 FormerMember

    Hi ,

    Thanks for reaching out to the Community! 

    Did you configure SSL Remote VPN in a full or split tunnel? 

    Thanks,

  • 0

    Hallo Stefan and welcome to the UTM Community!

    Not sure how you have DNS setup overall.  DNS best practice is a compilation of ideas from some of the smartest participants here over the years.  I would configure like that, make the UTM the first Remote Access DNS Server, a public name server (like 8.8.4.4) the second one, and create a Request Route in 'Network Services >> DNS' for your domain.  That won't get their name server requests to their "local" DNS server, but it will successfully get only the desired requests to your company DNS servers.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to FormerMember

    Hi Harsh Patel,

    yes, we configured a split tunnel. Only traffic (and DNS request) for our company should go through the tunnel.

  • 0 in reply to BAlfson

    Hello Bob,

    thanks. I read DNS best practise already and made the setting that I wrote in my first post.

    I can see a different behaviour in Windows and Linux.

    In Windows every DNS request goes to our company DNS server regardless of the domain.

    In Linux it seems that every request goes to public servers.

    In particular, the Request Routing setting seems to be treated differently by Windows and Linux.

  • 0 in reply to Stefan Duering

    I wonder if this is something because of where a client gets the IP address from, whether it is Windows or the UTM because of the information assigned by DHCP.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

Unfiltered HTML