
VPN external and internal DNS requests

Hello,

I haven't understood the DNS settings yet.

What I want to achieve:

  • VPN clients should ask company DNS servers for all names host.company.com.
  • VPN clients should ask their "local" DNS server for all other names.

My problem is:
When I connect to the VPN in Windows 10, it seems that every DNS request is sent to the company DNS servers.


In the UTM I configured the following:

1) Network Services => DNS => Global
   Allowed Networks => <Company IP-Range for VPN clients> (XX.YY.1.0/24)

2) Network Services => DNS => Forwarders
   <dns1.company.com>
   <dns2.company.com>
 
3) Network Services => DNS => Request Routing
   Domain = company.com
   Target Servers = <dns1.company.com>, <dns2.company.com>

4) Remote Access => Advanced
   DNS server #1 = <dns1.company.com>
   DNS server #2 = <dns2.company.com>
   Domain = company.com



The client output of ipconfig /all is (shortened):

Ethernet-Adapter Ethernet 2:

   Connection-specific DNS-Suffix    : company.com
   Description . . . . . . . . . . . : Sophos SSL VPN Adapter
   ...
   IPv4-Adress   . . . . . . . . . . : XX.YY.1.21(Preferred)
   Subnet mask   . . . . . . . . . . : 255.255.255.0
   DNS-Servers . . . . . . . . . . . : <dns1.company.com>
                                       <dns2.company.com>
   Primary WINS-Server. .  . . . . . : <wins1.company.com>
   Secondary WINS-Server. . .  . . . : <wins2.company.com>
   ...

Ethernet-Adapter Ethernet:

   Connection-specific DNS-Suffix    : fritz.box
   Description. . . . .  . . . . . . : Realtek PCIe GBE Family Controller
   ...
   IPv4-Adress   . . . . . . . . . . : 192.168.99.102(Preferred)
   Subnet mask   . . . . . . . . . . : 255.255.255.0
   ...
   Default Gateway . . . . . . . . . : 192.168.99.1
   DHCP-Server . . . . . . . . . . . : 192.168.99.1
   DHCPv6-IAID . . . . . . . . . . . : 153888727
   DHCPv6-Client-DUID. . . . . . . . : 00-01-00-01-25-DA-1A-A3-2C-27-D7-3F-EF-7B
   DNS-Server  . . . . . . . . . . . : 192.168.99.1
   NetBIOS über TCP/IP . . . . . . . : Aktiviert
   


What am I missing?


Thanks
Stefan
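As an added example that is not part of the original post, the following PowerShell shows how to check, on the Windows 10 client described above, which DNS servers each interface actually carries and how a Name Resolution Policy Table (NRPT) rule can pin only the company.com suffix to the company resolvers while other names keep using the interface servers. The adapter name and the two server IPs are assumed placeholders standing in for dns1/dns2.company.com.

```powershell
# Added example (not from the thread): inspect per-interface DNS on a Windows 10
# VPN client and pin the company suffix to the company resolvers via NRPT.
# Placeholders: adjust the adapter alias and server addresses to your environment.
$VpnAdapter  = 'Ethernet 2'                 # "Sophos SSL VPN Adapter" in the ipconfig output
$CompanyZone = '.company.com'               # leading dot = the suffix and every name below it
$CompanyDns  = @('10.0.0.53', '10.0.0.54')  # placeholders for dns1/dns2.company.com

# 1) Every connected IPv4 interface with its metric and configured DNS servers.
#    The interface metric influences which interface's servers Windows tries first,
#    which is how a VPN adapter can end up receiving lookups for all domains.
Get-NetIPInterface -AddressFamily IPv4 |
    Where-Object ConnectionState -eq 'Connected' |
    ForEach-Object {
        $servers = (Get-DnsClientServerAddress -InterfaceIndex $_.InterfaceIndex `
                        -AddressFamily IPv4).ServerAddresses
        [pscustomobject]@{
            Interface  = $_.InterfaceAlias
            Metric     = $_.InterfaceMetric
            DnsServers = ($servers -join ', ')
        }
    } | Sort-Object Metric | Format-Table -AutoSize

# 2) Verify resolution paths. -DnsOnly forces a real DNS query instead of the
#    hosts file, LLMNR or NetBIOS. The first query is sent explicitly to dns1;
#    the second lets Windows pick the server, which is what the client normally does.
Resolve-DnsName -Name "host$CompanyZone" -Server $CompanyDns[0] -Type A -DnsOnly `
    -ErrorAction SilentlyContinue
Resolve-DnsName -Name 'www.example.com' -Type A -DnsOnly -ErrorAction SilentlyContinue

# 3) Show existing NRPT rules (a default client has none).
Get-DnsClientNrptRule | Format-Table Namespace, NameServers, Comment -AutoSize

# 4) Pin only *.company.com to the company resolvers. Names that match no NRPT
#    namespace continue to use the interface DNS servers. Needs an elevated shell.
if (-not (Get-DnsClientNrptRule | Where-Object Namespace -eq $CompanyZone)) {
    Add-DnsClientNrptRule -Namespace $CompanyZone -NameServers $CompanyDns `
        -Comment 'Split DNS for VPN clients (added example)'
}

# Confirm the VPN adapter itself still lists the company servers it got from the UTM.
Get-DnsClientServerAddress -InterfaceAlias $VpnAdapter -AddressFamily IPv4 |
    Select-Object InterfaceAlias, ServerAddresses
```

Run step 1 and 2 before and after adding the rule to compare where company and public names are answered from; remove the rule again with Remove-DnsClientNrptRule if it is not wanted.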



  • Hallo Stefan and welcome to the UTM Community!

    Not sure how you have DNS set up overall.  DNS best practice is a compilation of ideas from some of the smartest participants here over the years.  I would configure it like this: make the UTM the first Remote Access DNS server, a public name server (like 8.8.4.4) the second one, and create a Request Route in 'Network Services >> DNS' for your domain.  That won't get their name server requests to their "local" DNS server, but it will successfully get only the desired requests to your company DNS servers.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello Bob,

    thanks. I read DNS best practice already and made the settings that I wrote in my first post.

    I can see a different behaviour in Windows and Linux.

    In Windows every DNS request goes to our company DNS server regardless of the domain.

    In Linux it seems that every request goes to public servers.

    In particular, the Request Routing setting seems to be treated differently by Windows and Linux.

  • I wonder if this is something because of where a client gets the IP address from, whether it is Windows or the UTM because of the information assigned by DHCP.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)