
Prevent DNS Request Override

Hello!

I'm using a DNS content filtering service (Clean Browsing) and am trying to specify different DNS servers for different zones so that different DNS filtering policies are applied, by setting the DNS servers in each specific zone's DHCP settings and then allowing only those DNS servers through via a firewall rule.  Clean Browsing allows you to create profiles with different DNS filter categories and generates new DNS server IPs for each specific profile.  So clients pointing to Clean Browsing's DNS Server IP A from my WAN address get a different DNS filter policy than those pointed at DNS IP B.

I'm noticing that regardless of the DNS server the client is set to use, the DNS servers set in the DNS tab of the network settings are the ones that end up being used (XG intercepting the DNS traffic?).  To test this, I set a client to specifically use OpenDNS via DHCP settings, verified the setting was applied via ipconfig /all, and tested against a known FQDN OpenDNS blocks.  To my surprise, I received the blocked page of the other DNS content filtering provider that was specified in the DNS tab of the XG.  If I change the server in that tab to OpenDNS, I do receive the OpenDNS blocked page.  Changing whether "DNS" is enabled in the zone configuration page does not seem to make a difference.

I need a way to specify DNS servers for each network zone so that different DNS filtering policies are applied by the DNS content filter.  Is this possible?

Thanks for any ideas/help you can provide!

  • Hi,

    If you are using the XG as a DHCP server you can set the DNS in the IP scope.

    I am trying to understand what you are trying to achieve by using DNS filtering; you can achieve the same thing by building web and application policies and applying them to user groups.

    Are you using an AD for your users' authentication and to group them?

    Please provide a network diagram to assist in developing answers for you.

    Thank you

    Ian

  • Hi and thanks for the response!

    I'm trying to use CleanBrowsing.org as a second set of content filters since their threat intel feed seems to be a little more thorough than what the XG provides in Web Filtering.

    For simplification, let's say I have two zones:  Zone A and Zone B.  Both are separate networks/VLAN interfaces.

    CleanBrowsing provides me with two sets of DNS servers:  DNS Server A and DNS Server B.  They both have different filters applied at CleanBrowsing (DNS sinkholing).

    I have Zone A set to use DNS Server A and Zone B set to use DNS Server B via DHCP assignments.  The Sophos XG appliance is configured to use DNS Server A in the Network > DNS page.

    Clients in Zone A receive responses from DNS Server A.  As expected.

    DNS queries in Zone B should result in an answer from DNS Server B (clients are receiving the DNS server assignment from DHCP correctly and a FW rule is in place for DNS traffic), but they do not.  They result in responses from DNS Server A.

    If I change the DNS Server on the XG's settings (Network > DNS) from DNS Server A to DNS Server B, both zones receive DNS query responses from DNS Server B.

    It appears that the setting on the XG in Network > DNS is intercepting/overriding what server the client is specifying in its queries.

  • Hi Ian, appreciate the response!

    I understand that VLANs are L3 and each one does have its own interface, and thus, DHCP scope.  Use Device DNS Settings is not checked. Firewall rules are in place for DNS access to OpenDNS and CleanBrowsing on both networks.

    I have set my Zone A (main network) to use my Domain Controllers for DNS (with forwarders to CleanBrowsing) in DHCP and Zone B (guest network) to use OpenDNS in DHCP.

    Zone A:

    Zone B:

    DNS Configuration in the XG is set to CleanBrowsing:

    Clients in Zone A perform as expected.

    Clients in Zone B are receiving DNS query results from CleanBrowsing instead of OpenDNS.  Here are screenshots of a client on Zone B with DNS settings pointing to OpenDNS per the assignment via DHCP, but not receiving queries from OpenDNS (OpenDNS provides a blocked page for internetbadguys.com when responding to queries).

    But when I go to badexample.com, the test page for CleanBrowsing, I get their blocked page, which only happens if CleanBrowsing's DNS servers are responding:

    This is what doesn't make sense.  The client indicates it is using OpenDNS, but it is using CleanBrowsing in actuality.

    NOW, if I change the DNS Configuration in the XG to use OpenDNS:

    The same client on Zone B (no changes to DHCP settings at all, network status on phone still shows OpenDNS is assigned via DHCP) is suddenly using OpenDNS for resolution:

    internetbadguys.com shows the OpenDNS blocked page and badexample.com does NOT show the CleanBrowsing blocked page:

    So this is the unexplained behavior.  The client is querying the DNS servers set in the XG DNS Configuration rather than those applied via DHCP.

    Any thoughts?

  • Hi James,

    I think you are confusing yourself a little bit. The settings you are changing in the DNS page are the settings the XG uses to resolve URL requests.

    The settings in the DHCP server are what you tell your clients to use and you would need rules to allow the traffic out.

    If you look at a configuration in the device what does it show as its DNS?

    You would not point any of your devices at the XG for DNS functions.

    Ian

  • Hi Ian,

    That is exactly what I would expect to happen.  I expect the clients to use the servers applied via DHCP (and allowed via FW rule) to resolve DNS, but that isn't the case.

    My devices are not pointed at the XG; they are pointed directly at either my Domain Controllers (Zone A) or OpenDNS (Zone B).  As shown above, you can see the iPhone with OpenDNS set as the DNS server as applied via DHCP, but still being able to resolve the CleanBrowsing blocked page (unresolvable to the access denied page UNLESS you are resolving via CleanBrowsing) (CleanBrowsing is what was configured for XG resolution).

    I only brought up the XG DNS config because changing that setting changes what servers the client is using to resolve DNS queries, even though the DNS servers listed on the client as received by DHCP do not change. The client lists OpenDNS's servers, but is able to resolve CleanBrowsing-only domains (blocked page), which wouldn't happen if it was truly using OpenDNS as shown as applied via DHCP.

    Maybe I'm not properly communicating the issue, but I don't think we're on the same page.

    Thanks again for taking the time to respond,

    James

  • Maybe you are not understanding my responses because I haven't made myself 100% clear. If the XG is showing up as part of your DNS queries then something on your network is pointing at the XG.

    If you look at the log viewer, specifically looking for port 53, what devices do you see sending requests? Remember the XG will be sending its own requests for checks in the application and web rules, as well as lookups for its own updates, but not providing name resolution for clients unless, as I said, one or more is pointing at the XG DNS.

    Ian

  • XG is not explicitly showing up as part of a query.  The behavior I appear to be seeing is as if the XG is intercepting any DNS query transparently and running it against the DNS server configured on the XG.  Not saying that's what's happening, but that's what it looks like to me.

    Nothing on the network is pointing to the XG for DNS.  The clients are either pointing to my Domain Controllers (Zone A) or directly at OpenDNS (Zone B).

    I see in the firewall log (once logging is enabled) that the client (Zone B with OpenDNS configured as DNS via DHCP) is sending the query with OpenDNS as the destination IP, but the results returned are still those of CleanBrowsing (the server specified in the XG DNS config).

  • Where are your DNS rules in your rules list, at the top?

    You do raise an interesting point about the XG DNS, which it must do, otherwise it cannot perform lookups for the web and application policies. But the response should not be part of the user interaction, just within the XG functions.

    FloSupport or ManBearPig might be able to provide more insight to your issue.

    Ian

  • I figured it out: I had a web policy applied to Zone B, and when I set it to "None", I started to see the expected results (OpenDNS blocked page).  I suppose the transparent proxy is doing its own DNS lookup and then loading the page rather than relying on what the client is requesting.  Not incredibly intuitive, but technically that makes sense.

    Thanks for helping me think through this, much appreciated!

  • Do you perhaps have Web Pharming Protection turned on?  Web > General Settings > Pharming Protection

    Pharming Protection is used in transparent mode to ignore the client's destination and look up DNS on its own.  It is specifically used to mitigate attacks that poison the hosts files.  For web traffic that goes through the proxy only, it will force it to use the XG's DNS.

    You can turn it off and then apply a web policy again (you should also turn on HTTP malware scanning which it sounds like you have off).
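One way to separate the two paths this thread conflates (the client's own DNS query versus the lookup the transparent proxy performs on the client's behalf), as an added example that is not code from the thread or from Sophos: a minimal probe that sends an A query straight to one chosen resolver over UDP/53 and parses the answer, bypassing the OS stub resolver. If the per-zone resolver answers as expected here but the browser still shows the other provider's block page, the divergence is in the HTTP path (the proxy resolving on its own, as Pharming Protection does), not in the client's DNS. The `SAMPLE_RESPONSE` bytes are a constructed response (not a capture) so the parser can be exercised offline.

```python
import os
import socket
import struct

def build_query(name, qid):
    """Standard recursive A/IN query for `name` with transaction id `qid`."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at `off`."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:  # compression pointer: two bytes, and the name ends
            return off + 2
        off += ln + 1

def parse_a_records(msg, qid):
    """Return the IPv4 addresses in the answer section; reject a wrong id."""
    rid, _flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if rid != qid:
        raise ValueError("transaction id mismatch: not our answer")
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs

def resolve_via(name, server, timeout=3.0):
    """Ask one specific resolver directly, e.g. the one DHCP hands out in a zone."""
    qid = int.from_bytes(os.urandom(2), "big")  # random id so stray replies are rejected
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_records(data, qid)

# Constructed sample reply (not a real capture): badexample.com -> 192.0.2.1, id 0x1234
SAMPLE_RESPONSE = (
    struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x0abadexample\x03com\x00" + struct.pack(">HH", 1, 1)
    + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
)
```

Run `resolve_via("badexample.com", "<zone resolver IP>")` from a client in each zone and compare the addresses with what the browser actually lands on; a matching DNS answer plus a mismatching block page points at the proxy's own lookup.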

  • This was it.  Didn't even think about that option, but it makes sense.  Thanks!

    Any chance Pharming Protection could be set per web filtering policy or something similar in the future?

  • james3820 said:

    Any chance Pharming Protection could be set per web filtering policy or something similar in the future?

    Not in the plans and unlikely, though you could always submit/vote for it at https://ideas.sophos.com/

    For any configuration that we put into policy we need to consider what happens if "Allow All" or "None" are selected in the firewall rule, which don't have a "policy" that you can edit.  For example we recently moved SafeSearch into policy, which means that anyone choosing Allow All must always have SafeSearch off.  This is balanced against customers' need to have different settings for different traffic.