How to do transparent DNAT of DNS queries?

Hello,

Unfortunately, this cannot be done at present on the XG.  You can find a feature request here:

ideas.sophos.com/.../32116999-user-dnat-rules

Unbelievable. 

In this case, can someone help me create a workaround? 

Currently the XG has the following settings: Administration => Device Settings =>All zones except WAN have DNS checked. 

I think this means that clients from every zone except WAN is allowed to use the XG as their DNS server, right? 

I think I could create a workaround with 2 rules: 

a) allow DNS traffic from the XG to ANY

b) block DNS traffic from ANY to ANY

Since the rules are being applied in order this should stop anyone changing their own DNS settings so rather than transparently making them use the DNS of my choice I simply disallow the use of any other DNS. 

I'm just not sure how to create rule a) as I don't know how to select the XG as the source device. Do I need to create a new source IP and use the XG's LAN IP?

Hi,

Alternatively why not create a block rule at the top to stop any external DNS access.

How many LANs are configured on your XG?

You would not need a rule to allow the XG to access the external DNS because the access is from the external interface which in controlled by firewall rules (my opinion).

Ian

deleted incorrect suggestion.

Hi,

Alternatively why not create a block rule at the top to stop any external DNS access.

How many LANs are configured on your XG?

You would not need a rule to allow the XG to access the external DNS because the access is from the external interface which in controlled by firewall rules (my opinion).

Ian

deleted incorrect suggestion.

Hello Ian,

In order for your suggestion to work he would need to set the XG as the DNS server in the DHCP settings.  Otherwise, the XG would simply pass the DNS server IPs to the internal clients and the internal clients would attempt to contact the DNS servers directly which would be blocked by your firewall rule suggestion.

Hi Casual_user,

he is using an internal DNS which points at the XG DNS so the firewall rule would block all external DNS requests from the LAN.

Ian

Just to give some more info: 

Currently the DC also has the DHCP and DNS roles (hopefully to be changed soon) thus DHCP is configured in such a way that all clients use the DC as DNS and the DC then uses the XG as forwarder while the XG uses my ISPs DNS. (I hope I haven't mixed up the terminology here). 

Unfortunately, I have a couple of workstations where non-IT personnel has admin rights. it is these that I want to stop from manually changing their DNS to an external one. obviously a transparent DNAT of DNS requests would be the easiest way but since its not yet possible I am looking for a workaroudn to fix exactly this one issue.

btw. I foudn this thread which sounds like Web > General Settings >  Pharming Protection would intercept DNS queries but I can't even find that menu on my XG.

community.sophos.com/.../387129

Take a look at this KBA: https://community.sophos.com/kb/en-us/132634

Pharming Protection is hidden in the gui.

You have to expand the advanced settings.