
How to do transparent DNAT of DNS queries?

Here is the scenario:

- XG 135 

- all clients get DNS settings via DHCP pointing them to the domain controller which does DNS

- domain controller resolves its DNS queries to the XG

- XG resolves DNS queries via my ISP DNS server and 8.8.8.8 as fallback

 

I would like to create a rule which grabs every DNS query going to to through the WAN to be pointed to the XG itself, basically a protection in case someone manages to change his DNS to an external DNS server. Not sure where and how this rule should be created. Any hints?



  • Hello,

    Unfortunately, this cannot be done at present on the XG.  You can find a feature request here:

    ideas.sophos.com/.../32116999-user-dnat-rules

  • Unbelievable.

    In this case, can someone help me create a workaround?

     

    Currently the XG has the following settings: Administration => Device Settings =>All zones except WAN have DNS checked. 

    I think this means that clients from every zone except WAN is allowed to use the XG as their DNS server, right? 

     

    I think I could create a workaround with 2 rules: 

    a) allow DNS traffic from the XG to ANY

    b) block DNS traffic from ANY to ANY

     

    Since the rules are being applied in order this should stop anyone changing their own DNS settings so rather than transparently making them use the DNS of my choice I simply disallow the use of any other DNS. 

     

    I'm just not sure how to create rule a) as I don't know how to select the XG as the source device. Do I need to create a new source IP and use the XG's LAN IP?

  • Hi,

    Alternatively why not create a block rule at the top to stop any external DNS access.

    How many LANs are configured on your XG?

    You would not need a rule to allow the XG to access the external DNS because the access is from the external interface, which is controlled by firewall rules (my opinion).

    Ian

     

    deleted incorrect suggestion.
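To make the ordering argument above concrete, here is an added example (not code from the thread, Sophos or the XG) that models the two approaches discussed so far as a first-match rule evaluator, plus the transparent DNAT step the original post asked for. Everything in it is an assumption for illustration: the addresses and subnets, a DMZ zone that the poster's network may not have, and the simplification, following Ian's remark, that traffic to or from the firewall itself is decided by device access rather than by these rules. "ANY" is taken literally, i.e. it matches every zone, which is what makes the two rule sets differ for a DNS server sitting in another internal zone.

```python
"""Toy first-match model of DNS egress rules and transparent DNAT.

Constructed example. Addresses, zones and rule semantics are assumptions made
for this illustration; this is not the Sophos XG rule engine.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")        # assumed LAN subnet
DMZ = ip_network("10.0.0.0/24")           # assumed second internal zone
FW_LAN_IP = ip_address("192.168.1.1")     # assumed firewall LAN address
ISP_DNS = ip_address("203.0.113.53")      # documentation-range stand-in for the ISP resolver


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "udp"


def zone_of(addr: str) -> str:
    a = ip_address(addr)
    if a == FW_LAN_IP:
        return "FW"
    if a in LAN:
        return "LAN"
    if a in DMZ:
        return "DMZ"
    return "WAN"


def is_dns(f: Flow) -> bool:
    return f.dport == 53 and f.proto in ("udp", "tcp")


# Rule tuple: (name, source zone, destination zone, action). "ANY" matches every zone.
OP_RULES = [
    ("a) allow DNS from XG to ANY", "FW", "ANY", "allow"),
    ("b) block DNS from ANY to ANY", "ANY", "ANY", "block"),
]
WAN_SCOPED_RULES = [
    ("block external DNS", "LAN", "WAN", "block"),
]


def evaluate(f: Flow, rules) -> str:
    """First matching rule wins; an unmatched flow is allowed."""
    sz, dz = zone_of(f.src), zone_of(f.dst)
    if "FW" in (sz, dz):
        return "device access"   # assumed: the appliance's own traffic is not a firewall-rule matter
    if sz == dz:
        return "not seen"        # assumed: same-zone, same-subnet traffic never transits the firewall
    if not is_dns(f):
        return "allow"
    for _name, rule_src, rule_dst, action in rules:
        if rule_src in (sz, "ANY") and rule_dst in (dz, "ANY"):
            return action
    return "allow"


def dnat_dns(f: Flow) -> Flow:
    """Transparent redirect: LAN-originated DNS bound for the WAN is rewritten to the firewall."""
    if is_dns(f) and zone_of(f.src) == "LAN" and zone_of(f.dst) == "WAN":
        return replace(f, dst=str(FW_LAN_IP))
    return f


def simulate(f: Flow, rules, dnat: bool):
    """Apply the optional DNAT step, then the rule set; returns (verdict, final destination)."""
    out = dnat_dns(f) if dnat else f
    return evaluate(out, rules), out.dst


if __name__ == "__main__":
    # Constructed flows: a workstation whose local admin changed DNS to 8.8.8.8,
    # normal client-to-DC lookups, the DC forwarding to the XG, and a DMZ resolver.
    flows = [
        Flow("192.168.1.50", "8.8.8.8", 53),
        Flow("192.168.1.50", "192.168.1.10", 53),
        Flow("192.168.1.10", str(FW_LAN_IP), 53),
        Flow(str(FW_LAN_IP), str(ISP_DNS), 53),
        Flow("192.168.1.50", "10.0.0.10", 53),
        Flow("192.168.1.50", "8.8.8.8", 443, "tcp"),
    ]
    for fl in flows:
        print(f"{fl.src:>14} -> {fl.dst:<14}:{fl.dport:<3} "
              f"OP rules: {evaluate(fl, OP_RULES):<13} "
              f"WAN-scoped: {evaluate(fl, WAN_SCOPED_RULES):<13} "
              f"DNAT+WAN-scoped: {simulate(fl, WAN_SCOPED_RULES, True)}")
```

Running it shows the point of the exchange: the rogue workstation's query to 8.8.8.8 is blocked under either rule set, the DNAT variant instead lands it on the firewall's own resolver, and the DC-to-XG forwarder query is untouched by both because it is addressed to the appliance. The one place the two rule sets diverge is a DNS server in another internal zone, which the literal "ANY to ANY" block also cuts off while the WAN-scoped block leaves it alone; that is the reason to scope the block rule's destination to WAN.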

  • Hello Ian,

    In order for your suggestion to work he would need to set the XG as the DNS server in the DHCP settings.  Otherwise, the XG would simply pass the DNS server IPs to the internal clients and the internal clients would attempt to contact the DNS servers directly which would be blocked by your firewall rule suggestion.

  • Hi Casual_user,

    He is using an internal DNS which points at the XG DNS, so the firewall rule would block all external DNS requests from the LAN.

    Ian

  • Just to give some more info: 

     

    Currently the DC also has the DHCP and DNS roles (hopefully to be changed soon) thus DHCP is configured in such a way that all clients use the DC as DNS and the DC then uses the XG as forwarder while the XG uses my ISPs DNS. (I hope I haven't mixed up the terminology here). 

     

    Unfortunately, I have a couple of workstations where non-IT personnel has admin rights. it is these that I want to stop from manually changing their DNS to an external one. obviously a transparent DNAT of DNS requests would be the easiest way but since its not yet possible I am looking for a workaroudn to fix exactly this one issue.

  • BTW, I found this thread which sounds like Web > General Settings > Pharming Protection would intercept DNS queries, but I can't even find that menu on my XG.

     

    community.sophos.com/.../387129

  • Take a look at this KBA: https://community.sophos.com/kb/en-us/132634

    Pharming Protection is hidden in the gui.

    You have to expand the advanced settings.
