
Force DNS requests to an internal server

Hello, I want to force all DNS requests to an external server. The first step has been to change the DNS server in the DNS section and DHCP, and OK, it works.

Now, if a client has a different DNS server configured, they will bypass my DNS server. How can I avoid this?


With this approach: https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/96094/how-to-force-dhcp-clients-to-use-specific-dns-adress-like-8-8-8-8

I understand that I can block other DNS servers, but what I want is not to block them but to redirect them to my local DNS server. I have been trying with DNAT rules but I can't get it to work; DNS requests still go outside without being forced to go through my DNS server.

How can I implement the behaviour I want?

I have been reading a little bit more and it looks like Sophos is not able to capture all traffic on a port to redirect it, because you cannot have source address ANY. This is a shame; this feature is available in any other commercial firewall, and even in free firewalls like IPFire, OPNsense, pfSense, etc. you can do that.

This is another basic thing that can't be done in Sophos XG. I don't understand the roadmap of this product, and I don't understand how this can be called an enterprise-grade firewall if it can't work with basic firewall rules. In Sophos UTM it is possible; as usual, it's a more powerful firewall.

More info here:

community.sophos.com/.../how-to-replicate-utm-rule-to-redirect-dns-ntp-to-internal-server



  • There is not an option either to say all IPs except..., or to invert the rule. Enterprise-grade firewall, they call it. Basic features available in open-source firewalls.

  • I have the XG setup to provide DNS servers to the LAN and block all attempts from the LAN to access external DNS servers.  In my case, I have the XG firewall listed as the DNS server in DHCP settings.  Then I list the DNS servers I want users to access in the DNS settings.  I then added a rule at the top of the firewall rules that blocks all external DNS access from the LAN.

    It works perfectly, with LAN clients only accessing the DNS servers I want and blocking access to all the rest.

  • I have done something similar, I only allow DNS traffic from LAN to wan to the DNS servers I have configured in Sophos XG. (1.1.1.1, 1.0.0.1)

    Then I block all other DNS traffic to WAN.

    I would like to have an additional rule between both to redirect all the DNS traffic that doesn't go to the Sophos XG IP to the Sophos XG IP, but apparently, considering the limitations of Sophos firewall rules, this cannot be done. So I don't end up with DNS traffic blocked, just redirected where I want it.

    Could you post pics of your configuration?


    What is the advantage of giving the Sophos IP as DNS server in the DHCP configuration vs. providing directly the IPs configured in the DNS settings?

  • Hi,

    The easy bit: the DNS settings in your screenshot affect the XG only when it is doing various lookups. The DNS settings in the DHCP server, if pointed at the XG, then use the XG as a proxy.

    Ian

  • But then, is there a way to make a forwarding rule to redirect all the outgoing traffic on port 53 to the Sophos XG?


    The problem is that Sophos XG, for some weird reason, doesn't allow choosing WAN as destination, something that any other commercial firewall would allow.

  • There is no way to force all DNS traffic outgoing from the LAN to every IP of the WAN on port 53 to the XG.  You can do this on UTM, but this feature has not yet been added to the XG.

    We have described the workaround above. You can supply the internal DNS server to your LAN clients through the DHCP configuration. Then block all LAN to WAN traffic on port 53. I have done this and it works flawlessly. On my network, you must use the XG as the DNS server or you cannot access the WAN.

  • I use the same kind of setup all the time.

    If you publish your DNS via DHCP, I would assume all my clients will use this DNS server. So most likely, if some client does not do this, there could be something wrong with this client.

    To simply redirect those clients to the XG / other DNS server would not resolve the point that some client is not using the preconfigured DNS server.

  • This is not a solution; there are many devices that have hardcoded DNS, such as IoT, or anything that doesn't run Linux or Windows. Even some apps have hardcoded DNS, so they don't use the DHCP settings of the OS.


    Does anyone know if this is possible with v18, since NAT rules have now been decoupled?

    docs.sophos.com/.../sfos_ug.pdf

  • Actually, you should be able to do it.

    As with an NTP redirect, you should be able in V18 to redirect DNS.

    V18 EAP1 is released; just try it in a lab.

  • I have been trying in my lab with v18 but can't find how to do it.


    In other firewalls it is as simple as:

    Source LAN

    Destination WAN

    Service 53

    Redirect to "local DNS server"
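A client-side check for which of the two approaches discussed in this thread (block port 53 to WAN, or transparently redirect it to the internal resolver) is actually in effect from a LAN host. This is an added example, not code from the thread or from Sophos: it queries an internal-only canary name both through the internal resolver and through a public resolver (1.1.1.1, as named above); the canary hostname `printer.lan.example` and the internal resolver address 192.0.2.1 are assumptions to replace with your own.

```python
import random
import socket
import struct


def build_query(name, qid=0x1234):
    """Build a minimal DNS A/IN query (RD=1) for `name` with transaction id `qid`."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)


def parse_response(data, expected_qid):
    """Return (rcode, answer_count), or None if the packet is not a reply to our query id."""
    qid, flags, _qdcount, ancount = struct.unpack(">HHHH", data[:8])
    if qid != expected_qid or not flags & 0x8000:   # QR bit must be set
        return None
    return flags & 0x000F, ancount


def probe(server, name, timeout=2.0):
    """Send one query to `server`:53; None means no usable reply (dropped or rejected)."""
    qid = random.randrange(1, 65536)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, qid), (server, 53))
        data, _ = sock.recvfrom(512)
    except OSError:          # timeout, or ICMP port-unreachable from a rejecting firewall
        return None
    finally:
        sock.close()
    return parse_response(data, qid)


def classify(internal_result, external_result):
    """Compare probe() results for an internal-only canary name from both resolvers."""
    if internal_result is None or internal_result[0] != 0 or internal_result[1] == 0:
        return "inconclusive"   # the internal resolver itself cannot answer the canary name
    if external_result is None:
        return "blocked"        # LAN->WAN port 53 dropped: the 'block' workaround above
    rcode, ancount = external_result
    if rcode == 0 and ancount > 0:
        return "redirected"     # a public resolver cannot know the name: DNAT sent it inward
    return "unenforced"         # the query really reached the public resolver (e.g. NXDOMAIN)


if __name__ == "__main__":
    canary = "printer.lan.example"             # assumed internal-only hostname
    internal = probe("192.0.2.1", canary)      # assumed internal resolver (the XG)
    external = probe("1.1.1.1", canary)        # public resolver named in the thread
    print(classify(internal, external))
```

Run it from a client that has the external resolver hardcoded; a "redirected" verdict is what the original poster is after, while "blocked" confirms the workaround the other replies describe.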