Sophos v19 - Web Proxy or DPI-SSL web filtering & DNS requests

Hi,

I have a question about Web content filtering using either Web proxy or DPI-SSL and DNS requests/resolution.

I have Sophos firewall set up in bridge mode with Netgear router as the gateway and for DNS.

The Netgear router handles DHCP and DNS, whilst the Sophos firewall handles web filtering (some devices use Web proxy and some others use DPI-SSL), as well VLANs etc.

I use OpenDNS for my DNS servers on the Netgear router - which the Sophos firewall points to.

I've noticed that even though I have either Web proxy or DPI-SSL enabled - using a few test URLs for blocking (some news sites and clothing sites), their DNS requests/URLs still appear in the OpenDNS stats/logs, despite the Sophos firewall blocking them (I don't have the "show warning page" enabled - just a "connection timed out" page instead).

Maybe my understanding of DNS requests is too simple - but given that the DNS name request is in plaintext before the TLS handshake, (DoH is not being used), shouldn't the Sophos firewall pick up that DNS plaintext request as it leaves the network, run it against the URL category database and then block it or allow it depending on the web content policy applied?

It's almost as if the Sophos firewall is blocking the DNS request as it returns back into the network once it has been resolved. And given that the URL category lookup tool under Diagnostics uses characters and not IP addresses, I would have assumed this is how the web proxy/DPI-SSL also works on the firewall.

Or is my setup wrong? Is my understanding of how DNS are resolved into IP addresses wrong?

Happy to be corrected.

Thanks.

  • Hello ADJ,

    Thank you for reaching out to the community. With the use of the web proxy and DPI engine, did you enable options like "Scan HTTP and decrypted HTTPS" under the FW rule? And have you installed the SSL CA certificate on the end user client machines?
    > SSL CA certificate installation guide: https://support.sophos.com/support/s/article/KB-000035645?language=en_US
    > DNS resolution precedence: https://support.sophos.com/support/s/article/KB-000038157?language=en_US

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services 



  • Web Proxy works on the level of SNI.

    This means the SNI is written in the TLS handshake and SFOS will pick up this request, because DNS is not as effective (if not counterproductive because of the alias stuff etc.).

    https://en.wikipedia.org/wiki/Server_Name_Indication


  • Oh right, I see what you are saying about the web proxy - it is only after the DNS has been fully resolved and the TLS handshake is started that the web proxy will intercept and block it? Meaning that the DNS request will still show up in the OpenDNS logs regardless?

    Does this also apply to DPI-SSL as well, working on the SNI instead of DNS?

  • Yes - "Scan HTTP and decrypted HTTPS" is enabled and both security appliance and default appliance certificates are installed on all machines via the management console.
    I have noticed in the zones ACL that "DNS" is ticked, meaning that Sophos will act as a DNS server, think I will untick those to ensure that the Netgear is used for DNS. 
    Out of curiosity, would it be worth having the firewall in gateway mode rather than bridge mode behind the Netgear router? Is it possible to "unbridge" a bridged interface?

  • Are you using the Umbrella Roaming Client on these machines?  I believe that sends the DNS encrypted to OpenDNS, which would bypass the firewall.

  • No and DNS over HTTPS is not being used - I should have stated that this is a home environment.

    I think I understand what is happening here.

    Before a device can connect to a site it needs the domain resolved to an IP address. In this case, OpenDNS resolves that request as it is the designated DNS in the Netgear router. The Sophos firewall doesn't inspect UDP 53 requests, unless you have them blocked in a firewall rule. (Is it possible to have Sophos inspect requests this way, or not?)

    When a device then connects to that site, Sophos inspects the SNI as part of the TLS "ClientHello" handshake and allows/blocks the access, depending on the policy.

    So there are two sets of logs - DNS requests/lookups and the Sophos allowed/blocked logs.

    Just because a device was able to lookup/resolve a domain via the OpenDNS logs doesn't mean it was able to access that site if it was blocked by Sophos. (It is much like pinging a website.)

    You can't block a website until you resolve its IP address and match it to a database, correct?

    And also, OpenDNS is community based so its database of domains is not as extensive as Sophos', so even if a domain was blocked by Sophos, OpenDNS would still resolve that domain (if it isn't blocked on OpenDNS as well).

    That is my take on it all - but if I am wrong, please let me know. 

    Thanks.