Sophos v19 - Web Proxy or DPI-SSL web filtering & DNS requests

Hi,

I have a question about Web content filtering using either Web proxy or DPI-SSL and DNS requests/resolution.

I have Sophos firewall set up in bridge mode with Netgear router as the gateway and for DNS.

The Netgear router handles DHCP and DNS, whilst the Sophos firewall handles web filtering (some devices use Web proxy and some others use DPI-SSL), as well as VLANs etc.

I use OpenDNS for my DNS servers on the Netgear router - which the Sophos firewall points to.

I've noticed that even though I have either Web proxy or DPI-SSL enabled - using a few test URLs for blocking (some news sites and clothing sites), their DNS requests/URLs still appear in the OpenDNS stats/logs, despite the Sophos firewall blocking them (I don't have the "show warning page" enabled - just a "connection timed out" page instead).

Maybe my understanding of DNS requests is too simple - but given that the DNS name request is in plaintext before the TLS handshake (DoH is not being used), shouldn't the Sophos firewall pick up that DNS plaintext request as it leaves the network, run it against the URL category database and then block it or allow it depending on the web content policy applied?

It's almost as if the Sophos firewall is blocking the DNS request as it returns back into the network once it has been resolved. And given that the URL category lookup tool under Diagnostics uses characters and not IP addresses, I would have assumed this is how the web proxy/DPI-SSL also works on the firewall.

Or is my setup wrong? Is my understanding of how DNS names are resolved into IP addresses wrong?

Happy to be corrected.

Thanks.



This thread was automatically locked due to age.
  • Oh right, I see what you are saying about the web proxy - it is only after the DNS has been fully resolved and the TLS handshake is started that the web proxy will intercept and block it? Meaning that the DNS request will still show up in the OpenDNS logs regardless?

    Does this also apply to DPI-SSL as well, working on the SNI instead of DNS?
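The ordering the reply describes, as an added example that is not part of the original thread or of any Sophos code: the client's DNS query goes to the upstream resolver first, and an SNI-based filter only sees the hostname later, inside the TLS ClientHello. The ClientHello bytes and the hostname `news.example` are constructed here; the category table is a stand-in for the firewall's URL database.

```python
import struct
from typing import List, Optional, Tuple

def build_client_hello(hostname: str) -> bytes:
    """Constructed TLS 1.2 ClientHello record carrying an SNI extension."""
    name = hostname.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name   # type host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list       # extension type 0 = SNI
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"                 # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1 + 3-byte length
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes) -> Optional[str]:
    """Return the server_name from a ClientHello record, or None if absent."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        return None
    p = 9 + 2 + 32                                   # record hdr, handshake hdr, version, random
    p += 1 + record[p]                               # session id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]  # cipher suites
    p += 1 + record[p]                               # compression methods
    ext_end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        p += 4
        if etype == 0:                               # list len (2) + name type (1) + name len (2)
            nlen = struct.unpack("!H", record[p + 3:p + 5])[0]
            return record[p + 5:p + 5 + nlen].decode()
        p += elen
    return None

BLOCKED_CATEGORIES = {"news.example": "News"}        # constructed stand-in for the URL database

def simulate_visit(hostname: str) -> Tuple[List[str], Optional[str], str]:
    """Event order for one HTTPS visit through an SNI-based filter."""
    resolver_log: List[str] = []
    # 1. The client resolves the name first; this query reaches the upstream
    #    resolver whatever the web filter decides afterwards.
    resolver_log.append(f"query A {hostname}")
    # 2. Only after TCP is up does the ClientHello appear; that is where a
    #    DPI-SSL style filter reads the SNI and can block the connection.
    sni = extract_sni(build_client_hello(hostname))
    verdict = "block" if sni in BLOCKED_CATEGORIES else "allow"
    return resolver_log, sni, verdict
```

Running `simulate_visit("news.example")` yields a resolver log containing the query and a block verdict, which is why the name still appears in the upstream resolver's statistics.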