
Sophos v19 - Web Proxy or DPI-SSL web filtering & DNS requests

Hi,

I have a question about Web content filtering using either Web proxy or DPI-SSL and DNS requests/resolution.

I have Sophos firewall set up in bridge mode with Netgear router as the gateway and for DNS.

The Netgear router handles DHCP and DNS, whilst the Sophos firewall handles web filtering (some devices use Web proxy and some others use DPI-SSL), as well as VLANs etc.

I use OpenDNS for my DNS servers on the Netgear router - which the Sophos firewall points to.

I've noticed that even though I have either Web proxy or DPI-SSL enabled - using a few test URLs for blocking (some news sites and clothing sites), their DNS requests/URLs still appear in the OpenDNS stats/logs, despite the Sophos firewall blocking them (I don't have the "show warning page" enabled - just a "connection timed out" page instead).

Maybe my understanding of DNS requests is too simple - but given that the DNS name request is in plaintext before the TLS handshake, (DoH is not being used), shouldn't the Sophos firewall pick up that DNS plaintext request as it leaves the network, run it against the URL category database and then block it or allow it depending on the web content policy applied?

It's almost as if the Sophos firewall is blocking the DNS request as it returns into the network once it has been resolved. And given that the URL category lookup tool under Diagnostics uses characters and not IP addresses, I would have assumed this is how the web proxy/DPI-SSL also works on the firewall.

Or is my setup wrong? Is my understanding of how DNS names are resolved into IP addresses wrong?

Happy to be corrected.

Thanks.

  • Are you using the Umbrella Roaming Client on these machines? I believe that sends the DNS encrypted to OpenDNS, which would bypass the firewall.

  • No and DNS over HTTPS is not being used - I should have stated that this is a home environment.

    I think I understand what is happening here.

    Before a device can connect to a site it needs the domain resolved to an IP address. In this case, OpenDNS resolves that request as it is the designated DNS in the Netgear router. The Sophos firewall doesn't inspect UDP 53 requests, unless you have them blocked in a firewall rule. (Is it possible to have Sophos inspect requests this way, or not?)

    When a device then connects to that site, Sophos inspects the SNI as part of the TLS "ClientHello" handshake and allows/blocks the access, depending on the policy.

    So there are two sets of logs - DNS requests/lookups and the Sophos allowed/blocked logs.

    Just because a device was able to lookup/resolve a domain via the OpenDNS logs doesn't mean it was able to access that site if it was blocked by Sophos. (It is much like pinging a website.)

    You can't block a website until you resolve its IP address and match it to a database, correct?

    And also, OpenDNS is community based so its database of domains is not as extensive as Sophos', so even if a domain was blocked by Sophos, OpenDNS would still resolve that domain (if it isn't blocked on OpenDNS as well).

    That is my take on it all - but if I am wrong, please let me know.

    Thanks.

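The two-stage behaviour described in the reply above (a plaintext UDP 53 lookup that the resolver logs, followed by a TLS ClientHello whose SNI the firewall matches against its category database) can be made concrete with a small simulation. This is an added example, not code from the thread or from Sophos: it builds a minimal DNS query and a minimal TLS ClientHello for a host, parses the name back out of each, and keeps two separate logs the way the resolver and the firewall would. The category table, the host names (`news.example`, `shop.example`, `docs.example`) and the log formats are constructed for the example; a real firewall's category database and log lines look different.

```python
import struct

# Constructed stand-in for a URL category database keyed by host name.
CATEGORY_DB = {
    "news.example": "News",
    "shop.example": "Shopping",
    "docs.example": "Reference",
}


def build_dns_query(name: str, txn_id: int = 0x1234) -> bytes:
    """Minimal DNS A query (RFC 1035): 12-byte header, QNAME labels, QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)  # flags: recursion desired
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def parse_dns_qname(packet: bytes) -> str:
    """Read the queried name out of a plaintext UDP 53 query; nothing is encrypted here."""
    pos, labels = 12, []
    while packet[pos] != 0:
        length = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + length].decode())
        pos += 1 + length
    return ".".join(labels)


def build_client_hello(sni: str) -> bytes:
    """Minimal TLS 1.2-style record carrying a ClientHello with only a server_name extension."""
    host = sni.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host          # name_type=host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list         # extension type 0 = SNI
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                        # version, random, no session id
            + struct.pack("!H", 2) + b"\x13\x01"                        # one cipher suite
            + b"\x01\x00"                                               # one compression method: null
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body           # handshake type 1 = ClientHello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the SNI host from a ClientHello record, or None. The SNI is sent in the clear."""
    if record[0] != 0x16 or record[5] != 0x01:
        return None
    pos = 5 + 4 + 2 + 32                      # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]                    # session id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]   # cipher suites
    pos += 1 + record[pos]                    # compression methods
    ext_end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if etype == 0 and record[pos + 2] == 0:            # skip list length, check name_type
            nlen = struct.unpack("!H", record[pos + 3:pos + 5])[0]
            return record[pos + 5:pos + 5 + nlen].decode()
        pos += elen
    return None


def simulate_visits(hosts, blocked_categories):
    """Walk each host through resolution then connection; return (resolver_log, firewall_log)."""
    resolver_log, firewall_log = [], []
    for host in hosts:
        # Stage 1: the client resolves the name. The upstream resolver sees and logs every
        # query, whether or not the firewall later blocks the site.
        resolver_log.append(f"query {parse_dns_qname(build_dns_query(host))}")
        # Stage 2: the client opens TLS. The firewall reads the SNI from the ClientHello,
        # categorises it and applies the web policy; only this stage produces a block.
        sni = extract_sni(build_client_hello(host))
        category = CATEGORY_DB.get(sni, "Uncategorized")
        verdict = "blocked" if category in blocked_categories else "allowed"
        firewall_log.append(f"{verdict} {sni} ({category})")
    return resolver_log, firewall_log


if __name__ == "__main__":
    for line in sum(simulate_visits(["news.example", "docs.example"], {"News"}), []):
        print(line)
```

Running it shows `query news.example` in the resolver log even though the firewall log records `blocked news.example (News)`: the lookup and the connection are separate events, logged in separate places, which is what the OpenDNS statistics are reflecting.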