
SSL VPN - Block-Outside-DNS?

Hi all,


I just have a quick question regarding the Sophos SSL VPN within UTM 9 - does it automatically block outside DNS from being used? 

The reason I ask is because I'm setting up our Sophos VPN so we can retire our IPCop server, and on that we had to configure it to push the block-outside-dns setting, so it would then automatically obtain the DNS addresses from the VPN connection, rather than the local router. Is this something I would also need to configure with the Sophos UTM? 


Regards,


Rob



  • You can configure the SSL VPN to obtain DNS server addresses from the VPN connection.

    Under Remote Access / Advanced you find the options that can be configured to be pushed by DHCP to the SSL VPN client.

    greets

    zaphod
    ___________________________________________

    Home: Zotac CI321 (8GB RAM / 120GB SSD)  with latest Sophos UTM
    Work: 2 SG430 Cluster / many other models like SG105/SG115/SG135/SG135w/...

  • Thanks, although when I go here all I can see are the Cryptographic settings, compression settings and the debug settings. None of these give an option to block outside DNS, which makes me wonder if it needs to be done with the Sophos or not. 

  • You don't need to block outside DNS. DNS is needed to have name resolution, so if your clients should be able to do web surfing they need a DNS server.

    If you don't give the DNS servers with your SSL VPN connection, then clients use their own ones, so it is sometimes impossible to use internal DNS names that are not resolved by internet DNS.

    Best practice here is to configure the internal DNS server / internal WINS server and your internal domain name, so your connected clients can use internal resources by name as if they were located internally.

     

    greets

    zaphod

  • Also, you are looking in the wrong place:

    greets

    zaphod

  • Thanks, although this is something we had to do with our old VPN connection, as the clients would often use their own router for DNS to resolve internal names, which obviously wouldn't work. The only way around this was to add the option to block outside DNS, so that the client was forced to send DNS requests only through the VPN.

    I'm just wondering if Sophos does this automatically, or if it just handles the traffic better and so it isn't required. 

  • Rob, is this a Full tunnel or a Split tunnel?  I could be wrong, but my sense is that you cannot get the control that you want over DNS if it's Split.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Full tunnel, I believe. It's not a setting we're particularly wanting - I'm just trying to understand how it handles the DNS requests and I need to ensure we won't run into the same issue as we did with the IPCop server where it would send the VPN DNS traffic to the local router, therefore not being able to resolve anything. 

  • Rob, please confirm that this is SSL VPN Remote Access and not site-to-site.

    Earlier, you said, "The only way around this was to add the option to block outside DNS, and so only the client was forced to send the DNS request through the VPN."  How did you block the traffic?

    Cheers - Bob

  • Yes, this is SSL VPN Remote Access. 

    With IPCop, we had to add "block-outside-DNS" to the configuration file. Once done, the VPN client would then only resolve DNS names through the VPN tunnel, rather than through the local router. Hopefully that makes sense. 

    As I said, it's not particularly an option we want to enable on the Sophos - I'm just looking to understand how it handles the traffic. 


  • You could create a DNAT rule like this:

    Traffic from: SSL remote access
    Using service: DNS
    Going to: Internet IPv4

    DNAT to: internal (address) (or use the 10.242.2.1 as destination in case you use the default IP-ranges)


    Managing several Sophos UTMs and Sophos XGs both at work and at some home locations, dedicated to continuously improving IT security and happy to help others with their IT security challenges.

    Sometimes I post some useful tips on my blog, see blog.pijnappels.eu/category/sophos/ for Sophos related posts.
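The DNAT rule above is the firewall-side counterpart of OpenVPN's block-outside-dns: DNS from the SSL VPN pool that is addressed to an outside resolver is rewritten to the internal one. As an added example (not code from this thread or from Sophos), the script below mirrors that rule in Python and runs it as a leak audit over a few constructed flow-log lines, reporting which VPN clients would have reached an outside resolver without the rule. It assumes the UTM default pool 10.242.2.0/24 with 10.242.2.1 as the tunnel-side resolver (both named above), RFC 1918 space standing in for "internal" networks, and a simplified `src=ip:port dst=ip:port proto=` log format that is constructed for the example and is not the UTM packet-filter log format.

```python
"""Audit DNS flows from SSL VPN clients for resolvers outside the VPN.

Added example, not from the thread and not Sophos code. It assumes the
UTM default SSL VPN pool 10.242.2.0/24, the tunnel-side resolver
10.242.2.1, RFC 1918 ranges as "internal", and a constructed log format.
"""
import ipaddress
import re
from typing import Iterable, Iterator, List, Tuple

VPN_POOL = ipaddress.ip_network("10.242.2.0/24")          # "SSL remote access"
INTERNAL_RESOLVER = ipaddress.ip_address("10.242.2.1")     # DNAT target
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]  # assumption
DNS_PORT = 53                                              # "Using service: DNS"

# Constructed, simplified flow-log format (hypothetical, not the UTM format).
LINE_RE = re.compile(
    r"src=(?P<src>[\d.]+):\d+\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"\s+proto=(?P<proto>udp|tcp)"
)


def parse_flows(lines: Iterable[str]) -> Iterator[Tuple[str, str, int, str]]:
    """Yield (src, dst, dport, proto) for every line in the constructed format."""
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # lines that do not match the format are ignored
        yield m["src"], m["dst"], int(m["dport"]), m["proto"]


def is_internal(addr: str) -> bool:
    """True when the address is in one of the assumed internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def dnat_destination(src: str, dst: str, dport: int) -> str:
    """Mirror the thread's DNAT rule: DNS from the SSL VPN pool to a
    non-internal ("Internet IPv4") address is rewritten to the internal
    resolver; every other flow keeps its original destination."""
    if ipaddress.ip_address(src) in VPN_POOL and dport == DNS_PORT and not is_internal(dst):
        return str(INTERNAL_RESOLVER)
    return dst


def find_dns_leaks(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (client, outside_resolver) pairs: flows the rule would rewrite,
    i.e. the DNS queries that would leak to an outside resolver without it."""
    leaks = []
    for src, dst, dport, _proto in parse_flows(lines):
        if dnat_destination(src, dst, dport) != dst:
            leaks.append((src, dst))
    return leaks


# Constructed sample log: one client resolving via the tunnel resolver (fine),
# two VPN clients querying public resolvers over UDP and TCP (leaks), a LAN
# host that is not a VPN client, non-DNS traffic, and a malformed line.
SAMPLE_LOG = [
    "2024-01-01T09:00:01 src=10.242.2.15:51000 dst=10.242.2.1:53 proto=udp",
    "2024-01-01T09:00:02 src=10.242.2.15:51001 dst=8.8.8.8:53 proto=udp",
    "2024-01-01T09:00:03 src=192.168.1.20:51002 dst=8.8.8.8:53 proto=udp",
    "2024-01-01T09:00:04 src=10.242.2.15:51003 dst=1.1.1.1:443 proto=tcp",
    "2024-01-01T09:00:05 src=10.242.2.22:51004 dst=1.1.1.1:53 proto=tcp",
    "2024-01-01T09:00:06 not a flow line",
]

if __name__ == "__main__":
    for client, resolver in find_dns_leaks(SAMPLE_LOG):
        print(f"VPN client {client} queried outside resolver {resolver}; "
              f"the DNAT rule would redirect it to {INTERNAL_RESOLVER}")
```

Note that both the rule and this audit only see packets that actually enter the tunnel, which is why they give you the control you want on a full tunnel: on a split tunnel a client's query to its local router or a public resolver never reaches the UTM, matching Bob's remark above.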