
SSL VPN - Block-Outside-DNS?

Hi all,

 

I just have a quick question regarding the Sophos SSL VPN within UTM 9 - does it automatically block outside DNS from being used? 

The reason I ask is because I'm setting up our Sophos VPN so we can retire our IPCop server, and on that we had to configure it to push the block-outside-dns setting, so it would then automatically obtain the DNS addresses from the VPN connection, rather than the local router. Is this something I would also need to configure with the Sophos UTM? 

 

Regards,

 

Rob



  • You can configure the SSL VPN to obtain DNS server addresses from the VPN connection.

    Under Remote Access / Advanced you find the options that can be configured to be pushed by DHCP to the SSL VPN client.

  • Thanks, although when I go here all I can see are the Cryptographic settings, compression settings and the debug settings. None of these give an option to block outside DNS, which makes me wonder if it needs to be done with the Sophos or not. 

  • You don't need to block outside DNS. DNS is needed to have name resolution, so if your clients should be able to do web surfing they need a DNS server.

    If you don't hand out the DNS servers with your SSL VPN connection then the clients use their own ones, so it is sometimes impossible to use internal DNS names, which are not resolved by internet DNS.

     

    Best practice here is to configure the internal DNS server / internal WINS server and your internal domain name, so your connected clients can use internal resources by name as if they were located internally.

     

  • Also, you are looking in the wrong place:

     

  • Thanks, although this is something we had to do with our old VPN connection as the clients would often use their own router for DNS to resolve internal names, which obviously wouldn't work. The only way around this was to add the option to block outside DNS, and so only the client was forced to send the DNS request through the VPN. 

    I'm just wondering if Sophos does this automatically, or if it just handles the traffic better and so it isn't required. 

  • Rob, is this a Full tunnel or a Split tunnel? I could be wrong, but my sense is that you cannot get the control that you want over DNS if it's Split.

    Cheers - Bob

  • Full tunnel, I believe. It's not a setting we're particularly wanting - I'm just trying to understand how it handles the DNS requests and I need to ensure we won't run into the same issue as we did with the IPCop server where it would send the VPN DNS traffic to the local router, therefore not being able to resolve anything. 

  • Rob, please confirm that this is SSL VPN Remote Access and not site-to-site.

    Earlier, you said, "The only way around this was to add the option to block outside DNS, and so only the client was forced to send the DNS request through the VPN." How did you block the traffic?

    Cheers - Bob

  • Yes, this is SSL VPN Remote Access. 

    With IPCop, we had to add "block-outside-DNS" to the configuration file. Once done, the VPN client would then only resolve DNS names through the VPN tunnel, rather than through the local router. Hopefully that makes sense. 

    As I said, it's not particularly an option we want to enable on the Sophos - I'm just looking to understand how it handles the traffic. 

     

  • You could create a DNAT rule like this:

    Traffic from: SSL remote access
    Using service: DNS
    Going to: Internet IPv4

    DNAT to: internal (address) (or use the 10.242.2.1 as destination in case you use the default IP-ranges)

  • Apijnappels, I wouldn't do it like that. I would just use 'Remote Access >> Advanced' to set DNS to the IP of the internal DNS server and, secondarily, to the IP of "Internal (Network)" as zaphod showed him above.

    Cheers - Bob

  • @Balfson, I would do the same, but it is not the same as blocking access to an external DNS server. A user can override the DHCP-assigned DNS server. A DNAT rule prevents any possibility of ever reaching an external DNS server.

  • I admit that it's not clear to me whether he's talking about his old router getting DNS for internal users from an outside DNS server or what.

    The user's DNS request to a server in the remote LAN would stay in the remote LAN, immune to the DNAT in the UTM. Since the tunnel is from the PC to the UTM, and not between the router and the UTM, we have no control over the router. The router has no idea the UTM exists.

    If the current router in the remote office can't do an IPsec tunnel with the UTM, then maybe he needs a small SG with Network Protection. :)

    Cheers - Bob

  • I think he routes all traffic over the VPN, since previously he needed another product specifically for blocking external DNS requests. That other product also cannot handle traffic that doesn't travel over the VPN and goes out directly to the router at the client side of the VPN tunnel. But these are all assumptions.....

  • Hi Balfson & Apijnappels,

    When you have a DNS server configured in the SSL VPN settings, doesn't this force all DNS requests to be made via the UTM/XG first? This is to establish whether FQDNs are to go over the tunnel or to the internet (in split tunnel mode)?

    It would make sense but that's just conjecture.

    Emile
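As an added example that is not part of this thread, the check below ties together the three things discussed above (full vs. split tunnel, the DNS server pushed from Remote Access / Advanced, and the block-outside-dns directive Rob used on IPCop). It assumes the UTM SSL VPN remote access client is OpenVPN-based, so the pushed options appear in the client log as a PUSH_REPLY control message; the log line is constructed, and the 10.242.2.1 address is the default range Apijnappels mentions.

```python
import ipaddress
import re

# Constructed sample OpenVPN client log line (not taken from the thread). The
# UTM's SSL VPN remote access is assumed to be OpenVPN-based, so the options the
# server pushes appear in the client log as a PUSH_REPLY control message.
SAMPLE_LOG = (
    "Tue Jan 01 10:00:00 2019 PUSH: Received control message: "
    "'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.242.2.1,"
    "dhcp-option DOMAIN corp.example,route 10.0.0.0 255.0.0.0,"
    "ifconfig 10.242.2.6 10.242.2.5,peer-id 0'"
)

PUSH_RE = re.compile(r"PUSH_REPLY,(.*?)'")


def parse_push_reply(log_line):
    """Return the pushed options as a list of strings ([] if the line has none)."""
    m = PUSH_RE.search(log_line)
    if not m:
        return []
    return [opt.strip() for opt in m.group(1).split(",") if opt.strip()]


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def assess_dns_handling(options):
    """Classify pushed options by where they leave the client's DNS queries going."""
    full_tunnel = any(o.startswith("redirect-gateway") for o in options)
    dns_servers = [o.split()[2] for o in options
                   if o.startswith("dhcp-option DNS ") and len(o.split()) == 3
                   and _is_ip(o.split()[2])]
    blocks_outside = "block-outside-dns" in options
    if not dns_servers:
        risk = "high"    # nothing pushed: client keeps its local router's resolver
    elif blocks_outside:
        risk = "low"     # Windows client is told to ignore other adapters' resolvers
    else:
        risk = "medium"  # pushed, but the user or OS can still query outside servers
    return {"full_tunnel": full_tunnel, "dns_servers": dns_servers,
            "block_outside_dns": blocks_outside, "leak_risk": risk}
```

Run it over a real client log to confirm what the UTM actually pushed before deciding whether the DNAT rule from Apijnappels is needed as a backstop.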