
SSL VPN - Block-Outside-DNS?

Hi all,


I just have a quick question regarding the Sophos SSL VPN within UTM 9 - does it automatically block outside DNS from being used? 

The reason I ask is because I'm setting up our Sophos VPN so we can retire our IPCop server, and on that we had to configure it to push the block-outside-dns setting, so it would then automatically obtain the DNS addresses from the VPN connection, rather than the local router. Is this something I would also need to configure with the Sophos UTM? 


Regards,


Rob



This thread was automatically locked due to age.
  • You can configure SSL VPN to obtain DNS server addresses from the VPN connection.

    Under Remote Access / Advanced you find the options that can be configured to be pushed by DHCP to the SSL VPN client.

  • Thanks, although when I go here all I can see are the Cryptographic settings, compression settings and the debug settings. None of these give an option to block outside DNS, which makes me wonder if it needs to be done with the Sophos or not. 

  • Rob, is this a Full tunnel or a Split tunnel?  I could be wrong, but my sense is that you cannot get the control that you want over DNS if it's Split.

    Cheers - Bob

  • Full tunnel, I believe. It's not a setting we're particularly wanting - I'm just trying to understand how it handles the DNS requests and I need to ensure we won't run into the same issue as we did with the IPCop server where it would send the VPN DNS traffic to the local router, therefore not being able to resolve anything. 

  • Rob, please confirm that this is SSL VPN Remote Access and not site-to-site.

    Earlier, you said, "The only way around this was to add the option to block outside DNS, and so only the client was forced to send the DNS request through the VPN."  How did you block the traffic?

    Cheers - Bob

  • Yes, this is SSL VPN Remote Access. 

    With IPCop, we had to add "block-outside-DNS" to the configuration file. Once done, the VPN client would then only resolve DNS names through the VPN tunnel, rather than through the local router. Hopefully that makes sense. 

    As I said, it's not particularly an option we want to enable on the Sophos - I'm just looking to understand how it handles the traffic. 


  • You could create a DNAT rule like this:

    Traffic from: SSL remote access
    Using service: DNS
    Going to: Internet IPv4

    DNAT to: internal (address) (or use the 10.242.2.1 as destination in case you use the default IP-ranges)

  • Apijnappels, I wouldn't do it like that.  I would just use 'Remote Access >> Advanced' to set DNS to the IP of the internal DNS server and, secondarily, to the IP of "Internal (Network)" as zaphod showed him above.

    Cheers - Bob

  • @Balfson, I would do the same, but it is not the same as blocking access to an external DNS server. A user can override the DHCP-assigned DNS server. A DNAT rule will prevent the possibility of ever reaching an external DNS server.

  • I admit that it's not clear to me whether he's talking about his old router getting DNS for internal users from an outside DNS server or what.

    The user's DNS request to a server in the remote LAN would stay in the remote LAN, immune to the DNAT in the UTM.  Since the tunnel is from the PC to the UTM, and not between the router and the UTM, we have no control over the router.  The router has no idea the UTM exists.

    If the current router in the remote office can't do an IPsec tunnel with the UTM, then maybe he needs a small SG with Network Protection. [:)]

    Cheers - Bob

  • I think he routes all traffic over the VPN, since before he needed another product specifically for blocking external DNS requests. That other product also cannot handle traffic that doesn't travel over the VPN and goes out directly to the router at the client side of the VPN tunnel. But these are all assumptions...

  • Hi Balfson & Apijnappels,

    When you have a DNS configured in the SSL VPN settings, doesn't this enforce all DNS requests to be made via the UTM/XG first? This is to establish whether FQDNs are to go over the tunnel or to the internet (in split tunnel mode)?

    It would make sense but that's just conjecture.

    Emile

  • Agreed, Emile, but, as apijnappels noted, the user could change the DNS settings on his PC after establishing the tunnel.

    Cheers - Bob

  • Hi Bob,

    Ah yes, very true!

    Emile

  • This is what I was wondering (you've worded it better than me :)) 

    Our old router (the IPCop system I mentioned) had to have a setting called 'Block-Outside-DNS' in the configuration file to ensure that this happened. We're in the process of replacing the IPCop system with our Sophos UTM (currently making sure the SSL VPN is working, and then we'll move on to configuring it to be the internal router for the office, just as IPCop is). Note: the Sophos UTM/IPCop aren't working as external routers for the office.

    I was just wondering whether the Sophos UTM needed a similar setting implemented, or whether it did it automatically to ensure all DNS requests are made through the UTM first. 

  • Rob, I'm confused.  Is the IPCop in the remote office or in your main office?  If in the main office, what router is in use in the remote office?  Maybe a simple diagram would help - I'm a visual-tactile, so I would have sketched a diagram already, but I don't know what's where. [:(]

    Cheers - Bob

  • Sorry, I haven't explained our current set-up at all. 

    The SSL VPN connection is predominantly for users working from home (not a remote office), so it will be a plethora of routers on the other side of the connection.

    IPCop is in our main office, and this is the router we shall be replacing with the Sophos UTM. 

    IPCop currently acts as an internal router, and manages the SSL VPN connection through OpenVPN. It routes the internal traffic of the main office through our Juniper router (which acts as the external router). 

    As we're currently testing the Sophos UTM at the moment, it's currently sitting beside the IPCop router and only manages our Sophos SSL VPN as well as some of our firewall settings. Once we have the Sophos SSL VPN up and running correctly, we'll then transfer the settings from IPCop across to the Sophos. 

    Hopefully that makes sense :) 

  • Thanks for putting that all together in one spot, Rob.

    1. In your SSL VPN Profile, put your LAN(s) and the "Internet" object in 'Local Networks'
    2. On 'Remote Access >> Advanced', list the internal IP of your local DNS server, followed by the IP of "Internal (Address)"
    3. In 'Network Services >> DNS', add "VPN Pool (SSL)" to 'Allowed Networks'
    4. In 'Network Protection >> Firewall', confirm that you don't have a rule that would allow VPN users to do DNS requests directly to the Internet.

    You also might want to take a look at DNS Best Practice.

    Cheers - Bob
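
A small model, added here and not from any post in this thread, of where a VPN client's DNS query ends up under the approaches discussed above: the DNS server pushed via Remote Access >> Advanced (which a user can override on the PC), the DNAT rule from apijnappels' post, and full versus split tunnel. It assumes the default SSL VPN pool 10.242.2.0/24 with the UTM at 10.242.2.1 (mentioned in the thread) plus a constructed office LAN 192.168.1.0/24 with an internal DNS server at 192.168.1.10.

```python
import ipaddress
from dataclasses import dataclass

# Assumed addresses: default UTM SSL VPN pool plus a constructed office LAN.
VPN_POOL = ipaddress.ip_network("10.242.2.0/24")
UTM_VPN_ADDR = ipaddress.ip_address("10.242.2.1")
LAN = ipaddress.ip_network("192.168.1.0/24")
INTERNAL_DNS = ipaddress.ip_address("192.168.1.10")
DNS_PORT = 53


@dataclass
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


def is_internet(addr):
    """Approximation of the UTM's 'Internet IPv4' object: anything that is
    neither the office LAN nor the VPN pool."""
    return addr not in LAN and addr not in VPN_POOL


def client_sends_via_tunnel(dst, full_tunnel):
    """Does the client push this packet into the tunnel at all? Full tunnel:
    everything. Split tunnel: only the networks listed in 'Local Networks'."""
    return full_tunnel or not is_internet(dst)


def utm_dnat(pkt):
    """The DNAT rule suggested in the thread: traffic from the SSL remote
    access pool, service DNS, going to Internet IPv4 -> DNAT to the UTM."""
    if pkt.src in VPN_POOL and pkt.dport == DNS_PORT and is_internet(pkt.dst):
        return Packet(pkt.src, UTM_VPN_ADDR, pkt.dport)
    return pkt


def dns_query_lands_at(client_ip, dns_server, full_tunnel, dnat_enabled):
    """Where a VPN client's DNS query to dns_server actually ends up:
    'internal-dns', 'utm', 'external-dns' (forwarded out by the UTM) or
    'local-router' (never entered the tunnel, so the UTM cannot intervene)."""
    pkt = Packet(ipaddress.ip_address(client_ip),
                 ipaddress.ip_address(dns_server), DNS_PORT)
    if not client_sends_via_tunnel(pkt.dst, full_tunnel):
        return "local-router"
    if dnat_enabled:
        pkt = utm_dnat(pkt)
    if pkt.dst == UTM_VPN_ADDR:
        return "utm"
    if pkt.dst == INTERNAL_DNS:
        return "internal-dns"
    return "external-dns"
```

The split-tunnel case with a user-overridden resolver shows Bob's point: the query goes to the home router and the UTM never sees it, so neither the pushed DNS setting nor the DNAT rule can catch it.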

  • Many thanks for this, Bob. Very helpful!