
SSL VPN - Block-Outside-DNS?

Hi all,


I just have a quick question regarding the Sophos SSL VPN within UTM 9 - does it automatically block outside DNS from being used? 

The reason I ask is because I'm setting up our Sophos VPN so we can retire our IPCop server, and on that we had to configure it to push the block-outside-dns setting, so it would then automatically obtain the DNS addresses from the VPN connection, rather than the local router. Is this something I would also need to configure with the Sophos UTM? 


Regards,


Rob



  • You can configure SSL VPN to obtain DNS server addresses from the VPN connection.

    Under Remote Access / Advanced you find the options that can be configured to be pushed by DHCP to the SSL VPN client.

  • Thanks, although when I go here all I can see are the Cryptographic settings, compression settings and the debug settings. None of these give an option to block outside DNS, which makes me wonder if it needs to be done with the Sophos or not. 

  • Full tunnel, I believe. It's not a setting we're particularly wanting - I'm just trying to understand how it handles the DNS requests and I need to ensure we won't run into the same issue as we did with the IPCop server where it would send the VPN DNS traffic to the local router, therefore not being able to resolve anything. 

  • Rob, please confirm that this is SSL VPN Remote Access and not site-to-site.

    Earlier, you said, "The only way around this was to add the option to block outside DNS, and so only the client was forced to send the DNS request through the VPN."  How did you block the traffic?

    Cheers - Bob

  • Yes, this is SSL VPN Remote Access. 

    With IPCop, we had to add "block-outside-DNS" to the configuration file. Once done, the VPN client would then only resolve DNS names through the VPN tunnel, rather than through the local router. Hopefully that makes sense. 

    As I said, it's not particularly an option we want to enable on the Sophos - I'm just looking to understand how it handles the traffic. 


  • You could create a DNAT rule like this:

    Traffic from: SSL remote access
    Using service: DNS
    Going to: Internet IPv4

    DNAT to: internal (address) (or use 10.242.2.1 as the destination if you use the default IP ranges)

  • Apijnappels, I wouldn't do it like that.  I would just use 'Remote Access >> Advanced' to set DNS to the IP of the internal DNS server and, secondarily, to the IP of "Internal (Network)" as zaphod showed him above.

    Cheers - Bob

  • @Balfson, I would do the same, but it is not the same as blocking access to an external DNS server. A user can override the DHCP-assigned DNS server. A DNAT rule will prevent the possibility of ever reaching an external DNS server.

  • I admit that it's not clear to me whether he's talking about his old router getting DNS for internal users from an outside DNS server or what.

    The user's DNS request to a server in the remote LAN would stay in the remote LAN, immune to the DNAT in the UTM.  Since the tunnel is from the PC to the UTM, and not between the router and the UTM, we have no control over the router.  The router has no idea the UTM exists.

    If the current router in the remote office can't do an IPsec tunnel with the UTM, then maybe he needs a small SG with Network Protection. [:)]

    Cheers - Bob
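    To make the two points above concrete (a DNAT rule catches DNS queries that enter the tunnel even when the user overrides the pushed DNS server, but a query to a server on the client's own LAN never reaches the UTM), here is an added Python model of the rule; it is example code, not anything from Sophos UTM, and the internal network 192.168.50.0/24 and the client LAN 192.168.1.0/24 are assumptions.

```python
import ipaddress

# Constructed values: the UTM 9 default SSL VPN pool and its tunnel-side
# address; the internal LAN below is an assumption for the example.
SSL_VPN_POOL = ipaddress.ip_network("10.242.2.0/24")
UTM_TUNNEL_DNS = "10.242.2.1"
INTERNAL_NET = ipaddress.ip_network("192.168.50.0/24")  # assumed internal LAN


def apply_dnat(src, dst, proto, dport):
    """Model of the UTM rule 'from SSL remote access, service DNS,
    to Internet IPv4 -> DNAT to 10.242.2.1'. Returns the destination
    the UTM forwards to. 'Internet IPv4' is treated as any public IPv4."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    matches = (src_ip in SSL_VPN_POOL
               and proto in ("udp", "tcp") and dport == 53
               and dst_ip.version == 4 and dst_ip.is_global)
    return UTM_TUNNEL_DNS if matches else dst


def dns_query_path(client_lan, dst_dns, full_tunnel):
    """Where a tunneled client's DNS query actually travels.
    The client's own LAN is directly connected, so that traffic is
    delivered locally and never enters the tunnel. Otherwise, full
    tunnel sends everything to the UTM; split tunnel only sends
    destinations routed to the UTM (the pool and the internal net)."""
    dst_ip = ipaddress.ip_address(dst_dns)
    if dst_ip in ipaddress.ip_network(client_lan):
        return "local_lan"               # UTM never sees it; DNAT cannot apply
    if full_tunnel or dst_ip in SSL_VPN_POOL or dst_ip in INTERNAL_NET:
        return "tunnel"
    return "client_default_gateway"      # split tunnel: out via the client's ISP


def effective_dns_server(client_tunnel_ip, client_lan, dst_dns, full_tunnel):
    """Combine the two: which server ends up answering the client's query."""
    path = dns_query_path(client_lan, dst_dns, full_tunnel)
    if path != "tunnel":
        return path, dst_dns
    return path, apply_dnat(client_tunnel_ip, dst_dns, "udp", 53)


if __name__ == "__main__":
    # Full tunnel, user manually sets a public resolver: DNAT redirects it.
    print(effective_dns_server("10.242.2.6", "192.168.1.0/24", "8.8.8.8", True))
    # Full tunnel, user points at the home router: stays on the local LAN.
    print(effective_dns_server("10.242.2.6", "192.168.1.0/24", "192.168.1.1", True))
```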

  • I think he routes all traffic over the VPN, since before he needed another product specifically for blocking external DNS requests. This other product also cannot handle traffic that doesn't travel over the VPN and goes out directly to the router at the client side of the VPN tunnel. But these are all assumptions...

  • Hi Balfson & Apijnappels,

    When you have a DNS configured in the SSL VPN settings, doesn't this enforce all DNS requests to be made via the UTM/XG first? This is to establish whether FQDNs are to go over the tunnel or to the internet (in split tunnel mode)?

    It would make sense but that's just conjecture.

    Emile

  • Agreed, Emile, but, as apijnappels noted, the user could change the DNS settings on his PC after establishing the tunnel.

    Cheers - Bob
