SSL VPN - Block-Outside-DNS?

Question

Hi all, 
 
 I just have a quick question regarding the Sophos SSL VPN within UTM 9 - does it automatically block outside DNS from being used? 
 The reason I ask is because I'm setting up our Sophos VPN so we can retire our IPCop server, and on that we had to configure it to push the block-outside-dns setting, so it would then automatically obtain the DNS addresses from the VPN connection, rather than the local router. Is this something I would also need to configure with the Sophos UTM? 
 
 Regards, 
 
 Rob

zaphod · Answer

you can configure ssl-vpn to obtain dns-server adressses from vpn-connection. 
 Remote-Access / Advanced there you find the options that can be configured to be pushed by dhcp to the ssl-vpn-client.

zaphod · Answer

you dont need to block outside dns.. dns is needed to have name resolution... so if your clients should be able to do do websurfing they need a dns server. 
 if you dont give the dns-servers with your ssl-vpn-connection then clients use their own ones.. so it is sometimes impossible to use internal dns names not beeing resolved by internet dns.. 
 
 best practice is here to configure internal dns server / internal wins server and your internal domain name so your connected clients can use internal ressources per name as they where located internal....

zaphod · Answer

also you look wrong place:

apijnappels · Answer

You could create a DNAT rule like this: 
 Traffic from: SSL remote access Using service: DNS Going to: Internet IPv4 
 DNAT to: internal (address) (or use the 10.242.2.1 as destination in case you use the default IP-ranges)

BAlfson · Answer

Thanks for putting that all together in one spot, Rob. 
 
 In your SSL VPN Profile, put your LAN(s) and the "Internet" object in 'Local Networks' 
 On 'Remote Access >> Advanced', list the internal IP of your local DNS server, followed by the IP of "Internal (Address)" 
 In 'Network Services >> DNS', add "VPN Pool (SSL)" to 'Allowed Networks' 
 In 'Network Protection >> Firewall', confirm that you don't have a rule that would allow VPN users to do DNS requests directly to the Internet. 
 
 You also might want to take a look at DNS Best Practice . 
 Cheers - Bob