Sonicwall ProxyDNS over SSLVPN
secallona
Newbie ✭
in VPN Client
Hello,
I have ProxyDNS configured for my internal networks and it works perfectly. I have two different Windows domains configured and they resolve with split DNS.
When clients connect with SSLVPN I can't (or I don't know how to) assign my SonicWall as the DNS server to resolve all queries.
I looked at this page: Can iuse DNS proxy feature for SSL VPN users — SonicWall Community
...but "disable DNS cache" does not work for me.
How can I configure the DNS option in the SSLVPN connection to use my SonicWall DNS proxy?
Thanks in advance,
Alex
Answers
Are your SSLVPN clients allowed to connect to the internal interface of the Sonicwall? Are you setting the SSLVPN client DNS as the internal interface of the Sonicwall? Are you setting the SSLVPN client DNS lookup order?
Show us / describe your config more...
When clients connect, the SonicWall gives them an IP from a range, but the DNS servers it gives them are those of the internal domain controllers (because that's how I configured it). The internal IP of the SonicWall is 172.168.2.1 and those of the DCs are 172.168.2.202 and .204.
I assign clients the DNS servers .202 and .204. They resolve one of my domains fine, but they don't use the SonicWall as DNS and they don't resolve the other internal domain I have on 172.168.3.X (a network to which I don't want to give access).
If I do an nslookup against 172.168.2.1 (the internal SonicWall address) from the SSLVPN, it doesn't resolve anything. I don't have access to it.
Sorry for my translator English 😅
Are your SSLVPN clients allowed to connect to the internal interface of the Sonicwall?
Are you setting the SSLVPN client DNS as the internal interface of the Sonicwall?
I hope you are mistyping 192.168.x.x and you are not actually using 172.168.x.x as your internal subnet.
I don't know if what you are trying to accomplish is possible, but I was trying to guide you to settings that you can test.
Perfect, and I appreciate it.
I would simply like VPN clients to be able to have the SonicWall's DNS configured, and have it resolve internal and external domains (split DNS proxy).
There must be some option, permission, or access that I'm not setting, or I'm doing it wrong.
My questions were to guide you to the settings you should test with.
"Are your SSLVPN clients allowed to connect to the internal interface of the Sonicwall? Are you setting the SSLVPN client DNS as the internal interface of the Sonicwall? Are you setting the SSLVPN client DNS lookup order?"
@secallona maybe it should be escalated to SNWL support. I did a few tests on a TZ 400 (6.5.4.12) and was not able to use the DNS Proxy with SSL-VPN. I added the necessary Management Rule, and even tried some NAT rules, with no luck.
According to the Packet-Monitor, the DNS requests are received by the SNWL but no answer is sent back to the client, which was somewhat weird.
--Michael@BWC
Hello,
Now I have upgraded my SonicWall and I have a TZ670. This FW has the same config as my old TZ200.
DNS name resolution from SSLVPN clients still isn't working. Any update or solution to this issue?
I have made this work on the NSA 2700.
You need to add a fake interface to do this. I created a Zone called SSLDNS, then assigned it to a virtual port on a random interface (x0 with a VLAN in my case) and gave it an IP such as 10.10.10.254 with mask 255.255.255.254. Then you need an address object for this IP in the new SSLDNS Zone (note: use Range, not Host, even though it is only one IP, due to a bug in the access rule policies). Add this address object to the client route in the SSLVPN Client settings and to the User Group VPN access list. Create a DNS policy to allow proxy from SSLVPN and limit it to the SSLVPN IP Pool. Create an access rule from SSLVPN to SSLDNS (or whatever you called your zone) for DNS traffic. Finally, set the DNS server in your SSLVPN client settings to the SSLDNS zone interface (10.10.10.254 in this example).
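A way to verify the setup above from a connected SSL-VPN client, as an added example that is not code from the original thread, from SonicWall or from the posters: the script below sends a raw UDP DNS query to the proxy address and classifies the outcome. The earlier packet-monitor observation was "request received, no answer sent back", which an ordinary nslookup reports the same way as an unreachable host; this probe separates a silent proxy (timeout) from ICMP port unreachable (nothing listening), a REFUSED rcode (the DNS policy is not allowing the SSLVPN source) and NXDOMAIN (the proxy answered but has no split-DNS route for that name). The proxy address 10.10.10.254 is taken from the post above; the host names in the `__main__` block are placeholders you should replace with one name from each internal domain and one public name. Standard library only.

```python
"""Probe a DNS proxy address from an SSL-VPN client.

Added example for the thread above, not SonicWall's code or the posters' code.
Assumed values: the proxy listens on 10.10.10.254 (from the last post); the
host names in the __main__ block are placeholders.
"""
import random
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name: str, qid: int, qtype: int = 1) -> bytes:
    """Build a recursion-desired DNS query for `name` (qtype 1 = A record)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS 1 = IN


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(msg: bytes, expected_id: int) -> dict:
    """Return the rcode name and any A records in the answer section.

    Raises ValueError on a transaction-ID mismatch (a stale or spoofed reply)
    or if the packet is not a DNS response at all.
    """
    if len(msg) < 12:
        raise ValueError("packet shorter than a DNS header")
    qid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if qid != expected_id:
        raise ValueError(f"transaction ID mismatch: sent {expected_id:#06x}, got {qid:#06x}")
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return {"rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)), "answers": addrs}


def probe(server: str, name: str, timeout: float = 3.0) -> dict:
    """Query `server` for `name`, distinguishing silence from refusal."""
    qid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qid), (server, 53))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            # Matches the packet-monitor symptom: request in, nothing back.
            return {"rcode": "NO ANSWER (timeout)", "answers": []}
        except ConnectionRefusedError:
            return {"rcode": "NO LISTENER (ICMP port unreachable)", "answers": []}
    return parse_response(data, qid)


if __name__ == "__main__":
    # Placeholder names: one per internal domain plus one public name.
    for host in ("dc1.corp-a.example", "intranet.corp-b.example", "www.sonicwall.com"):
        print(host, probe("10.10.10.254", host))
```

Run it from the SSL-VPN client while connected; a NOERROR with addresses for both internal names and the public one confirms the proxy is doing split DNS for the tunnel, while a REFUSED points at the DNS policy's source restriction and a timeout at the access rule or client route.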