
Sonicwall ProxyDNS over SSLVPN

secallona Newbie ✭

Hello,

I have ProxyDNS configured for my internal networks and it works perfectly. I have two different Windows domains configured and they resolve with split DNS.

When clients connect over SSLVPN I can't (or don't know how to) assign my SonicWall as the DNS server to resolve all queries.

I looked at this page: Can I use DNS proxy feature for SSL VPN users — SonicWall Community

...but "disable DNS cache" does not work for me.

How can I configure the DNS option of the SSLVPN connection so that it uses my SonicWall DNS proxy?


Thanks in advance,


Alex

Category: VPN Client

Answers

  • TKWITS Community Legend ✭✭✭✭✭

    Are your SSLVPN clients allowed to connect to the internal interface of the Sonicwall? Are you setting the SSLVPN client DNS as the internal interface of the Sonicwall? Are you setting the SSLVPN client DNS lookup order?

    Show us / describe your config more...

  • secallona Newbie ✭

    When clients connect, the SonicWall gives them an IP from a range, but the DNS servers it gives them are those of the internal domain controllers (because that's how I configured it). The internal IP of my SonicWall is 172.168.2.1 and those of the DCs are 172.168.2.202 and .204.

    I assign clients DNS 202 and 204. They resolve one of my domains fine, but they don't use the SonicWall as DNS and they don't resolve the other internal domain I have on my other network, 172.168.3.X (a network to which I don't want to give access).

    If I do an nslookup against 172.168.2.1 (internal SonicWall) from SSLVPN, it doesn't resolve anything. I don't have access to it.


    Sorry for my translated English 😅

  • secallona Newbie ✭

    Are your SSLVPN clients allowed to connect to the internal interface of the Sonicwall?

    • I think NOT

    Are you setting the SSLVPN client DNS as the internal interface of the Sonicwall?

    • No. I only tried nslookup before changing this parameter

  • TKWITS Community Legend ✭✭✭✭✭

    I hope you are mistyping 192.168.x.x and you are not actually using 172.168.x.x as your internal subnet.

    I don't know if what you are trying to accomplish is possible, but I was trying to guide you to settings that you can test.

  • secallona Newbie ✭

    Perfect, and I appreciate it.

    I would simply like VPN clients to be able to have the SonicWall's DNS configured, and have it resolve internal and external domains (split DNS proxy).

    There must be some option, permission, or access that I'm not setting, or I'm doing it wrong.

  • TKWITS Community Legend ✭✭✭✭✭

    My questions were to guide you to the settings you should test with.

    "Are your SSLVPN clients allowed to connect to the internal interface of the Sonicwall? Are you setting the SSLVPN client DNS as the internal interface of the Sonicwall? Are you setting the SSLVPN client DNS lookup order?"

  • BWC Cybersecurity Overlord ✭✭✭

    @secallona maybe it should be escalated to SNWL support. I did a few tests on a TZ 400 (6.5.4.12) and was not able to use the DNS Proxy with SSL-VPN. I added the necessary Management Rule, even tried some NAT rules, no luck.

    According to the Packet-Monitor the DNS request gets received by the SNWL but no answer is sent back to the client, which was somewhat weird.

    --Michael@BWC

  • secallona Newbie ✭
    edited December 2023

    Hello,

    Now I have upgraded my SonicWall and I have a TZ670. This FW has the same config as my old TZ200.


    DNS name resolution from SSLVPN clients still doesn't work. Any update or solution to this issue?

  • RJH Newbie ✭

    I have made this work on the NSA 2700.

    You need to add a fake interface to do this:

    • I created a Zone called SSLDNS, then assigned it to a virtual port on a random interface (X0 with a VLAN in my case) and gave it an IP such as 10.10.10.254, mask 255.255.255.254.
    • Then you need an address object for this IP in the new SSLDNS Zone (note: use a range, not a host, even though it is only one IP, due to a bug in the access rule policies).
    • Add this address object to the client route in the SSLVPN Client settings and to the User Group VPN access list.
    • Create a DNS policy to allow proxy from SSLVPN and limit it to the SSLVPN IP Pool.
    • Create an access rule from SSLVPN to SSLDNS (or whatever you called your zone) for DNS traffic.
    • Finally, set the DNS server in your SSLVPN client settings to the SSLDNS zone interface (10.10.10.254 in this example).
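A way to check the result from an SSL VPN client once the recipe above is in place. This is an added example, not code from the thread, from RJH or from SonicWall: it uses only the Python standard library, builds raw DNS queries and parses the replies itself, and sends them to a hard-coded proxy address of 10.10.10.254 (the value from RJH's example) for three placeholder hostnames, all of which are assumptions. A "TIMEOUT" result reproduces the symptom BWC saw in Packet-Monitor, where the query reaches the firewall but no answer comes back; NXDOMAIN or REFUSED means the proxy answered but the name was not resolvable or the query was not permitted, which is what you would expect for the network the SSL VPN pool is not supposed to reach.

```python
"""Probe a DNS server the way an SSL VPN client would, to verify that a
SonicWall DNS proxy actually answers for internal and external names.

Added example, not code from the forum thread or from SonicWall. Only the
standard library is used; the server address and hostnames are placeholders.
"""
import random
import socket
import struct

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, qtype=1, txid=None):
    """Build a recursive query (default A record) for `name`; returns (txid, bytes)."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    # Header: ID, flags (RD set), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    question = qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN
    return txid, header + question


def _read_name(data, offset):
    """Decode a domain name at `offset`, following compression pointers."""
    labels, end = [], None
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2  # resume after the pointer once done
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def parse_response(data, expected_txid=None):
    """Return (rcode name, [A-record IPs]) from a raw DNS response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction ID mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    rcode = RCODE_NAMES.get(flags & 0x0F, str(flags & 0x0F))
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = _read_name(data, offset)
        offset += 4  # QTYPE + QCLASS
    ips = []
    for _ in range(an):
        _, offset = _read_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(data[offset:offset + 4]))
        offset += rdlen
    return rcode, ips


def probe(server, name, timeout=3.0):
    """Send one A query to `server` on UDP/53. 'TIMEOUT' is the
    'request received, no answer returned' case from the thread."""
    txid, packet = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "TIMEOUT", []
    return parse_response(data, txid)


if __name__ == "__main__":
    # Assumed values: the SSLDNS interface from the recipe above and three
    # placeholder names (reachable domain, blocked domain, public name).
    proxy = "10.10.10.254"
    for host in ("dc1.corp.example", "host.other.example", "www.example.com"):
        rcode, ips = probe(proxy, host)
        print(f"{host:25s} -> {rcode:8s} {', '.join(ips)}")
```

Run it from a machine connected through the SSL VPN; if every line reports TIMEOUT, the access rule or client route to the SSLDNS interface is missing, while REFUSED points at the DNS policy scope (the SSLVPN IP pool restriction) rather than at routing.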
