  1. #1
    Untangler
    Join Date
    Dec 2018
    Posts
    64

    SSL Inspector and DNS Path

    Hi all,

    I noticed something that seems odd (or perhaps not), but when SSL Inspector is engaged, DNS requests go out via the DNS server assigned in the External interface; however, if disabled, it goes out as expected over the Tunnel VPN tunnel. Neither SSL Inspector nor Tunnel VPN have rules that would trigger this behavior. Any thoughts as to the order of processing and why this may happen?

  2. #2
    Untangler
    Join Date
    Dec 2018
    Posts
    64

    Guess not. Definitely odd behavior.

  3. #3
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    25,304

    DNS isn't changed by SSL Inspector.

    What you're seeing is how Untangle handles DNS in general. TunnelVPN is a "wan" interface, and any DNS on any WAN interface is used at random by DNSMasq on Untangle to service any device behind Untangle.

    So if you want devices to use DNS over the tunnel, you need to use DHCP to configure them to do so. Or you can use a port forward...

    There are a bunch of paths you can follow, but none of them are terribly good for different reasons.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  4. #4
    Untangler
    Join Date
    Dec 2018
    Posts
    64

    Quote Originally Posted by sky-knight View Post
    DNS isn't changed by SSL Inspector.

    What you're seeing is how Untangle handles DNS in general. TunnelVPN is a "wan" interface, and any DNS on any WAN interface is used at random by DNSMasq on Untangle to service any device behind Untangle.

    So if you want devices to use DNS over the tunnel, you need to use DHCP to configure them to do so. Or you can use a port forward...

    There are a bunch of paths you can follow, but none of them are terribly good for different reasons.
    Thanks. I actually use a port forward rule to send all non-VPN DNS requests to a public DNS server, but it normally only applies to devices that fall outside of TunnelVPN. Is there a way to have a port forward rule to force DNS requests through the tunnel? I prefer the DNS requests to go through the Tunnel so they're encrypted as Untangle doesn't have DNS over TLS as of yet. DNS requests except devices bypassing the tunnel do indeed go through the tunnel until I enable SSL inspector.

  5. #5
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    25,304

    Yes, port forward rules don't care about destination. So you can match UDP/TCP traffic destined for port 53 and forward to whatever you want. That new destination box usually is aimed at something on the LAN, but it doesn't have to. Just beware, you need to be very careful with your rule so you don't break Untangle's DNS!

    Use JCoffin's rule as an example: https://forums.untangle.com/networki...tml#post241439
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
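    The rule sky-knight describes in this post (match UDP/TCP traffic to port 53 and rewrite its destination) together with the caveat about not breaking Untangle's own DNS can be sketched as a small model. The code below is an added example, not from the thread and not Untangle's rule engine; the addresses, the tunnel network 10.8.0.0/24, the gateway addresses and the sample flows are all constructed. It applies the port-53 redirect only to client traffic, leaves the gateway's own upstream lookups (dnsmasq) untouched, and includes a leak check that flags client DNS that would still exit on a non-tunnel interface.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed values for the model (assumptions, not taken from the thread).
TUNNEL_NET = ipaddress.ip_network("10.8.0.0/24")   # network reachable only over TunnelVPN
TUNNEL_RESOLVER = "10.8.0.1"                       # resolver that sits behind the tunnel
TUNNEL_IFACE = "TunnelVPN"
EXTERNAL_IFACE = "External"
# Untangle's own LAN and WAN addresses: dnsmasq's upstream lookups originate here
# and must not be redirected, otherwise the gateway's DNS breaks.
GATEWAY_ADDRS = frozenset({"192.168.1.1", "203.0.113.10"})


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "udp" or "tcp"
    dport: int


def egress_for(dst: str) -> str:
    """Toy route lookup: tunnel-side destinations leave via the tunnel,
    everything else via the External interface."""
    return TUNNEL_IFACE if ipaddress.ip_address(dst) in TUNNEL_NET else EXTERNAL_IFACE


def is_client_dns(flow: Flow) -> bool:
    """DNS (port 53, UDP or TCP) that did not originate from the gateway itself."""
    return (flow.dport == 53
            and flow.proto in ("udp", "tcp")
            and flow.src not in GATEWAY_ADDRS)


def apply_dns_forward(flow: Flow) -> Flow:
    """The port-forward rule: rewrite the destination of client DNS to the
    tunnel-side resolver. Gateway-originated DNS and non-DNS traffic pass unchanged."""
    if not is_client_dns(flow):
        return flow
    return replace(flow, dst=TUNNEL_RESOLVER)


def find_dns_leaks(flows):
    """Client DNS flows whose destination would route out a non-tunnel interface."""
    return [f for f in flows if is_client_dns(f) and egress_for(f.dst) != TUNNEL_IFACE]


def leak_summary(flows):
    """(leaks before the rule, leaks after the rule) for a set of flows."""
    before = len(find_dns_leaks(flows))
    after = len(find_dns_leaks([apply_dns_forward(f) for f in flows]))
    return before, after


# Constructed sample flows: two client lookups to public resolvers (would leak),
# one gateway upstream lookup (must be left alone), one client lookup already
# aimed at the tunnel resolver, and one HTTPS flow that the rule must ignore.
SAMPLE_FLOWS = [
    Flow("192.168.1.50", "8.8.8.8", "udp", 53),
    Flow("192.168.1.51", "9.9.9.9", "tcp", 53),
    Flow("192.168.1.1", "1.1.1.1", "udp", 53),
    Flow("192.168.1.60", "10.8.0.1", "tcp", 53),
    Flow("192.168.1.50", "93.184.216.34", "tcp", 443),
]

if __name__ == "__main__":
    before, after = leak_summary(SAMPLE_FLOWS)
    print(f"client DNS leaving outside the tunnel: before rule={before}, after rule={after}")
    for f in SAMPLE_FLOWS:
        print(f"{f.src} -> {f.dst}:{f.dport}/{f.proto}  =>  {apply_dns_forward(f).dst} via {egress_for(apply_dns_forward(f).dst)}")
```

    The source exception is the important part: a rule that matches every port-53 packet regardless of source also catches the gateway's own resolver traffic, which is the way such a rule breaks Untangle's DNS.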

  6. #6
    Untangler
    Join Date
    Dec 2018
    Posts
    64

    Quote Originally Posted by sky-knight View Post
    Yes, port forward rules don't care about destination. So you can match UDP/TCP traffic destined for port 53 and forward to whatever you want. That new destination box usually is aimed at something on the LAN, but it doesn't have to. Just beware, you need to be very careful with your rule so you don't break Untangle's DNS!

    Use JCoffin's rule as an example: https://forums.untangle.com/networki...tml#post241439
    That's exactly the rule I'm using, however, it does not affect DNS going through Tunnel VPN, only devices bypassing the Tunnel which is the behavior I want, but SSL Inspector throws a monkey wrench in it somehow. I know I can also have DHCP hand out the DNS server, but those requests will go out unencrypted even if I use a VPN's DNS server.
