You can benefit from significant performance gains by operating modern business applications in the cloud (e.g. Microsoft Office 365, AWS, etc). Application routing uses rules to direct trusted applications from the branch office directly to the Internet. This relieves the load on the VPN connection to the main office and also on the Internet connection at the main office.
Microsoft explicitly recommends this mode for Office 365. Because these web-based services often have no fixed IP address, they can only be recognized by DNS names. For this purpose, the corresponding DNS targets can be created in the firewall with an appropriate wildcard expression. These packets are marked with a different routing tag so that the router directs them straight to the Internet. As an alternative, layer-7 application control can be implemented in the firewall. This gives you full control over how applications operate on your network. By defining rules for DNS-based applications, you decide which Internet applications are allowed, blocked, limited or prioritized.
If a user now invokes one of these DNS targets in his or her browser, the computer sends a DNS request for this domain. The DNS forwarder in the LANCOM router then forwards this request to the Internet Service Provider. When the response arrives the router stores the returned IP address, and from that moment on this resolution is available in the firewall. The response then continues on to the computer that made the original request. This allows the browser to open the connection to the returned IP address. The firewall recognizes the previously learned IP address and can assign a routing tag correspondingly. Other defined firewall actions can also be applied to this destination, such as allow, block, limit, or prioritize.
Because the firewall remembers the exact DNS address that the user uses for the domain, this mechanism will also work if the domain name resolves to many different IP addresses or to IP addresses that change over time.
Recommendations
The LANCOM router must operate as a DNS server or DNS forwarder on the network, i.e. clients on the local network must use the router as the DNS server. In addition, clients need to be prevented from using DNS-over-TLS and DNS-over-HTTPS (also in the browser) directly with external DNS servers.
- The DHCP server has to communicate the IP address of the router as a DNS server (set by default by the Internet wizard)
- Firewall rules have to be set up that prevent the direct use of external DNS servers, e.g. by blocking the outgoing port 53 (UDP) for clients on the source network
- Firewall rules have to be set up that prevent the direct use of external DNS servers that support DNS-over-TLS, e.g. by blocking the outgoing port 853 (TCP) for clients on the source network
- Disable DNS-over-HTTPS (DoH) in the browser
Notes on how to synchronize the firewall's DNS database:
Since the firewall learns its information from the DNS requests of the clients, in certain situations the DNS database will be incomplete. This can happen in the following situations:
- A new firewall rule is added, but the client still has a cached DNS entry
- The router was recently restarted, and the client still has a cached DNS entry
Helpful in these cases are emptying the DNS cache on the client, rebooting the client, or a time-out of the DNS record on the client.
The router’s own services, such as ping, are not handled by the firewall rules. By sending a ping to a full DNS name (without wildcard expressions), the generation of rule resolutions (DNS to IP addresses) can be performed on-demand either from the CLI (once) or by a cron job.
