Channel: Objective Development Forums

Is VPN traffic monitored by LittleSnitch?

Question: Does LittleSnitch 3.0.3 "see" IPSec VPN connections so as to monitor connections and apply rules? If so, are there specific filters to constrain DNS queries to a known set of "approved" DNS servers?

Motivation: A remote business office with Mac OS X 10.8.2 computers was compromised when someone gained access to the internal WiFi LAN and redirected all WiFi clients to use a rogue DNS rather than the ISP's DNS. The attackers also modified the firmware of the Apple WiFi equipment so as to prevent a manual override of the DNS servers back to the correct DNS servers for the ISP. Ultimately, we had to flash the Apple hardware back to an earlier version to regain control and force a reset of the DNS entries.

However, we have noticed some odd behavior for remote Mac OS X 10.8.2 computers that connected via an IPSec VPN connection (via VPNTracker software) to the compromised site (e.g., they lost their ability to SAFE BOOT after connecting to the compromised business office LAN). The good news is these remote 10.8.2 computers are running LittleSnitch 3.0.3, but we are not finding a means of "tuning" the DNS rules to ensure that all lookups are restricted (via LittleSnitch) to the approved DNS servers. In fact, we aren't seeing ANY traffic on LittleSnitch related to the VPN tunnel (and use of the remote DNS servers) ... which raises the question as to whether or not LittleSnitch can "see" the actual, unencrypted IPSec VPN traffic so as to apply its rules and filters.
