
Turning off Sophos XG DNS server stops resolution of hostname (using external DNS server)?

I'm using Sophos XG as my DHCP server but a separate device (Pi-hole) as my DNS server. Everything works fine and Pi-hole is functioning as expected. However, if I shut down the Sophos XG DNS service, I can no longer access any websites (i.e. no longer able to resolve hostnames). Why is this the case if I'm not using the Sophos XG DNS server? There is a thread here on reddit where a user was able to get it to work only by also using a separate DHCP server. I'm using CloudFlare (1.1.1.1 & 1.0.0.0) as my Upstream DNS servers in Pi-hole, so the Sophos XG DNS server should not be utilized at all.



  • I assume you are giving the devices the Pi-hole as DNS server, correct? Do you use a second DNS server?

    Does the Pi-hole use the XG or an internet-based DNS server?

    Do you have a firewall policy for the second case? And does the firewall rule match? 

  • Correct, I have the DHCP server (Sophos XG) assigning all clients Pi-hole as the DNS server. I renewed the DHCP lease and verified the devices have the Pi-hole set as the DNS server.

    Pi-hole is using Cloudflare as the Upstream DNS server (internet based).

    I do have a Firewall Policy that allows DNS out. In fact, I also have an "Allow All" firewall rule.

    As mentioned previously, everything works fine except when I stop the Sophos XG DNS server, which I shouldn't be using.

  • Let's take a look at the connection.

    Disable the DNS ACL and perform a DNS lookup. It should open a connection to cloudflare. 

    Next step: Perform a dump on shell (Advanced Shell 5 - 3) 

    tcpdump -ni any port 53 

    Can you post this ? 

  • Here's about 5-10 seconds tcpdump. I tried to access a website from my web browser (did not work) and I also did a DNS look up from Sophos XG (this actually did work).

    The computer IP address I'm using is 172.16.16.85. My Sophos XG is 172.16.16.16 and Pi-hole is 172.16.16.15. There's obviously a lot of other traffic going on from other devices on my network using DNS.

    [removed]

  • I also did tcpdump host 172.16.16.15 (Pi-hole) with the Sophos XG DNS server off and tried to access some websites which did not resolve:

    [removed]

  • Can you please do only

    tcpdump -ni any port 53 and host 1.1.1.1 

    And both outputs with enable and disable please. 

  • Here is with Sophos XG DNS server on:

    [removed] 

    Here is with Sophos XG DNS server off (attempted to access 4-5 different sites, did not work):

    [removed]

  • Do you point the XG at your pi-hole DNS?

    Ian

  • Are you using the XG as web proxy? Because it seems like the XG is doing the DNS request itself, and if you turn it off, there are no requests from the client.

    *edit* plus the .85 client seems to send broken requests, which the XG sends correctly to 1.1.1.1

  • Yeah, I'm using HTTP scanning, HTTPS decrypt and scanning as well as web and application policies, which, to my understanding, use the Sophos XG web proxy. I added my computer to a firewall rule without any policies and scanning, and with the Sophos XG DNS server turned off, it worked. So if the web proxy is enabled, the Sophos XG DNS server is still being used?
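The check the thread converges on is "which address is actually sending the queries to 1.1.1.1" in the `tcpdump -ni any port 53 and host 1.1.1.1` capture: if the firewall appears as the source and the client does not, the web proxy is resolving on the client's behalf. The following helper is an added example, not from the thread or from Sophos; it summarises a capture by query source. The capture lines are constructed in classic tcpdump format using the addresses given in the thread (XG 172.16.16.16, Pi-hole 172.16.16.15, client 172.16.16.85); hostnames and ports are made up.

```shell
#!/bin/sh
# Constructed sample of what "tcpdump -ni any port 53 and host 1.1.1.1"
# prints. Names and ports are invented; addresses are from the thread.
SAMPLE_DUMP='12:00:01.000001 IP 172.16.16.16.41000 > 1.1.1.1.53: 1001+ A? example.com. (29)
12:00:01.020000 IP 1.1.1.1.53 > 172.16.16.16.41000: 1001 1/0/0 A 93.184.216.34 (45)
12:00:02.000001 IP 172.16.16.15.51000 > 1.1.1.1.53: 2002+ A? example.net. (29)
12:00:02.020000 IP 1.1.1.1.53 > 172.16.16.15.51000: 2002 1/0/0 A 93.184.216.35 (45)
12:00:03.000001 IP 172.16.16.16.41001 > 1.1.1.1.53: 1003+ AAAA? example.com. (29)'

# Count outbound queries per source address. Only lines going TO 1.1.1.1:53
# that carry a question ("A?", "AAAA?", ...) are counted; answers coming
# back from 1.1.1.1 are ignored. Prints "source count", highest count first.
dns_query_sources() {
    awk '/ > 1\.1\.1\.1\.53: / && / [A-Z]+\? / {
            split($3, a, ".")                      # strip the source port
            src = a[1] "." a[2] "." a[3] "." a[4]
            n[src]++
         }
         END { for (s in n) print s, n[s] }' | sort -k2,2nr
}

# The address originating most queries. If this is the firewall (172.16.16.16)
# and the client (172.16.16.85) never shows up, the proxy is doing the lookups
# and stopping the XG DNS service will break proxied web traffic.
top_resolver() {
    dns_query_sources | head -n 1 | cut -d" " -f1
}

printf '%s\n' "$SAMPLE_DUMP" | dns_query_sources
```

On the firewall itself, pipe the live capture into the function instead of the sample: `tcpdump -lni any port 53 and host 1.1.1.1 | dns_query_sources` (the `-l` keeps the output line-buffered).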