This discussion has been locked.

Turning off Sophos XG DNS server stops resolution of hostname (using external DNS server)?

I'm using Sophos XG as my DHCP server but a separate device (Pi-hole) as my DNS server. Everything works fine and Pi-hole is functioning as expected. However, if I shut down the Sophos XG DNS service, I can no longer access any websites (i.e. no longer able to resolve hostnames). Why is this the case if I'm not using the Sophos XG DNS server? There is a thread here on reddit where a user was able to get it to work only by also using a separate DHCP server. I'm using CloudFlare (1.1.1.1 & 1.0.0.0) as my Upstream DNS servers in Pi-hole, so the Sophos XG DNS server should not be utilized at all.



  • I assume you are giving the devices the Pi-hole as DNS server, correct? Do you use a second DNS server?

    The Pi-hole uses the XG or an internet-based DNS server?

    Do you have a firewall policy for the second case? And does the firewall rule match? 

  • Correct, I have the DHCP server (Sophos XG) assigning all clients Pi-hole as the DNS server. I renewed the DHCP lease and verified the devices have the Pi-hole set as the DNS server.

    Pi-hole is using Cloudflare as the Upstream DNS server (internet based).

    I do have a Firewall Policy that allows DNS out. In fact, I also have an "Allow All" firewall rule.

    As mentioned previously, everything works fine except when I stop the Sophos XG DNS server, which I shouldn't be using.

  • Let's take a look at the connection.

    Disable the DNS ACL and perform a DNS lookup. It should open a connection to Cloudflare.

    Next step: Perform a dump on shell (Advanced Shell 5 - 3) 

    tcpdump -ni any port 53 

    Can you post this?

  • Here's about 5-10 seconds of tcpdump. I tried to access a website from my web browser (did not work) and I also did a DNS lookup from Sophos XG (this actually did work).

    The computer IP address I'm using is 172.16.16.85. My Sophos XG is 172.16.16.16 and Pi-hole is 172.16.16.15. There's obviously a lot of other traffic going on from other devices on my network using DNS.

    [removed]

  • I also did tcpdump host 172.16.16.15 (Pi-hole) with the Sophos XG DNS server off and tried to access some websites which did not resolve:

    [removed]

  • Can you please do only

    tcpdump -ni any port 53 and host 1.1.1.1 

    And both outputs, with it enabled and disabled, please.

  • Here is with Sophos XG DNS server on:

    [removed] 

    Here is with Sophos XG DNS server off (attempted to access 4-5 different sites, did not work):

    [removed]

  • Do you point the XG at your pi-hole DNS?

    Ian

  • Are you using the XG as web proxy? Because it seems like the XG is doing the DNS request itself, and if you turn it off, there are no requests from the client.

    *edit* plus the .85 client seems to send broken requests, which the XG sends correctly to 1.1.1.1

  • Yeah, I'm using HTTP scanning, HTTPS decrypt and scanning as well as web and application policies, which, to my understanding, use the Sophos XG web proxy. I added my computer to a firewall rule without any policies and scanning and with the Sophos XG DNS server turned off, it worked. So if the web proxy is enabled, the Sophos XG DNS server is still being used?

  • Now you got me. I am struggling a little bit with this scenario.

    So basically there are two types of Proxy, direct (standard) and transparent. 

    Clearly if you use direct/standard proxy (which needs to have XG in the browser enabled), the XG will perform the DNS request.

    In transparent proxy (So no configuration in browser), the DNS request should be done by the client via DNS server. 

    At this point I am still not sure if your DNS server is correctly configured and if the requests are correct. The dumps show you the "real" packets. And those seem to be invalid coming from your DNS server. At this point no XG module is involved, because this is the packet on arrival at the XG LAN interface. All requests of .85 are invalid.

  • I'm using a transparent proxy. I did not configure any of my web browsers to use a proxy. But like I mentioned, when I add my computer to a firewall rule with no policies or scanning (i.e. not using the web proxy), I'm able to resolve hostnames with the Sophos XG DNS server off. It appears to me that if a device is using a firewall rule that uses the web proxy, the DNS requests seem to require the Sophos XG DNS server, which I don't quite understand since my devices are using an external DNS (Pi-hole). The even stranger part is my Pi-hole is using a firewall rule that DOES have policies in use, so it should be going through the Sophos XG web proxy. Here's the various scenarios I tried:

    Computer using web proxy, Pi-hole (DNS server) using web proxy, Sophos XG DNS off = cannot resolve hostnames

    Computer using web proxy, Pi-hole not using web proxy, Sophos XG DNS off = cannot resolve hostnames

    Computer not using web proxy, Pi-hole using web proxy, Sophos XG DNS off = can resolve hostnames

    Some additional information - with the Sophos XG DNS server off but my computer not using a web proxy (firewall rule with no scanning or policies), this is what I'm seeing running:

    tcpdump -ni any port 53 and host 1.1.1.1

    17:21:02.407005 Port1, IN: IP 172.16.16.20.52594 > 1.1.1.1.53: 45961+ AAAA? bcap15.brightcloud.com. (40)
    17:21:02.407121 Port2, OUT: IP MY_IP_ADDRESS.52594 > 1.1.1.1.53: 44450+ A? bcap15.brightcloud.com. (40)
    17:21:02.407388 Port2, OUT: IP MY_IP_ADDRESS.52594 > 1.1.1.1.53: 45961+ AAAA? bcap15.brightcloud.com. (40)
    17:21:02.463456 Port2, IN: IP 1.1.1.1.53 > MY_IP_ADDRESS.52594: 44450 2/0/0[|domain]
    17:21:02.463611 Port1, OUT: IP 1.1.1.1.53 > 172.16.16.20.52594: 44450 2/0/0[|domain]
    17:21:02.489651 Port2, IN: IP 1.1.1.1.53 > MY_IP_ADDRESS.52594: 45961 0/1/0 (118)
    17:21:02.489790 Port1, OUT: IP 1.1.1.1.53 > 172.16.16.20.52594: 45961 0/1/0 (118)
    17:21:25.035834 Port1, IN: IP 172.16.16.20.58633 > 1.1.1.1.53: 3047+ A? bcap15.brightcloud.com. (40)
    17:21:25.036007 Port2, OUT: IP MY_IP_ADDRESS.58633 > 1.1.1.1.53: 3047+ A? bcap15.brightcloud.com. (40)
    17:21:25.036090 Port1, IN: IP 172.16.16.20.58633 > 1.1.1.1.53: 4966+ AAAA? bcap15.brightcloud.com. (40)
    17:21:25.036183 Port2, OUT: IP MY_IP_ADDRESS.58633 > 1.1.1.1.53: 4966+ AAAA? bcap15.brightcloud.com. (40)
    17:21:25.087215 Port2, IN: IP 1.1.1.1.53 > MY_IP_ADDRESS.58633: 3047 2/0/0[|domain]
    17:21:25.087393 Port1, OUT: IP 1.1.1.1.53 > 172.16.16.20.58633: 3047 2/0/0[|domain]
    17:21:25.087562 Port2, IN: IP 1.1.1.1.53 > MY_IP_ADDRESS.58633: 4966 0/1/0 (118)
    17:21:25.091994 Port1, OUT: IP 1.1.1.1.53 > 172.16.16.20.58633: 4966 0/1/0 (118)
    17:21:44.290859 Port1, IN: IP 172.16.16.20.44635 > 1.1.1.1.53: 56174+ A? bcap15.brightcloud.com. (40)
    17:21:44.291046 Port2, OUT: IP MY_IP_ADDRESS.44635 > 1.1.1.1.53: 56174+ A? bcap15.brightcloud.com. (40)
    17:21:44.291097 Port1, IN: IP 172.16.16.20.44635 > 1.1.1.1.53: 57983+ AAAA? bcap15.brightcloud.com. (40)
    17:21:44.291157 Port2, OUT: IP MY_IP_ADDRESS.44635 > 1.1.1.1.53: 57983+ AAAA? bcap15.brightcloud.com. (40)
    17:21:44.338663 Port2, IN: IP 1.1.1.1.53 > MY_IP_ADDRESS.44635: 56174 2/0/0[|domain]
    17:21:44.338761 Port1, OUT: IP 1.1.1.1.53 > 172.16.16.20.44635: 56174 2/0/0[|domain]
    17:21:44.369453 Port2, IN: IP 1.1.1.1.53 > MY_IP_ADDRESS.44635: 57983 0/1/0 (118)
    17:21:44.369508 Port1, OUT: IP 1.1.1.1.53 > 172.16.16.20.44635: 57983 0/1/0 (118)

    I accessed about 5-6 websites that weren't cached in my external DNS server (Pi-hole). They all resolved just fine. The weird part is I don't think any of these log messages are from when I was accessing websites because normally I see a ton of entries as the website is loading and none of the domains above match the websites I was accessing.

    When I turn off the Sophos XG DNS server and my computer is using the web proxy, still with an external DNS (Pi-hole), I'm seeing this message when I try to access websites:

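The dumps above are being read by eye to answer two questions: which host actually originates the queries that reach 1.1.1.1 (a LAN client arriving IN on the LAN port, or the XG itself going OUT on the WAN port), and which LAN queries never get a reply forwarded back to them. The script below is an added example, not code from the thread or from Sophos; it parses lines in the `tcpdump -ni any port 53` format shown in the post (`Iface, DIR: IP src.port > dst.port: txid ...`) and produces that summary. The capture it runs on is constructed for illustration: the WAN address `203.0.113.10` and the client `172.16.16.85` queries with no answer are assumptions, not taken from the thread.

```python
"""Summarize a 'tcpdump -ni any port 53' capture taken on a Sophos XG style
firewall: who originates DNS queries, and which LAN queries get no answer.
Added example for this thread; the sample capture below is constructed."""
import re
from collections import Counter

# One tcpdump line: "HH:MM:SS.usec Iface, DIR: IP src.port > dst.port: txid[+] ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) (?P<iface>\S+), (?P<dir>IN|OUT): "
    r"IP (?P<src>\S+) > (?P<dst>\S+): (?P<txid>\d+)\+?(?P<rest>.*)$"
)
# Query tail:    " A? bcap15.brightcloud.com. (40)"
QUERY_RE = re.compile(r"^\s*(?P<qtype>[A-Z]+)\? (?P<name>\S+)")
# Response tail: " 2/0/0[|domain]" or " 0/1/0 (118)"  (answer/authority/additional)
RESP_RE = re.compile(r"^\s*(?P<an>\d+)/(?P<ns>\d+)/(?P<ar>\d+)")

# Constructed capture (not from the thread): one LAN resolver query that is
# NATed out and answered, two firewall-originated queries, and two client
# queries that never receive a response.
SAMPLE = """\
17:21:02.407005 Port1, IN: IP 172.16.16.20.52594 > 1.1.1.1.53: 44450+ A? bcap15.brightcloud.com. (40)
17:21:02.407121 Port2, OUT: IP 203.0.113.10.52594 > 1.1.1.1.53: 44450+ A? bcap15.brightcloud.com. (40)
17:21:02.463456 Port2, IN: IP 1.1.1.1.53 > 203.0.113.10.52594: 44450 2/0/0[|domain]
17:21:02.463611 Port1, OUT: IP 1.1.1.1.53 > 172.16.16.20.52594: 44450 2/0/0[|domain]
17:21:05.100000 Port2, OUT: IP 203.0.113.10.40001 > 1.1.1.1.53: 9001+ A? www.example.com. (33)
17:21:05.150000 Port2, IN: IP 1.1.1.1.53 > 203.0.113.10.40001: 9001 1/0/0 (49)
17:21:09.000000 Port1, IN: IP 172.16.16.85.51000 > 1.1.1.1.53: 777+ A? www.example.org. (33)
17:21:09.000100 Port1, IN: IP 172.16.16.85.51000 > 1.1.1.1.53: 778+ AAAA? www.example.org. (33)
""".splitlines()


def split_host_port(endpoint):
    """'172.16.16.20.52594' -> ('172.16.16.20', 52594); also fine for a placeholder host."""
    host, port = endpoint.rsplit(".", 1)
    return host, int(port)


def parse_line(line):
    """Return a dict describing one DNS packet, or None if the line is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, sport = split_host_port(m["src"])
    dst, dport = split_host_port(m["dst"])
    pkt = {"iface": m["iface"], "dir": m["dir"], "txid": int(m["txid"]),
           "src": src, "sport": sport, "dst": dst, "dport": dport}
    q = QUERY_RE.match(m["rest"])
    if q:
        pkt.update(kind="query", qtype=q["qtype"], name=q["name"].rstrip("."))
        return pkt
    r = RESP_RE.match(m["rest"])
    if r:
        pkt.update(kind="response", answers=int(r["an"]))
        return pkt
    return None


def summarize(lines):
    """Count query packets per (source, direction), list LAN hosts that originate
    queries (seen arriving IN on the firewall), and find IN queries for which no
    response was sent back OUT to the same host, port and transaction id."""
    by_source = Counter()
    pending = {}    # (client_ip, client_port, txid) -> query packet
    answered = {}   # same key -> answer count from the forwarded response
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt["kind"] == "query":
            by_source[(pkt["src"], pkt["dir"])] += 1
            if pkt["dir"] == "IN":
                pending[(pkt["src"], pkt["sport"], pkt["txid"])] = pkt
        else:
            key = (pkt["dst"], pkt["dport"], pkt["txid"])
            if pkt["dir"] == "OUT" and key in pending:
                answered[key] = pkt["answers"]
    unanswered = [(k[0], v["qtype"], v["name"])
                  for k, v in pending.items() if k not in answered]
    lan_origins = sorted({src for (src, d) in by_source if d == "IN"})
    return {"by_source": dict(by_source), "lan_origins": lan_origins,
            "answered": len(answered), "unanswered": unanswered}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

Run it against a saved capture with `summarize(open("dump.txt").read().splitlines())`. A summary in which only the WAN address appears under `by_source` with direction `OUT` means the firewall is resolving on its own behalf (the proxy case described above); entries in `unanswered` point at LAN queries that reached the LAN interface but never got a reply forwarded back, which is where to look before suspecting the upstream resolver.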
  • I would take a deeper look at the DNS server. From my point of view, it is causing this issue. The DNS requests from it are invalid.