
Turning off Sophos XG DNS server stops resolution of hostname (using external DNS server)?

I'm using Sophos XG as my DHCP server but a separate device (Pi-hole) as my DNS server. Everything works fine and Pi-hole is functioning as expected. However, if I shut down the Sophos XG DNS service, I can no longer access any websites (i.e. no longer able to resolve hostnames). Why is this the case if I'm not using the Sophos XG DNS server? There is a thread here on reddit where a user was able to get it to work only by also using a separate DHCP server. I'm using CloudFlare (1.1.1.1 & 1.0.0.0) as my Upstream DNS servers in Pi-hole, so the Sophos XG DNS server should not be utilized at all.



  • I assume you are giving the devices the Pi-hole as DNS server, correct? Do you use a second DNS server?

    Does the Pi-hole use the XG or an internet-based DNS server?

    Do you have a firewall policy for the second case? And does the firewall rule match? 

  • Correct, I have the DHCP server (Sophos XG) assigning all clients Pi-hole as the DNS server. I renewed the DHCP lease and verified the devices have the Pi-hole set as the DNS server.

    Pi-hole is using Cloudflare as the Upstream DNS server (internet based).

    I do have a Firewall Policy that allows DNS out. In fact, I also have an "Allow All" firewall rule.

    As mentioned previously, everything works fine except when I stop the Sophos XG DNS server, which I shouldn't be using.

  • Here's about 5-10 seconds of tcpdump. I tried to access a website from my web browser (did not work) and I also did a DNS lookup from Sophos XG (this actually did work).

    The computer IP address I'm using is 172.16.16.85. My Sophos XG is 172.16.16.16 and Pi-hole is 172.16.16.15. There's obviously a lot of other traffic going on from other devices on my network using DNS.
    [removed]

  • I also did tcpdump host 172.16.16.15 (Pi-hole) with the Sophos XG DNS server off and tried to access some websites which did not resolve:
    [removed]

  • Can you please do only

    tcpdump -ni any port 53 and host 1.1.1.1 

    And both outputs with enable and disable please. 

  • Here is with Sophos XG DNS server on:
    [removed] 

    Here is with Sophos XG DNS server off (attempted to access 4-5 different sites, did not work):
    [removed]

  • Do you point the XG at your pi-hole DNS?

    Ian

  • Are you using the XG as web proxy? Because it seems like the XG is doing the DNS request itself, and if you turn it off, there are no requests from the client.

    *edit* plus the .85 client seems to send broken requests, which the XG sends correctly to 1.1.1.1

  • Yeah, I'm using HTTP scanning, HTTPS decrypt and scanning as well as web and application policies, which, as I understand it, use the Sophos XG web proxy. I added my computer to a firewall rule without any policies and scanning and with the Sophos XG DNS server turned off, it worked. So if the web proxy is enabled, the Sophos XG DNS server is still being used?

  • Now you've got me. I am struggling a little bit with this scenario.

    So basically there are two types of Proxy, direct (standard) and transparent. 

    Clearly, if you use the direct/standard proxy (which needs the XG to be enabled as proxy in the browser), the XG will perform the DNS request.

    With a transparent proxy (so no configuration in the browser), the DNS request should be done by the client via its DNS server.

    At this point I am still not sure if your DNS server is correctly configured and if the requests are correct. The dumps show you the "real" packets, and those seem to be invalid coming from your DNS server. At this point no XG module has taken part, because it is the packet at arrival on the XG LAN interface. All requests from .85 are invalid.

  • I'm using a transparent proxy. I did not configure any of my web browsers to use a proxy. But like I mentioned, when I add my computer to a firewall rule with no policies or scanning (i.e. not using the web proxy), I'm able to resolve hostnames with the Sophos XG DNS server off. It appears to me that if a device is using a firewall rule that uses the web proxy, the DNS requests seem to require the Sophos XG DNS server, which I don't quite understand since my devices are using an external DNS (Pi-hole). The even stranger part is my Pi-hole is using a firewall rule that DOES have policies in use, so it should be going through the Sophos XG web proxy. Here are the various scenarios I tried:

    Computer using web proxy, Pi-hole (DNS server) using web proxy, Sophos XG DNS off = cannot resolve hostnames

    Computer using web proxy, Pi-hole not using web proxy, Sophos XG DNS off = cannot resolve host names

    Computer not using web proxy, Pi-hole using web proxy, Sophos XG DNS off = can resolve hostnames
    Some additional information - with the Sophos XG DNS server off but my computer not using a web proxy (firewall rule with no scanning or policies), this is what I'm seeing running:

    tcpdump -ni any port 53 and host 1.1.1.1

    17:21:02.407005 Port1, IN: IP 172.16.16.20.52594 > 1.1.1.1.53: 45961+ AAAA? bcap15.brightcloud.com. (40)
    17:21:02.407121 Port2, OUT: IP MY_IP_ADDRESS.52594 > 1.1.1.1.53: 44450+ A? bcap15.brightcloud.com. (40)
    17:21:02.407388 Port2, OUT: IP MY_IP_ADDRESS.52594 > 1.1.1.1.53: 45961+ AAAA? bcap15.brightcloud.com. (40)
    17:21:02.463456 Port2, IN: IP 1.1.1.1.53 > MY_IP_ADDRESS.52594: 44450 2/0/0[|domain]
    17:21:02.463611 Port1, OUT: IP 1.1.1.1.53 > 172.16.16.20.52594: 44450 2/0/0[|domain]
    17:21:02.489651 Port2, IN: IP 1.1.1.1.53 > MY_IP_ADDRESS.52594: 45961 0/1/0 (118)
    17:21:02.489790 Port1, OUT: IP 1.1.1.1.53 > 172.16.16.20.52594: 45961 0/1/0 (118)
    17:21:25.035834 Port1, IN: IP 172.16.16.20.58633 > 1.1.1.1.53: 3047+ A? bcap15.brightcloud.com. (40)
    17:21:25.036007 Port2, OUT: IP MY_IP_ADDRESS.58633 > 1.1.1.1.53: 3047+ A? bcap15.brightcloud.com. (40)
    17:21:25.036090 Port1, IN: IP 172.16.16.20.58633 > 1.1.1.1.53: 4966+ AAAA? bcap15.brightcloud.com. (40)
    17:21:25.036183 Port2, OUT: IP MY_IP_ADDRESS.58633 > 1.1.1.1.53: 4966+ AAAA? bcap15.brightcloud.com. (40)
    17:21:25.087215 Port2, IN: IP 1.1.1.1.53 > MY_IP_ADDRESS.58633: 3047 2/0/0[|domain]
    17:21:25.087393 Port1, OUT: IP 1.1.1.1.53 > 172.16.16.20.58633: 3047 2/0/0[|domain]
    17:21:25.087562 Port2, IN: IP 1.1.1.1.53 > MY_IP_ADDRESS.58633: 4966 0/1/0 (118)
    17:21:25.091994 Port1, OUT: IP 1.1.1.1.53 > 172.16.16.20.58633: 4966 0/1/0 (118)
    17:21:44.290859 Port1, IN: IP 172.16.16.20.44635 > 1.1.1.1.53: 56174+ A? bcap15.brightcloud.com. (40)
    17:21:44.291046 Port2, OUT: IP MY_IP_ADDRESS.44635 > 1.1.1.1.53: 56174+ A? bcap15.brightcloud.com. (40)
    17:21:44.291097 Port1, IN: IP 172.16.16.20.44635 > 1.1.1.1.53: 57983+ AAAA? bcap15.brightcloud.com. (40)
    17:21:44.291157 Port2, OUT: IP MY_IP_ADDRESS.44635 > 1.1.1.1.53: 57983+ AAAA? bcap15.brightcloud.com. (40)
    17:21:44.338663 Port2, IN: IP 1.1.1.1.53 > MY_IP_ADDRESS.44635: 56174 2/0/0[|domain]
    17:21:44.338761 Port1, OUT: IP 1.1.1.1.53 > 172.16.16.20.44635: 56174 2/0/0[|domain]
    17:21:44.369453 Port2, IN: IP 1.1.1.1.53 > MY_IP_ADDRESS.44635: 57983 0/1/0 (118)
    17:21:44.369508 Port1, OUT: IP 1.1.1.1.53 > 172.16.16.20.44635: 57983 0/1/0 (118)
    I accessed about 5-6 websites that weren't cached in my external DNS server (Pi-hole). They all resolved just fine. The weird part is I don't think any of these log messages are from when I was accessing websites because normally I see a ton of entries as the website is loading and none of the domains above match the websites I was accessing.

    When I turn off the Sophos XG DNS server and my computer is using the web proxy, still with an external DNS (Pi-hole), I'm seeing this message when I try to access websites:

  • I would take a deeper look at the DNS server. From my point of view, it is causing this issue. The DNS requests from it are invalid.

  • Here are some captures using tcpdump -ni any port 53. All of these are using an external DNS which is Pi-hole with an IP address of 172.16.16.15 using an Upstream DNS of 9.9.9.9 (primary) and 149.112.112.112 (secondary); both are Quad9 DNS service. I've only included log entries that had the URL I was trying to access.
    Sophos XG DNS on, Web Proxy on - accessing www.macrumors.com and everything is working normally:

    08:49:13.092360 Port1, IN: IP 172.16.16.15.44454 > 9.9.9.9.53: 27200+ A? www.macrumors.com. (35)
    08:49:13.092557 Port2, OUT: IP MY_ISP_IP.44454 > 9.9.9.9.53: 27200+ A? www.macrumors.com. (35)
    08:49:13.315790 lo, IN: IP 127.0.0.1.59978 > 127.0.0.1.53: 35732+ A? www.macrumors.com. (35)
    08:49:13.315868 Port1, OUT: IP 172.16.16.16.37285 > 172.16.16.15.53: 24977+ A? www.macrumors.com. (35)

    This looks as I'd expect. You can see the request entering Port 1 (LAN) on Sophos XG and being sent out on Port 2 (WAN) to 9.9.9.9. I'm not sure what the third entry is with a 'lo' interface and it bouncing between 127.0.0.1 (localhost). I'm assuming that's something internal on Sophos XG? But the last entry shows what I believe is the DNS response that eventually gets sent back to Pi-hole from Sophos XG.
    Sophos XG DNS off, Web Proxy on - accessing www.microsoft.com and I can't access any websites:

    08:57:05.667123 Port1, IN: IP 172.16.16.15.14980 > 149.112.112.112.53: 29452+ A? www.microsoft.com. (35)
    08:57:05.667302 Port2, OUT: IP MY_ISP_IP.14980 > 149.112.112.112.53: 29452+ A? www.microsoft.com. (35)
    08:57:05.808488 lo, IN: IP 127.0.0.1.59978 > 127.0.0.1.53: 41186+ A? www.microsoft.com. (35)
    08:57:14.119397 lo, IN: IP 127.0.0.1.59978 > 127.0.0.1.53: 41186+ A? www.microsoft.com. (35)
    08:57:19.127402 lo, IN: IP 127.0.0.1.59978 > 127.0.0.1.53: 41186+ A? www.microsoft.com. (35)

    The difference now is I don't see a request to 9.9.9.9 but instead 149.112.112.112. Then you can see it just sits inside the 'lo' interface and never sends anything back to Pi-hole from Sophos XG.
    Sophos XG DNS off, Web Proxy off - accessing www.sony.com and everything works normally:

    09:00:38.429178 Port1, IN: IP 172.16.16.15.64140 > 149.112.112.112.53: 44668+ A? www.sony.com. (30)
    09:00:38.429367 Port2, OUT: IP MY_ISP_IP.64140 > 149.112.112.112.53: 44668+ A? www.sony.com. (30)

    It looks similar to above (Sophos XG DNS off, Web Proxy on) except I don't see anything on the 'lo' interface. I also never see anything going back to Pi-hole (172.16.16.15) like in the very first example (Sophos XG DNS on, Web Proxy on).

    I'm not sure what to make of this but here's what I do know:

    • Everything works fine with Sophos XG DNS enabled.
    • When I disable Sophos XG DNS, I cannot resolve hostnames but Sophos XG is still receiving and sending the DNS request.
    • If I turn off the web proxy WITH Sophos XG DNS still off, it starts working again.

    This leads me to believe the issue is with Sophos XG, not Pi-hole.

  • Here's another example with Sophos XG DNS off and the Web Proxy on, except I let it try to resolve for longer and this includes some of the log entries around www.lexus.com as well. I also set up Pi-hole to only use 9.9.9.9 (removed 149.112.112.112 as secondary Upstream DNS). Again, I could not resolve any websites:

    09:37:09.694697 Port1, IN: IP 172.16.16.15.35875 > 9.9.9.9.53: 59871+ A? www.lexus.com. (31)
    09:37:09.694856 Port2, OUT: IP MY_ISP_IP.35875 > 9.9.9.9.53: 59871+ A? www.lexus.com. (31)
    09:37:09.802537 Port2, IN: IP 9.9.9.9.53 > MY_ISP_IP.35875: 59871 5/0/0 CNAME[|domain]
    09:37:09.802657 Port1, OUT: IP 9.9.9.9.53 > 172.16.16.15.35875: 59871 5/0/0 CNAME[|domain]
    09:37:10.012858 lo, IN: IP 127.0.0.1.47058 > 127.0.0.1.53: 6774+ A? www.lexus.com. (31)
    09:37:10.570539 Port1, IN: IP 172.16.16.15.11276 > 9.9.9.9.53: 27862+[|domain]
    09:37:10.570710 Port2, OUT: IP MY_ISP_IP.11276 > 9.9.9.9.53: 27862+[|domain]
    09:37:16.903419 lo, IN: IP 127.0.0.1.47058 > 127.0.0.1.53: 6774+ A? www.lexus.com. (31)
    09:37:21.911466 lo, IN: IP 127.0.0.1.47058 > 127.0.0.1.53: 6774+ A? www.lexus.com. (31)

    Same as mentioned before, nothing works and I never see anything going back to Pi-hole (172.16.16.15) because I suspect Sophos XG isn't getting a valid response from Quad9. That seems to be the common theme:

    • Sophos XG DNS on and Web Proxy on, URLs resolve, there is a log entry of Port1, OUT: IP 172.16.16.16.63792 > 172.16.16.15.53
    • Sophos XG DNS off and Web Proxy on, URLs do not resolve, there is no log entry as described above.
    • Sophos XG DNS off and Web Proxy off, URLs resolve, there is no log entry as described above.

    The weird part is how come URLs resolve with Sophos XG DNS off and the Web Proxy off, but I'm not seeing that "Port 1, OUT" log entry from Sophos XG to Pi-hole?
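    The diagnosis in this thread rests on reading the tcpdump captures by hand and noticing which queries never get a "Port1, OUT" reply back to the client. As an added example (my own script, not something from this thread, from Sophos, or from Pi-hole), the Python below parses lines in the same "iface, IN/OUT: IP src.port > dst.port: txid ..." format as the captures posted above, pairs every query with its reply per interface using the client address, client port and DNS transaction id, and reports which transactions went unanswered and how often the client retried them. The sample input is a handful of lines copied from the captures in this thread; the interface names and the idea of a per-side summary are the only things it assumes about the format.

```python
import re
from collections import OrderedDict

# Lines copied from the tcpdump -ni any port 53 captures posted in this thread
# (DNS server off, web proxy on): a client query that never gets a reply on
# either side, a loopback query retried three times without a reply, and one
# transaction (www.lexus.com) that is answered on both interfaces.
SAMPLE_CAPTURE = """\
08:57:05.667123 Port1, IN: IP 172.16.16.15.14980 > 149.112.112.112.53: 29452+ A? www.microsoft.com. (35)
08:57:05.667302 Port2, OUT: IP MY_ISP_IP.14980 > 149.112.112.112.53: 29452+ A? www.microsoft.com. (35)
08:57:05.808488 lo, IN: IP 127.0.0.1.59978 > 127.0.0.1.53: 41186+ A? www.microsoft.com. (35)
08:57:14.119397 lo, IN: IP 127.0.0.1.59978 > 127.0.0.1.53: 41186+ A? www.microsoft.com. (35)
08:57:19.127402 lo, IN: IP 127.0.0.1.59978 > 127.0.0.1.53: 41186+ A? www.microsoft.com. (35)
09:37:09.694697 Port1, IN: IP 172.16.16.15.35875 > 9.9.9.9.53: 59871+ A? www.lexus.com. (31)
09:37:09.694856 Port2, OUT: IP MY_ISP_IP.35875 > 9.9.9.9.53: 59871+ A? www.lexus.com. (31)
09:37:09.802537 Port2, IN: IP 9.9.9.9.53 > MY_ISP_IP.35875: 59871 5/0/0 CNAME[|domain]
09:37:09.802657 Port1, OUT: IP 9.9.9.9.53 > 172.16.16.15.35875: 59871 5/0/0 CNAME[|domain]
"""

# One capture line: "ts iface, DIR: IP src.port > dst.port: txid[flags] rest".
# The flags after the id are tcpdump's DNS flag characters (+ * $ -).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<iface>[^,]+), (?P<dir>IN|OUT): IP "
    r"(?P<src>\S+?)\.(?P<sport>\d+) > (?P<dst>\S+?)\.(?P<dport>\d+): "
    r"(?P<txid>\d+)(?P<flags>[+*$-]*)\s*(?P<rest>.*)$"
)
# Query type and name, e.g. "A? www.lexus.com." (absent on truncated [|domain] lines).
QNAME_RE = re.compile(r"\b(?P<qtype>AAAA|A|CNAME|PTR|MX|TXT|SOA|NS|SRV)\? (?P<name>\S+)")


def parse_line(line):
    """Parse one capture line; return a dict, or None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # A packet coming *from* port 53 is a reply; everything else is treated as a query.
    rec["is_reply"] = rec["sport"] == "53" and rec["dport"] != "53"
    return rec


def match_transactions(capture_text):
    """Pair queries with replies, keyed by (interface, client addr, client port, txid).

    A forwarding firewall shows the same transaction twice (LAN side with the
    real client address, WAN side with the NATed address), so each side is
    tracked separately; an unanswered side tells you where the reply went missing.
    """
    txns = OrderedDict()
    for line in capture_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["is_reply"]:
            key = (rec["iface"], rec["dst"], rec["dport"], rec["txid"])
        else:
            key = (rec["iface"], rec["src"], rec["sport"], rec["txid"])
        t = txns.setdefault(key, {"name": None, "attempts": 0, "answered": False})
        if rec["is_reply"]:
            t["answered"] = True
        else:
            t["attempts"] += 1  # the same id seen again is the client retrying
            q = QNAME_RE.search(rec["rest"])
            if q and t["name"] is None:
                t["name"] = q.group("name").rstrip(".")
    return txns


def unanswered(capture_text):
    """Queries that never received a reply on the interface they were seen on."""
    return [
        (iface, client, port, txid, t["name"], t["attempts"])
        for (iface, client, port, txid), t in match_transactions(capture_text).items()
        if t["attempts"] and not t["answered"]
    ]


def per_interface_summary(capture_text):
    """Per interface: queries seen, answered, unanswered, and retransmits."""
    summary = {}
    for (iface, _, _, _), t in match_transactions(capture_text).items():
        if not t["attempts"]:
            continue  # reply whose query fell outside the capture window
        s = summary.setdefault(
            iface, {"queries": 0, "answered": 0, "unanswered": 0, "retransmits": 0}
        )
        s["queries"] += 1
        s["answered" if t["answered"] else "unanswered"] += 1
        s["retransmits"] += t["attempts"] - 1
    return summary


if __name__ == "__main__":
    for iface, s in per_interface_summary(SAMPLE_CAPTURE).items():
        print(f"{iface:6s} {s}")
    for iface, client, port, txid, name, attempts in unanswered(SAMPLE_CAPTURE):
        print(f"no reply on {iface}: {client}.{port} id {txid} {name} (asked {attempts}x)")
```

    Run it against a saved capture with `per_interface_summary(open("capture.txt").read())`. On the sample above it reports one unanswered transaction on each of Port1 and Port2 (the www.microsoft.com query that never came back from upstream) and one on lo that was retried twice, which is the pattern the thread eventually traced to the firewall's own re-resolution rather than to Pi-hole.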

  • Next guess from my side: do you use Pharming Protection?

    https://community.sophos.com/kb/en-us/132634

    This is another feature which requires DNS on XG. 

    But I still do not completely understand what you are trying to achieve.

    And another point: what exactly do you mean by "DNS on XG off"? What do you disable?

  • That was it - if I disable 'Pharming Protection', everything works fine. So basically if your clients are using a firewall rule that has packets going through the Web Proxy and Pharming Protection is enabled, the Sophos XG DNS server must be running in order for Pharming Protection to work even if you're using an external DNS server. In other words, it appears Pharming Protection cannot use an external DNS server.

    I wasn't necessarily trying to achieve anything, but trying to understand why if my Sophos XG DNS server is off, I wasn't able to resolve any URLs when I'm using an external DNS server.

    What I meant by the Sophos XG DNS server off is I would go to System Services -> Services and Stop the DNS Server.

    Edit: Looking at the Sophos documentation on Pharming Protection, line 5 under 'Pharming protection enabled' states "If they are allowed to reach this host, the firewall will then re-resolve the host <domain.com> using its DNS configuration." If the above is true, wouldn't it be better to re-write the last part as "uses the Sophos XG DNS server" because it doesn't appear to be using the DNS configuration (that sounds like what would be set in the DNS settings section which would mean I could point it to an external DNS server). Perhaps putting a note in the Help documentation as well that states the Sophos XG DNS server must be running for this function to work.