
DNS host entry not working as intended? XG 17.5

This was working in a previous version of XG and now I have a similar configuration and it doesn't work.

This is my DNS configuration

DNS Host Entry configuration

But an nslookup resolves to the public interface IP instead of 192.168.1.220.

Shouldn't the DNS host entry override the DNS configuration and resolve the local IP? It was working like this before.



  • Now, it simply doesn't work.

    I think I haven't encountered a single panel in Sophos XG configuration that is bug free; even the most basic stuff fails. Enterprise grade firewall...

    Any clue why Sophos XG doesn't want to forward that domain to the local IP and still resolves the domain with 1.1.1.1?

  • So I edit the host entry, apply, reboot, it works; after 20 min or so it stops working. I can't resolve the domain from different PCs, smartphones, or browsers.

    The same setting works in pfSense without rebooting (I have just tried) and in FortiOS as well (I have tried this in the past).

    EDIT: a colleague who is also testing Sophos XG for its company has exactly the same issue, so at least I'm not the only one.

  • Hi,

    I modified my XG because you made me realise why I was not able to access my XG during an internet outage. What DNS do your internal devices use?

    Ian

    One thing I did notice was I needed to create another certificate for the internal address otherwise FF and Safari get upset and require exceptions to be added.

  • My computers are resolving with 1.1.1.1 (leased by the DHCP server). As far as I know the purpose of the DNS host entry setting is to override this, so every time that domain is called locally it is resolved with the local address I choose.

    This works in pfSense/OPNsense and FortiGate, and I have set up a dnsmasq server as well, configured it properly, and it works, even if my PC is trying to resolve the address with 1.1.1.1.

    The worst thing is that if I reboot the firewall it works properly for a while, the local address is resolved, but then it goes back to resolving the address wrongly.

    The certificates aren't the issue here.

  • As far as I know this isn't the case. Your devices have to use the XG as nameserver so the XG has to be pushed to the clients by the DHCP server. 

    I don't have any problems with the host entry feature with this setup.

    Regards,

    Andreas

  • Hi l0rdraiden,

    Have you turned off DNS over HTTP?

    I had this problem where the browser was trying to resolve (using the browser's internal DNS over HTTP mechanism); this may be causing some issues.

  • You mean that I should choose my Sophos Firewall XG IP as the only DNS server here?

    Then how is Sophos XG going to resolve external domains? It will fail.

    And why does it work for a while after a reboot if I'm configuring it wrongly? And why does it work with other firewalls? DNS host entries should override everything else.

  • No, the configuration in the XG is ok. Your clients should use your XG as DNS server. Maybe I got you wrong but it sounds to me that your clients also use 1.1.1.1 or 1.0.0.1 as DNS servers. 

    The DNS server in the XG is a pretty simple one which should only be used in very small environments. I'm ok with that because many people will use their Windows domain controller as DNS server. Therefore improving the DNS server isn't a high priority at Sophos, I guess.

  • Thanks, it worked, I must be stupid not figuring this out before xD
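Added example, not from the thread and not Sophos code: a small Python check that makes Andreas's point testable. It asks the firewall, the upstream resolver and this host's own resolver for the same name and reports whether the host entry is being served at all and whether the client actually consults the firewall. The addresses and hostname are constructed placeholders; it assumes a Linux/BSD-style `nslookup` on the path.

```python
import re
import subprocess
from typing import List, Optional

# Constructed placeholders (not values from the thread): edit for your network.
FIREWALL_DNS = "192.168.1.1"    # XG LAN address that serves the host entry
UPSTREAM_DNS = "1.1.1.1"        # resolver the DHCP lease currently hands out
HOSTNAME = "app.example.com"    # hypothetical name that has a host entry
LOCAL_IP = "192.168.1.220"      # internal address the entry should return

ADDR_RE = re.compile(r"^Address(?:es)?:\s*(\d{1,3}(?:\.\d{1,3}){3})")

def parse_nslookup(output: str) -> List[str]:
    """Extract answer IPv4s from Linux/BSD-style nslookup output.

    The leading 'Server:/Address:' header names the resolver itself, so
    addresses are only collected after the first 'Name:' line.
    """
    answers, in_answer = [], False
    for line in output.splitlines():
        if line.startswith("Name:"):
            in_answer = True
        elif in_answer:
            m = ADDR_RE.match(line)
            if m:
                answers.append(m.group(1))
    return answers

def query(name: str, server: Optional[str] = None) -> List[str]:
    """Run `nslookup name [server]`; no server means this host's own resolver."""
    cmd = ["nslookup", name] + ([server] if server else [])
    proc = subprocess.run(cmd, capture_output=True, text=True, timeout=10)
    return parse_nslookup(proc.stdout)

def diagnose(firewall: List[str], client: List[str], local_ip: str) -> str:
    """Map the firewall's answer and the client's answer to the thread's cases."""
    if local_ip not in firewall:
        return "entry-not-applied-on-firewall" if firewall else "no-answer-from-firewall"
    if local_ip in client:
        return "ok"
    # The firewall serves the override but the client never asks it: the client
    # resolves via 1.1.1.1 from DHCP or via the browser's DNS over HTTPS.
    return "client-bypasses-firewall"

if __name__ == "__main__":
    fw, up, me = query(HOSTNAME, FIREWALL_DNS), query(HOSTNAME, UPSTREAM_DNS), query(HOSTNAME)
    print(f"firewall={fw} upstream={up} this-host={me}")
    print("verdict:", diagnose(fw, me, LOCAL_IP))
```

A verdict of `client-bypasses-firewall` is the situation in this thread: the host entry is fine, but DHCP (or the browser's own resolver) sends clients straight to 1.1.1.1, so the override is never consulted.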