Sophos XG as DNS server doesn't respond to DNS queries on WAN interface

Hi!

I installed a Sophos XG VM at home; I'm testing it and will probably use it for my home network and lab.

Sophos runs as a VM on my homelab server.

I have 2 subnets there:

1. 192.168.1.0/24 - called Outside, with the FW WAN interface attached to it. As this has been my LAN since forever, I still have most of my physical stuff there (laptops, smartphones, vacuum, etc.)

2. 192.168.2.0/24 - called Inside, with the FW LAN interface attached. This subnet will be used for the public servers I'll deploy. Maybe even everything.

I used a Raspberry Pi 4 as my home DNS server and I want to move this task to the Sophos FW.

After creating DNS entries and adding a FW rule allowing DNS queries, my endpoints in the Inside subnet can query Sophos, but PCs in the Outside subnet see only timeouts:

C:\Users\Shadow>nslookup vcenter.home 192.168.1.5
Server: sophos_out.home
Address: 192.168.1.5

DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** No internal type for both IPv4 and IPv6 Addresses (A+AAAA) records available
for vcenter.home

What am I missing here?

Below I paste my config screens.

I see nothing in logs and the rule does not get any hits.

The Raspberry, which is in the Outside LAN, gets timeouts:

pi@RaspberryPI:~ $ nslookup vcenter 192.168.1.5
Server: 192.168.1.5
Address: 192.168.1.5#53

Non-authoritative answer:
;; connection timed out; no servers could be reached

tcpdump shows that Sophos seems to be trying to ask external DNS servers (while it has that entry configured):

SF01V_SO01_SFOS 18.5.2 MR-2-Build380# tcpdump -n -i Port2 host 192.168.1.2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on Port2, link-type EN10MB (Ethernet), capture size 262144 bytes
18:38:47.718764 Port2, IN: IP 192.168.1.2.53489 > 192.168.1.5.53: 64456+ A? vcenter.home. (30)
18:38:47.718965 Port2, OUT: IP 192.168.1.5.53 > 192.168.1.2.53489: 64456 0/0/0 (30)
18:38:47.720457 Port2, IN: IP 192.168.1.2.53260 > 192.168.1.5.53: 48833+ AAAA? vcenter.home. (30)
18:38:48.026122 Port2, OUT: IP 192.168.1.5.10773 > 192.168.1.2.53: 21632+ A? www.google.co.cr. (34)
18:38:48.026315 Port2, OUT: IP 192.168.1.5.20349 > 192.168.1.2.53: 19286+ A? www.google.hu. (31)
18:38:48.050778 Port2, IN: IP 192.168.1.2.53 > 192.168.1.5.20349: 19286 1/0/0 A 172.217.16.3 (47)
18:38:48.051513 Port2, IN: IP 192.168.1.2.53 > 192.168.1.5.10773: 21632 1/0/0 A 142.250.186.195 (50)
18:38:49.248080 Port2, OUT: IP 192.168.1.5.3013 > 192.168.1.2.53: 55936+ A? www.google.com.ag. (35)
18:38:49.325492 Port2, IN: IP 192.168.1.2.53 > 192.168.1.5.3013: 55936 1/0/0 A 142.250.75.3 (51)
18:38:51.071770 Port2, OUT: IP 192.168.1.5.19551 > 192.168.1.2.53: 47218+ A? e86303.dscx.akamaiedge.net. (44)
18:38:51.101439 Port2, IN: IP 192.168.1.2.53 > 192.168.1.5.19551: 47218 2/0/0 A 23.53.43.88, A 23.53.43.89 (76)
18:38:52.075028 Port2, OUT: IP 192.168.1.5.58256 > 192.168.1.2.53: 65152+ A? www.google.cg. (31)
18:38:52.115872 Port2, IN: IP 192.168.1.2.53 > 192.168.1.5.58256: 65152 1/0/0 A 216.58.209.3 (47)
18:38:52.720513 Port2, IN: IP 192.168.1.2.53260 > 192.168.1.5.53: 48833+ AAAA? vcenter.home. (30)
18:38:53.402455 Port2, OUT: IP 192.168.1.5.34668 > 192.168.1.2.53: 53644+ A? search.yahoo.com. (34)
18:38:53.406971 Port2, IN: IP 192.168.1.2.53 > 192.168.1.5.34668: 53644 2/0/0 CNAME ds-global3.l7.search.ystg1.b.yahoo.com., A 212.82.100.137 (93)
18:38:54.007096 Port2, OUT: IP 192.168.1.5.50918 > 192.168.1.2.53: 46985+ A? www.google.gm. (31)
18:38:54.007239 Port2, OUT: IP 192.168.1.5.13930 > 192.168.1.2.53: 52441+ A? www.google.co.ls. (34)
18:38:54.007395 Port2, OUT: IP 192.168.1.5.9163 > 192.168.1.2.53: 45042+ A? ds-global3.l7.search.ystg1.b.yahoo.com. (56)
18:38:54.007724 Port2, IN: IP 192.168.1.2.53 > 192.168.1.5.9163: 45042 1/0/0 A 212.82.100.137 (72)
18:38:54.013434 Port2, IN: IP 192.168.1.2.53 > 192.168.1.5.13930: 52441 1/0/0 A 172.217.20.163 (50)
18:38:54.036147 Port2, IN: IP 192.168.1.2.53 > 192.168.1.5.50918: 46985 1/0/0 A 216.58.215.99 (47)
18:38:55.228758 Port2, OUT: IP 192.168.1.5.24638 > 192.168.1.2.53: 64755+ A? www.google.com.co. (35)
18:38:55.228909 Port2, OUT: IP 192.168.1.5.7022 > 192.168.1.2.53: 26177+ A? www.google.com.uy. (35)
18:38:55.256317 Port2, IN: IP 192.168.1.2.53 > 192.168.1.5.24638: 64755 1/0/0 A 172.217.16.3 (51)
18:38:55.268611 Port2, IN: IP 192.168.1.2.53 > 192.168.1.5.7022: 26177 1/0/0 A 216.58.208.195 (51)
18:38:57.051900 Port2, OUT: IP 192.168.1.5.62105 > 192.168.1.2.53: 21261+ A? www.google.co.ls. (34)
18:38:57.080597 Port2, IN: IP 192.168.1.2.53 > 192.168.1.5.62105: 21261 1/0/0 A 142.250.203.195 (50)
18:38:57.720671 Port2, IN: IP 192.168.1.2.53260 > 192.168.1.5.53: 48833+ AAAA? vcenter.home. (30)
18:38:58.273230 Port2, OUT: IP 192.168.1.5.11035 > 192.168.1.2.53: 8050+ A? www.google.sc. (31)
18:38:58.314315 Port2, IN: IP 192.168.1.2.53 > 192.168.1.5.11035: 8050 1/0/0 A 172.217.20.163 (47)
18:38:59.076198 Port2, OUT: IP 192.168.1.5.45504 > 192.168.1.2.53: 40964+ A? www.google.com.sa. (35)
18:38:59.118294 Port2, IN: IP 192.168.1.2.53 > 192.168.1.5.45504: 40964 1/0/0 A 216.58.215.99 (51)
18:39:01.005038 Port2, OUT: IP 192.168.1.5.6363 > 192.168.1.2.53: 22419+ A? www.google.kg. (31)
18:39:01.029220 Port2, IN: IP 192.168.1.2.53 > 192.168.1.5.6363: 22419 1/0/0 A 216.58.209.3 (47)
18:39:06.090029 Port2, OUT: IP 192.168.1.5.28248 > 192.168.1.2.53: 36625+ A? www.google.nl. (31)
18:39:06.097414 Port2, IN: IP 192.168.1.2.53 > 192.168.1.5.28248: 36625 1/0/0 A 142.250.203.131 (47)
18:39:06.207617 Port2, IN: IP 192.168.1.7.63390 > 192.168.1.2.53: 13905+ [1au] A? vcenter.home. (53)
18:39:06.207955 Port2, IN: IP 192.168.1.2.53 > 192.168.1.7.63390: 13905* 1/0/1 A 192.168.1.7 (57)
18:39:06.208677 Port2, IN: IP 192.168.1.7.64610 > 192.168.1.2.53: 27041+ [1au] AAAA? vcenter.home. (53)
18:39:06.208983 Port2, IN: IP 192.168.1.2.53 > 192.168.1.7.64610: 27041 0/0/1 (41)
^C

When I try to do the same thing from a VM in the Inside LAN, Sophos replies correctly...

C:\Users\Shadow>nslookup vcenter.home 192.168.2.1
Server: sophos_in.home
Address: 192.168.2.1

Non-authoritative answer:
Name: vcenter.home
Address: 192.168.1.7

SF01V_SO01_SFOS 18.5.2 MR-2-Build380# tcpdump -n -i Port1 host 192.168.2.2 and port udp 53
tcpdump: can't parse filter expression: syntax error
SF01V_SO01_SFOS 18.5.2 MR-2-Build380# tcpdump -n -i Port1 host 192.168.2.2 and port 53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on Port1, link-type EN10MB (Ethernet), capture size 262144 bytes
18:44:25.850824 Port1, IN: IP 192.168.2.2.53288 > 192.168.2.1.53: 1+ PTR? 1.2.168.192.in-addr.arpa. (42)
18:44:25.851090 Port1, OUT: IP 192.168.2.1.53 > 192.168.2.2.53288: 1 1/0/0 PTR sophos_in.home. (70)
18:44:25.853549 Port1, IN: IP 192.168.2.2.53289 > 192.168.2.1.53: 2+ A? vcenter.home. (30)
18:44:25.853796 Port1, OUT: IP 192.168.2.1.53 > 192.168.2.2.53289: 2 1/0/0 A 192.168.1.7 (46)
18:44:25.855775 Port1, IN: IP 192.168.2.2.53290 > 192.168.2.1.53: 3+ AAAA? vcenter.home. (30)
18:44:25.856506 Port1, OUT: IP 192.168.2.1.53 > 192.168.2.2.53290: 3 0/0/0 (30)
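An added example, not part of the original post: a small Python script that pairs each DNS query in the tcpdump one-line decode above with its replies by client address, client port and transaction ID, so the WAN-side symptom (an A lookup answered with 0/0/0 and an AAAA lookup retransmitted three times with no reply) stands out next to the LAN-side capture where the same name is answered. The sample lines are copied from the Port2 and Port1 captures in the post; the key format and status names are this script's own choice.

```python
import re

# tcpdump's DNS decode as SFOS prints it: "<ts> <iface>, <IN|OUT>: IP <src>.<sport> > <dst>.<dport>: <txid>[+*] <payload>"
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<iface>\S+), (?P<dir>IN|OUT): IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<id>\d+)[+*]*\s*(?P<payload>.*)$")
QUERY = re.compile(r"^(?:\[[^\]]*\] )?(?P<qtype>[A-Z]+)\? (?P<name>\S+)")  # "[1au] A? name."
RESP = re.compile(r"^(?:\w+ )?(?P<an>\d+)/\d+/\d+")  # "[NXDomain ]answers/authority/additional"

def correlate(capture):
    """Pair queries with replies by (client ip, client port, txid); retransmits share all three."""
    txns = {}
    for raw in capture.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # banner lines, ^C, non-DNS traffic
        q, r = QUERY.match(m["payload"]), RESP.match(m["payload"])
        if q:
            key = f"{m['src']}:{m['sport']}#{m['id']}"
            rec = txns.setdefault(key, {"qtype": q["qtype"], "name": q["name"], "server": m["dst"],
                                        "iface": m["iface"], "attempts": 0, "replies": []})
            rec["attempts"] += 1
        elif r:
            key = f"{m['dst']}:{m['dport']}#{m['id']}"
            if key in txns:  # replies whose query was not captured are ignored
                txns[key]["replies"].append(int(r["an"]))
    for rec in txns.values():  # "empty" = reply with zero answers, normal for AAAA of a v4-only host
        rec["status"] = ("unanswered" if not rec["replies"]
                         else "empty" if max(rec["replies"]) == 0 else "answered")
    return txns

def suspicious(txns):
    """Transactions that never got a reply, plus A lookups that only got an empty one."""
    return [k for k, v in txns.items()
            if v["status"] == "unanswered" or (v["qtype"] == "A" and v["status"] == "empty")]

# Sample input: lines copied from the Port2 (WAN) and Port1 (LAN) captures in the post above.
SAMPLE = """\
18:38:47.718764 Port2, IN: IP 192.168.1.2.53489 > 192.168.1.5.53: 64456+ A? vcenter.home. (30)
18:38:47.718965 Port2, OUT: IP 192.168.1.5.53 > 192.168.1.2.53489: 64456 0/0/0 (30)
18:38:47.720457 Port2, IN: IP 192.168.1.2.53260 > 192.168.1.5.53: 48833+ AAAA? vcenter.home. (30)
18:38:48.026122 Port2, OUT: IP 192.168.1.5.10773 > 192.168.1.2.53: 21632+ A? www.google.co.cr. (34)
18:38:48.051513 Port2, IN: IP 192.168.1.2.53 > 192.168.1.5.10773: 21632 1/0/0 A 142.250.186.195 (50)
18:38:52.720513 Port2, IN: IP 192.168.1.2.53260 > 192.168.1.5.53: 48833+ AAAA? vcenter.home. (30)
18:38:57.720671 Port2, IN: IP 192.168.1.2.53260 > 192.168.1.5.53: 48833+ AAAA? vcenter.home. (30)
18:44:25.853549 Port1, IN: IP 192.168.2.2.53289 > 192.168.2.1.53: 2+ A? vcenter.home. (30)
18:44:25.853796 Port1, OUT: IP 192.168.2.1.53 > 192.168.2.2.53289: 2 1/0/0 A 192.168.1.7 (46)
"""
```

Run `suspicious(correlate(SAMPLE))` to list the WAN-side transactions that need explaining; the forwarded query from 192.168.1.5 to 192.168.1.2 and the Port1 lookup both come back as answered.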