Sophos XG as DNS server (for local entries) and forwarder (for public entries)

Hi!

Recently I implemented my Sophos XG as a local DNS server, but it does not resolve public DNS names.

My setup is that I have a router working as the DHCP server. Sophos is a "work in progress", with its WAN interface on the same subnet as the router. It also has a LAN interface (but the LAN is not in use yet, until all the services I need work fine).

Some details:

  • LAN is 192.168.1.0/24
  • Router: 192.168.1.1
  • Sophos XG working as DNS server: 192.168.1.5 (on its WAN interface)

Sophos does resolve public and local names, config below:

Public works:

Local works:

While on my connected PC, only local DNS works:

C:\Users\Shadow>ping mcrosoft.com
^C

C:\Users\Shadow>ping vcenter.home

Pinging vcenter.home [192.168.1.7] with 32 bytes of data:
Reply from 192.168.1.7: bytes=32 time=2ms TTL=64

Ping statistics for 192.168.1.7:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 2ms, Maximum = 2ms, Average = 2ms

C:\Users\Shadow>nslookup microsoft.com
Server:  sophos-out.home
Address:  192.168.1.5

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to sophos-out.home timed-out

C:\Users\Shadow>nslookup vcenter.home
Server:  sophos-out.home
Address:  192.168.1.5

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
Non-authoritative answer:
DNS request timed out.
    timeout was 2 seconds.
Name:    vcenter.home
Address:  192.168.1.7

I think FW rules should be ok.

But it doesn’t work.

How do I make Sophos resolve local DNS entries and work as a public DNS forwarder?



  • Hi,

    You do not need DNS on your WAN ACL.

    The XG will not resolve internal devices unless you create them in the XG, not just DHCP entries.

    When testing, make at least two or more calls because the XG takes time to update its tables after your first call.

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • Thanks for the answer.

    I removed DNS from WAN ACL as suggested:

    Sophos XG does have DNS entries added, example below:

    Now two scenarios: with Sophos DNS only, and with Sophos + Google DNS.

    When I set Sophos DNS only

    I do not resolve anything using ping, and only private DNS entries using nslookup:

    C:\Users\Shadow>ipconfig /renew *WiFi*

    C:\Users\Shadow>ipconfig /flushdns
    Windows IP Configuration
    Successfully flushed the DNS Resolver Cache.

    C:\Users\Shadow>ping microsoft.com
    Ping request could not find host microsoft.com. Please check the name and try again.

    PCAP: https://drive.google.com/file/d/1HUl7vNuMatl4VAUNmTlU52KZga-VoI7t/view?usp=sharing

    C:\Users\Shadow>ping vcenter.home
    Ping request could not find host vcenter.home. Please check the name and try again.

    PCAP: https://drive.google.com/file/d/1ZQSYmpRpxTGtUDmWnwd6mn8zjkeGyWpj/view?usp=sharing

    C:\Users\Shadow>ipconfig /flushdns
    Windows IP Configuration
    Successfully flushed the DNS Resolver Cache.

    C:\Users\Shadow>nslookup microsoft.com
    Server:  sophos-out.home
    Address:  192.168.1.5

    DNS request timed out.
        timeout was 2 seconds.
    DNS request timed out.
        timeout was 2 seconds.
    DNS request timed out.
        timeout was 2 seconds.
    DNS request timed out.
        timeout was 2 seconds.
    *** Request to sophos-out.home timed-out

    PCAP: https://drive.google.com/file/d/1j2gDcaK4tTd9f-ylClS71xDyH6ctA7Tj/view?usp=sharing

    C:\Users\Shadow>nslookup vcenter.home
    Server:  sophos-out.home
    Address:  192.168.1.5

    DNS request timed out.
        timeout was 2 seconds.
    DNS request timed out.
        timeout was 2 seconds.
    Non-authoritative answer:
    DNS request timed out.
        timeout was 2 seconds.
    Name:    vcenter.home
    Address:  192.168.1.7

    PCAP: https://drive.google.com/file/d/1HmBp9vNDw2yTkOlzD5rPKkYYGloZQPlh/view?usp=sharing

    When I set Sophos and Google DNS

    I resolve public entries with ping only and private entries with nslookup only:

    C:\Users\Shadow>ipconfig /flushdns
    Windows IP Configuration
    Successfully flushed the DNS Resolver Cache.

    C:\Users\Shadow>ping microsoft.com
    Pinging microsoft.com [20.112.52.29] with 32 bytes of data:
    Request timed out.

    Ping statistics for 20.112.52.29:
        Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
    Control-C
    ^C

    PCAP: https://drive.google.com/file/d/1mQid0mjIb1EeaaqOhUHyl9TWYlJeeeJF/view?usp=sharing

    C:\Users\Shadow>ping vcenter.home
    Ping request could not find host vcenter.home. Please check the name and try again.

    PCAP: https://drive.google.com/file/d/19R-YcwTswv5wKu3pN68FovILcEwbJZ9I/view?usp=sharing

    C:\Users\Shadow>ipconfig /flushdns
    Windows IP Configuration
    Successfully flushed the DNS Resolver Cache.

    C:\Users\Shadow>nslookup microsoft.com
    Server:  sophos-out.home
    Address:  192.168.1.5

    DNS request timed out.
        timeout was 2 seconds.
    DNS request timed out.
        timeout was 2 seconds.
    DNS request timed out.
        timeout was 2 seconds.
    DNS request timed out.
        timeout was 2 seconds.
    *** Request to sophos-out.home timed-out

    PCAP: https://drive.google.com/file/d/10owgfsUXWK5f7ZABBkTQBP5DXxA5fNry/view?usp=sharing

    C:\Users\Shadow>nslookup vcenter.home
    Server:  sophos-out.home
    Address:  192.168.1.5

    DNS request timed out.
        timeout was 2 seconds.
    DNS request timed out.
        timeout was 2 seconds.
    Non-authoritative answer:
    DNS request timed out.
        timeout was 2 seconds.
    Name:    vcenter.home
    Address:  192.168.1.7

    PCAP: https://drive.google.com/file/d/1csBeIElefck-j06-6CRfhMVWkQzv25dj/view?usp=sharing

    Summary

    With Sophos DNS only, I do not resolve anything using ping, and I resolve private DNS entries using nslookup.

    With Sophos and Google DNS set, I resolve public entries only using ping and private entries only using nslookup.

    I don't see the relationship here - ping and nslookup should query the DNS server for entry x in a similar way, but they don't behave like that...

    At the end of the day, if I set Sophos DNS only, I can use web services on my LAN only - Internet goes down ;-D

    If I set Sophos and Google DNS - I can use Internet only ;)



    some format corrections
    [edited by: Shadow82 at 6:35 AM (GMT -7) on 1 Aug 2022]
  • Hi,

    you do not want to publish a 'non-routable address' on your external interface. Does your DHCP server have the LAN interface as its DNS? You need Google DNS in your Network DNS entries, not on your PC.

    Do you have a firewall rule allowing DNS out?

    Ian 

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.
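The ping/nslookup disagreement in the outputs above comes down to which path the query takes: nslookup sends its query directly to one server, while ping asks the Windows resolver, which works through the PC's whole DNS server list. The probe below is an added example (not Sophos code and not from anyone in this thread) that queries one server directly, the way nslookup does, for an internal name and a public name, and maps the pair of outcomes onto the fixes discussed here; the server address, the two names and the 2-second timeout are assumptions taken from the thread's setup.

```python
import random
import socket
import struct

SERVER = "192.168.1.5"         # constructed from the thread: XG interface the PC uses as DNS
LOCAL_NAME = "vcenter.home"    # host entry defined on the XG itself (from the thread)
PUBLIC_NAME = "microsoft.com"  # name the XG has to forward upstream (from the thread)

def build_query(name, txid=None, qtype=1):
    """Build a minimal recursive A query (RD=1); returns (txid, wire bytes)."""
    txid = random.randrange(65536) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in name.rstrip(".").split(".")) + b"\x00"
    return txid, header + qname + struct.pack("!HH", qtype, 1)

def parse_header(txid, data):
    """Reduce a raw reply to one outcome: answer, empty, nxdomain, servfail, refused."""
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch: stray or spoofed reply")
    rcode = flags & 0x000F
    if rcode == 0 and ancount > 0:
        return "answer"
    return {0: "empty", 2: "servfail", 3: "nxdomain", 5: "refused"}.get(rcode, f"rcode{rcode}")

def probe(server, name, timeout=2.0):
    """Send one UDP query straight to `server`, nslookup-style; 'timeout' when nothing comes back."""
    txid, pkt = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(pkt, (server, 53))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return "timeout"
    return parse_header(txid, data)

def diagnose(local, public):
    # Map the (internal, public) outcomes onto the fixes discussed in the thread.
    if local == "timeout" and public == "timeout":
        return "no reply at all: DNS is not permitted for clients on this interface"
    if local == "answer" and public == "timeout":
        return "host entries work, forwarding does not: check the XG's upstream DNS servers and the rule allowing DNS out"
    if local in ("nxdomain", "empty") and public == "answer":
        return "forwarding works, internal name unknown: add a DNS host entry on the XG"
    if local == public == "answer":
        return "both resolve: hand out only this server via DHCP, not the XG plus Google"
    return f"unexpected combination: local={local}, public={public}"

if __name__ == "__main__":
    print(diagnose(probe(SERVER, LOCAL_NAME), probe(SERVER, PUBLIC_NAME)))
```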
