This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

NXDOMAIN from DNS for local records

Hi All,

I'm getting hostname resolution failures from docker containers for local DNS records; they seem unable to handle a rather strange response from the Sophos Firewall DNS service.

As far as I can tell, the problem is that the DNS server returns a correct, non-authoritative answer but then also says 'NXDOMAIN'! I'm stumped as to why it would say 'non-existent domain' when it has just successfully resolved the name from an internal DNS record.

I see the same response pattern from other systems, so it's not a docker issue.

The Sophos Firewall is the sole DNS server on the LAN and its domain is the same one as the smtp server being looked up here. Any internal host with a DNS record set up in the Firewall will get the same result - a correct response, followed by 'NXDOMAIN'.

netadmin@adminserver:~$ nslookup smtp.b****e.net
Server: 192.168.11.1
Address: 192.168.11.1#53

Non-authoritative answer:
Name: smtp.b****e.net
Address: 192.168.11.1
** server can't find smtp.b****e.net: NXDOMAIN

Even on the XG console, I get same strange combo of answers:

console> dnslookup host smtp.b****e.net                                         
Domain Name Server#  127.0.0.1                                                  
Domain Name       #  smtp.b****e.net                                            
Resolved Address 1#  192.168.11.1                                               
Total query time  #  0.11 msec                                                  
can't resolve 'smtp.b****e.net'

The DNS record looks like this:

smtp.b****e.net 192.168.11.1 TTL 60 weight 1 publish to WAN No reverse DNS No

Some of the others have reverse DNS lookup on; makes no difference.

The only internal host I can query without getting 'NXDOMAIN', is the firewall's primary name:

netadmin@adminserver:~$ nslookup gateway
Server: 192.168.11.1
Address: 192.168.11.1#53

Non-authoritative answer:
Name: gateway.b****e.net
Address: 192.168.8.1
Name: gateway.b****e.net
Address: 192.168.11.1

If I look up something that forces it to go to an upstream DNS server, it's fine:

netadmin@adminserver:~$ nslookup ns1.google.com
Server: 192.168.11.1
Address: 192.168.11.1#53

Non-authoritative answer:
Name: ns1.google.com
Address: 216.239.32.10
Name: ns1.google.com
Address: 2001:4860:4802:32::a

Why the NXDOMAIN? Can I stop that happening?

Thanks!

This thread was automatically locked due to age.

Parents

0 Raphael Alganes over 2 years ago

Hello there,

Good day and thanks for reaching out to Sophos Community, hope you are well.

Is your DNS settings on Sophos Firewall comes from ISP? If yes, Could you try changing to a public DNS and see if this would still occur?

Many thanks for your time and patience and thank you for choosing Sophos

Cheers,

Raphael Alganes
Community Support Engineer | Sophos Technical Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Raphael Alganes over 2 years ago

Hello there,

Good day and thanks for reaching out to Sophos Community, hope you are well.

Is your DNS settings on Sophos Firewall comes from ISP? If yes, Could you try changing to a public DNS and see if this would still occur?

Many thanks for your time and patience and thank you for choosing Sophos

Cheers,

Raphael Alganes
Community Support Engineer | Sophos Technical Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 JeffThompson over 2 years ago in reply to Raphael Alganes

Hi Raphael,

That makes no difference - as I would expect.
SF should return the result from its local DNS record list, which the documentation says is checked before any upstream servers, then stop, job done. Instead, it's returning that local record, but then also trying something else that causes the NXDOMAIN.

I tried an experiment: I created a local DNS record for one of my hosts that also has a public DNS entry. SF console dnslookup for that host returned the local record (LAN IP of the host), without any 'not found' issue. From this experiment, it appears that SF queries the local list first (correct) but instead of stopping there when it finds a match, it goes on to query the upstream DNS servers (incorrect behavoiur), resulting in the 'NXDOMAIN' response.
Cancel
Vote Up 0 Vote Down

Cancel
0 JeffThompson over 2 years ago in reply to JeffThompson

Did some more testing. If I create a public DNS record for the smtp server, with the private LAN IP (192.168.11.1) then there is no 'NXDOMAIN' when I query the FQDN smtp.xxxx.net. So, I conclude that Sophos FW is querying the upstream public DNS when it does not need to and is returning 'NXDOMAIN' when there is no upstream record, in addition to returning the correct local DNS record.

This - giving both a result and a failure to the client - seems to be an undesirable behaviour - i.e., a bug. Raphael Alganes , where should I raise this as a bug report?
Cancel
Vote Up 0 Vote Down

Cancel
0 emmosophos over 2 years ago in reply to JeffThompson

Hello there,

If you think this is an issue, please open a ticket with support using the Support Portal.

Once you have the Case ID, please share it with us.

Regards,

Emmanuel (EmmoSophos)

Technical Team Lead, Global Community Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Cancel