NXDOMAIN from DNS for local records

Hi All,

I'm getting hostname resolution failures from docker containers for local DNS records; they seem unable to handle a rather strange response from the Sophos Firewall DNS service.

As far as I can tell, the problem is that the DNS server returns a correct, non-authoritative answer but then also says 'NXDOMAIN'!  I'm stumped as to why it would say 'non-existent domain' when it has just successfully resolved the name from an internal DNS record.

I see the same response pattern from other systems, so it's not a docker issue.

The Sophos Firewall is the sole DNS server on the LAN and its domain is the same one as the smtp server being looked up here.  Any internal host with a DNS record set up in the Firewall will get the same result - a correct response, followed by 'NXDOMAIN'.

netadmin@adminserver:~$ nslookup smtp.b****e.net
Server: 192.168.11.1
Address: 192.168.11.1#53

Non-authoritative answer:
Name: smtp.b****e.net
Address: 192.168.11.1
** server can't find smtp.b****e.net: NXDOMAIN

Even on the XG console, I get the same strange combo of answers:

console> dnslookup host smtp.b****e.net
Domain Name Server#  127.0.0.1
Domain Name       #  smtp.b****e.net
Resolved Address 1#  192.168.11.1
Total query time  #  0.11 msec
can't resolve 'smtp.b****e.net'

The DNS record looks like this:

smtp.b****e.net 192.168.11.1 TTL 60 weight 1 publish to WAN No reverse DNS No

Some of the others have reverse DNS lookup on; makes no difference.

The only internal host I can query without getting 'NXDOMAIN' is the firewall's primary name:

netadmin@adminserver:~$ nslookup gateway
Server: 192.168.11.1
Address: 192.168.11.1#53

Non-authoritative answer:
Name: gateway.b****e.net
Address: 192.168.8.1
Name: gateway.b****e.net
Address: 192.168.11.1

If I look up something that forces it to go to an upstream DNS server, it's fine:

netadmin@adminserver:~$ nslookup ns1.google.com
Server: 192.168.11.1
Address: 192.168.11.1#53

Non-authoritative answer:
Name: ns1.google.com
Address: 216.239.32.10
Name: ns1.google.com
Address: 2001:4860:4802:32::a

Why the NXDOMAIN?  Can I stop that happening?

Thanks!



  • Hello there,

    Good day and thanks for reaching out to Sophos Community, hope you are well. 

    Are your DNS settings on Sophos Firewall coming from the ISP? If yes, could you try changing to a public DNS and see if this would still occur?

    Many thanks for your time and patience and thank you for choosing Sophos

    Cheers,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support

  • Hi Raphael,

    That makes no difference - as I would expect.
    SF should return the result from its local DNS record list, which the documentation says is checked before any upstream servers, then stop, job done. Instead, it's returning that local record, but then also trying something else that causes the NXDOMAIN.

    I tried an experiment: I created a local DNS record for one of my hosts that also has a public DNS entry.  SF console dnslookup for that host returned the local record (LAN IP of the host), without any 'not found' issue.  From this experiment, it appears that SF queries the local list first (correct) but instead of stopping there when it finds a match, it goes on to query the upstream DNS servers (incorrect behaviour), resulting in the 'NXDOMAIN' response.

  • Did some more testing.  If I create a public DNS record for the smtp server, with the private LAN IP (192.168.11.1) then there is no 'NXDOMAIN' when I query the FQDN smtp.xxxx.net.  So, I conclude that Sophos FW is querying the upstream public DNS when it does not need to and is returning 'NXDOMAIN' when there is no upstream record, in addition to returning the correct local DNS record.

    This - giving both a result and a failure to the client - seems to be an undesirable behaviour, i.e., a bug. Where should I raise this as a bug report?
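The nslookup output in the first post and the follow-up experiments both show an answer followed by NXDOMAIN; note that nslookup sends two queries for a name (A, then AAAA), so the 'Non-authoritative answer' and the NXDOMAIN can come from different replies. The following Python diagnostic is added here and is not code from the thread or from Sophos: it parses raw DNS replies and classifies each by RCODE and answer count so the pattern can be pinned to the query type that produced it. smtp.example.net stands in for the masked smtp.b****e.net, and the sample replies are constructed, not captured from the firewall.

```python
import struct
# Added diagnostic, not from the thread: parse raw DNS replies and classify each by
# RCODE and answer count, so "answer then NXDOMAIN" can be pinned to the query type.
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
A, AAAA = 1, 28

def encode_name(name):
    return b"".join(bytes([len(label)]) + label.encode() for label in name.strip(".").split(".")) + b"\x00"

def build_response(txid, name, qtype, rcode, a_addrs=()):
    # Constructed reply: QR|RD|RA set, given RCODE, A records via a 0xc00c name pointer.
    msg = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(a_addrs), 0, 0)
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)
    for addr in a_addrs:
        msg += b"\xc0\x0c" + struct.pack("!HHIH", A, 1, 60, 4) + bytes(int(o) for o in addr.split("."))
    return msg

def skip_name(msg, off):
    while msg[off] != 0 and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)   # pointer is 2 bytes, root label is 1

def classify(msg):
    _, flags, qd, an, _, _ = struct.unpack_from("!HHHHHH", msg, 0)
    rcode, off, addrs = RCODES.get(flags & 0xF, str(flags & 0xF)), 12, []
    for _ in range(qd):
        off = skip_name(msg, off) + 4                      # skip QTYPE + QCLASS
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == A and rdlen == 4:
            addrs.append(".".join(map(str, msg[off:off + 4])))
        off += rdlen
    if rcode == "NOERROR":
        status = "ANSWER" if an else "NODATA"
    else:
        status = "INCONSISTENT" if an else rcode          # answer records inside an error reply
    return {"rcode": rcode, "answers": an, "addrs": addrs, "status": status}

def diagnose(a_reply, aaaa_reply):
    # RFC 2308: NXDOMAIN means no records of any type; a name with an A record must get NODATA for AAAA.
    a, a6 = classify(a_reply), classify(aaaa_reply)
    if a["status"] == "ANSWER" and a6["status"] == "NXDOMAIN":
        return "NXDOMAIN for AAAA while A exists: resolver should answer NODATA"
    return "INCONSISTENT" if "INCONSISTENT" in (a["status"], a6["status"]) else "consistent"

NAME = "smtp.example.net"                                     # stands in for the masked smtp.b****e.net
SAMPLE_A = build_response(1, NAME, A, 0, ["192.168.11.1"])   # constructed: mirrors the local DNS record
SAMPLE_AAAA = build_response(2, NAME, AAAA, 3)                # constructed: missing upstream record
```

To test a live resolver, send each query type separately (for example with dig, once for A and once for AAAA) and pass the raw reply bytes to classify(); a NODATA reply for AAAA is the correct answer for a name that only has an A record.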
