DNS Behaviour

Hey Folks,

As a long-time UTM Home user I decided to take the plunge and go XG. Yes, it's frustrating at times, but after persisting for a few days I now have almost everything working the way it should.

I say almost, as I have an annoying problem with the DNS. My problem is this: I, like many I'm sure, run my own SMTP/IMAP mail server behind the XG serving mail for my registered domain name.

On the external registrar's DNS server I have set up the required A record to point my MX records and host name to my external IP address, and after setting up the required business rules to forward SMTP/S and IMAPS to my internal server, external access works well.

Now when I'm back home and behind the XG I use the same phone/laptop etc. to access my mail, so I need the XG to resolve the DNS name to the internal IP address for these private clients.

I have added a static DNS entry on the XG mapping the correct entry and selected IPv4 first in the DNS query order. From a client machine, 50% of the time the DNS resolves correctly to the internal address; however, the other 50% of the time the name is resolved to the external IP address of the XG, i.e. as if the XG is not resolving the request locally but instead forwarding the request to the external DNS server.

For static 'desktop' clients I can tweak local hosts files to override the issue, but this isn't an option on my smartphone and is impractical on my laptop.

Any pointers on what I need to do in order for XG to consistently resolve the DNS?

Cheers



  • I am assuming that you are using the XG as your DNS/DHCP server for your internal network. If this is the case, what DNS servers are you assigning to your DHCP clients? This should be the local interface of the firewall for that network segment and not your external DNS servers.

    Have you considered moving DHCP/DNS to an internal system for local network resolution, with forwarders on said system set to your XG, which in turn points to your external DNS servers? Below is how I have my DNS set up:

    client DNS request -> internal DNS server -> Sophos XG/UTM DNS -> OpenDNS.

    I use OpenDNS with a free account that allows me to blacklist certain categories from a DNS sense and lets me utilize OpenDNS's threat intel to avoid phishing and known bad sites. Also, I have DNS restricted to only these systems, so all my internal machines are forced to use my DNS servers or have a real hard time resolving. :)

    Hope this helps

    -Ron

  • Hi Ron,

    Thanks for the reply; apologies, I should have provided more details. All clients are set to resolve DNS via the XG's internal interface.

    The XG itself is configured to use OpenDNS's IPv4 servers and IPv6 servers.

    DNS Query Configuration is configured for IPv4 first then IPv6.

    Clients are configured using DHCP for IPv4 / RA for IPv6.

    Local servers are configured using static IPv4/IPv6 addresses.

    DNS host entries are created on the XG firewall for each static host, IPv4 only.

    I could use a separate internal DNS server, but isn't that defeating the object? All this works perfectly on the UTM 9.3/9.4 software. I'm amazed at just how poor the XG system really is. It would seem Sophos has spent all its efforts updating the interface and adding RED support.

    Another example I fell across today was IPsec: I had to drop to the CLI to issue a system IPSEC_ROUTE command before traffic would start flowing over the tunnel, an issue that dates back to the Cyberoam days, as I found the workaround on the old site. The remote end, a UTM 9.3 box, just worked!

    Come on Sophos, you charge enough for this stuff; I know, I'm just getting quotes for a couple of XG 310s. Do you not test this stuff? There's no way I'd put this into a production environment as it is.

  • Simon,

    Your thread is really interesting. Is DNS enabled on the WAN zone under System > Administration > Device access?

  • Hi Luk,

    See screen grabs below; note I've moved over to HE.net's / Google's IPv6 DNS servers.

     

    Below are results from my local workstation 'pinging' an internal server this morning; there was a 15-minute gap between pings.

    C:\Users\xxxx>ping xen-backup.xxx.com

    Pinging xen-backup.xxx.com [172.16.10.38] with 32 bytes of data:
    Reply from 172.16.10.38: bytes=32 time=1ms TTL=64
    Reply from 172.16.10.38: bytes=32 time=1ms TTL=64
    Reply from 172.16.10.38: bytes=32 time=1ms TTL=64

    Ping statistics for 172.16.10.38:
    Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 1ms, Average = 1ms
    Control-C
    ^C
    C:\Users\xxx>ping xen-backup.xxx.com
    Ping request could not find host xen-backup.xxx.com. Please check the name and try again.

    C:\Users\xxx>

  • Simon,

    Pinging the same xen-backup from the XG command line works all the time?

    Thanks.

  • I cannot say if it works 'all' the time, as I'm not constantly testing it. However, I have just run the following command from the Advanced shell on the XG:

    I then immediately ran the ping again from my workstation: 

    C:\Users\xxx>ping xen-backup.xxx.com
    Ping request could not find host xen-backup.xxx.com. Please check the name and try again.

    C:\Users\xxx>

    172.16.10.1 is the internal address of the XG, as is 2001::xxx:1.

  • Can you configure only IPv4 on your desktop?

    A tcpdump will help us to understand what is wrong.

  • I think I have a similar issue. I have an internal DNS server in which I have registered local servers/VMs. I cannot get XG to query the internal DNS server for anything. Everything I tried to set would not work. I think it only allows DNS queries to go to the WAN interface port. So I ended up having to register all of my services in both my internal DNS and in XG to get everything to work. However, I could be completely wrong, because I am having a lot of problems with XG. :-)

  • Hi,

    I have the same issue as yours with my internal email server.

    Can I please know what your fix for this was?

    Mathew