DNS Behaviour

Hey Folks,

As a long time UTM Home user I decided to take the plunge and go XG. Yes, it's frustrating at times, but after persisting for a few days I now have almost everything working the way it should.

I say almost as I have an annoying problem with the DNS; my problem is this. I, like many I'm sure, run my own SMTP/IMAP mail server behind the XG serving mail for my registered domain name.

On the external registrar's DNS server I have set up the required A record to point my MX records and host name to my external IP address, and after setting up the required business rules to forward SMTP/S and IMAPS to my internal server, external access works well.

Now when I'm back home and behind the XG I use the same phone/laptop etc. to access my mail, so I need to have the XG resolve the DNS name to the internal IP address for these private clients.

I have added a static DNS entry on the XG mapping the correct entry and selected IPv4 first in the DNS query order. From a client machine, 50% of the time the DNS resolves correctly to the internal address; however, the other 50% of the time the DNS is resolved to the external IP address of the XG, i.e. as if the XG is not resolving the request locally but instead forwarding the request to the external DNS server.

For static 'desktop' clients I can tweak local hosts files to override the issue, but this isn't an option on my smart phone and is impractical on my laptop.

Any pointers on what I need to do in order for XG to consistently resolve the DNS?

Cheers

  • I am assuming that you are using the XG for your DNS/DHCP server for your internal network. If this is the case, what DNS servers are you assigning to your DHCP clients? This should be the local interface of the firewall for that network segment and not your external DNS servers.

    Have you considered moving DHCP/DNS to an internal system for local network resolution, with forwarders on said system set to your XG, which in turn points to your external DNS servers? Below is how I have my DNS set up:

    client DNS request -> internal DNS server -> Sophos XG/UTM DNS -> OpenDNS.

    I use OpenDNS with a free account that allows me to blacklist certain categories from a DNS sense and allows me to utilize OpenDNS's threat intel to avoid phishing and known bad sites. Also, I have DNS restricted to only these systems, so all my internal machines are forced to use my DNS servers or have a real hard time resolving.  :)

    Hope this helps

    -Ron

  • Hi Ron,

    Thanks for the reply; apologies, I should have provided more details. All clients are set to resolve DNS via the XG's internal interface.

    The XG itself is configured to use OpenDNS's IPv4 servers and IPv6 servers.

    DNS Query Configuration is configured for IPv4 first then IPv6.

    Clients are configured using DHCP for IPv4 / RA for IPv6.

    Local servers are configured using static 4/6 addresses.

    DNS host entries are created on the XG firewall for each static host, IPv4 only.

    I could use a separate internal DNS server, but isn't that defeating the object? All this works perfectly on the UTM 9.3/9.4 software. I'm amazed just how poor the XG system really is. It would seem Sophos have spent all their efforts updating the interface and adding RED support.

    Another example I fell across today was IPsec: I had to drop to the CLI to issue a system IPSEC_ROUTE command before traffic would start flowing over the tunnel, an issue that dates back to the Cyberoam days, as I found the workaround on the old site. The remote end, a UTM 9.3 box, just worked!

    Come on Sophos, you charge enough for this stuff (I know, I'm just getting quotes for a couple of XG310s); do you not test this stuff? There's no way I'd put this into a production environment as it is.
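One way to pin down the behaviour described in the opening post and in the follow-up above (a static host entry that is honoured only some of the time, with clients on both IPv4 and IPv6 but host entries for IPv4 only) is to query the firewall's resolver directly, repeatedly, for both A and AAAA, and tally which addresses come back and whether any of them are outside private address space. The script below is an added example for this thread, not code from the thread or from Sophos. It assumes the XG's LAN interface address is passed on the command line as the resolver, that the firewall answers on UDP/53, and that "internal" means RFC 1918, loopback, ULA or link-local; the hostname and the sample answers used when no resolver is given are constructed.

```python
"""Query one resolver repeatedly and report whether the A/AAAA answers are
consistent and whether any fall outside private address space.
Added example, not Sophos code; resolver, hostname and sample data are assumptions."""
import ipaddress
import random
import socket
import struct
import sys
from collections import Counter

# What counts as "internal" here (assumption): RFC 1918, loopback, ULA, link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "fc00::/7", "fe80::/10", "::1/128")]

def classify(ip_text):
    """'internal' if the address is in one of INTERNAL_NETS, else 'external'."""
    ip = ipaddress.ip_address(ip_text)
    return "internal" if any(ip in net for net in INTERNAL_NETS) else "external"

def build_query(hostname, qtype, txid):
    """Minimal DNS query: header with RD set, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = hostname.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def _skip_name(buf, off):
    """Advance past a (possibly compressed) domain name."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends the name
            return off + 2
        off += length + 1

def parse_answers(buf):
    """Return [(rrtype, address)] for the A/AAAA records in the answer section."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!HHHHHH", buf, 0)
    off = 12
    for _ in range(qdcount):
        off = _skip_name(buf, off) + 4          # skip QTYPE and QCLASS
    records = []
    for _ in range(ancount):
        off = _skip_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10
        rdata = buf[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            records.append(("A", socket.inet_ntop(socket.AF_INET, rdata)))
        elif rtype == 28 and rdlen == 16:
            records.append(("AAAA", socket.inet_ntop(socket.AF_INET6, rdata)))
    return records

def build_sample_response(txid, hostname, records):
    """Constructed response (not a capture) so the parser can be exercised offline."""
    question = build_query(hostname, 1, txid)[12:]
    body = b""
    for rrtype, ip in records:
        family, rtype = (socket.AF_INET, 1) if rrtype == "A" else (socket.AF_INET6, 28)
        rdata = socket.inet_pton(family, ip)
        body += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 60, len(rdata)) + rdata
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(records), 0, 0)
    return header + question + body

def probe(resolver_ip, hostname, attempts=10, timeout=2.0):
    """Send A and AAAA queries straight to resolver_ip (IPv4, UDP/53), bypassing the OS cache."""
    collected = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for _ in range(attempts):
            for qtype in (1, 28):
                txid = random.randrange(0x10000)
                sock.sendto(build_query(hostname, qtype, txid), (resolver_ip, 53))
                try:
                    data, _ = sock.recvfrom(4096)
                except socket.timeout:
                    continue
                if struct.unpack_from("!H", data, 0)[0] == txid:
                    collected.extend(parse_answers(data))
    return collected

def summarize(answers):
    """Per record type: answer tallies, whether one address came back every time,
    and whether any answer was outside INTERNAL_NETS."""
    per_type = {}
    for rrtype, ip in answers:
        per_type.setdefault(rrtype, Counter())[ip] += 1
    return {
        rrtype: {
            "answers": dict(counts),
            "consistent": len(counts) == 1,
            "leaks_external": any(classify(ip) == "external" for ip in counts),
        }
        for rrtype, counts in per_type.items()
    }

if __name__ == "__main__":
    if len(sys.argv) == 3:      # e.g. python3 dns_consistency.py 192.168.1.1 mail.example.com
        answers = probe(sys.argv[1], sys.argv[2])
    else:                       # offline demo: constructed answers mimicking the thread's symptom
        answers = [("A", "192.168.1.10"), ("A", "203.0.113.5"), ("A", "192.168.1.10"),
                   ("AAAA", "2001:db8::10")]
    for rrtype, info in summarize(answers).items():
        print(rrtype, info)
```

Reading the output: if the A answers alternate between a private and a public address, the firewall is not applying the host entry to every query it receives, which is the symptom the opening post describes. If the A answers are consistently private while only the AAAA answers are public, that would be consistent with host entries existing for IPv4 only, so AAAA lookups from IPv6-enabled clients are forwarded upstream and get the public record. Querying the resolver address directly matters because the operating system's own cache can mask an inconsistent upstream.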