External DNS Query IssueDNS

Javier,

go to Administration > Device Access and enable DNZ on WAN Zone. Use ACL (inside the same meny) ti deny certain remote hosts/networks.

Thanks

Hi,

I enabled DNS in Device Access, and I has NATTED ports 53 in TCP/UDP, nut when i try to make external nslookup i get: DNS Request Time Out.

This has to be a public DNS (ns2.ardanet-systems.com) when i make the nslookup in ns1.ardanet-systems.com (another public IP) i get the correct result, the query works fine, but no in the sophos xg (ns2.ardanet-systems.com)

for example:

nslookup ark-servers.online ns1.ardanet-systems.com  (That is NATTED with a simple IPTABLES... works like a charm)

nslookup ark-servers.online ns2.ardanet-systems.com (That is NATTED with Sophos XG... DNS Request Time Out)

Any idea?

Thx for all

Hi,

I enabled DNS in Device Access, and I has NATTED ports 53 in TCP/UDP, nut when i try to make external nslookup i get: DNS Request Time Out.

This has to be a public DNS (ns2.ardanet-systems.com) when i make the nslookup in ns1.ardanet-systems.com (another public IP) i get the correct result, the query works fine, but no in the sophos xg (ns2.ardanet-systems.com)

for example:

nslookup ark-servers.online ns1.ardanet-systems.com  (That is NATTED with a simple IPTABLES... works like a charm)

nslookup ark-servers.online ns2.ardanet-systems.com (That is NATTED with Sophos XG... DNS Request Time Out)

Any idea?

Thx for all

Javier,

can you share your Firewall Rule where you are allowing DNS service from WAN to LAN/DMZ?

Do you see dropped packet from console using this command?

drop-packet-capture "host 'dnserver' and port 53" without quota.

Console is reachable from CLI/putty, option 4.

Thanks

OK... There are the two rules:

This is for the UDP trafic

The drop-packets-capture don't show any result... black screens always... and the requests are send... is like the packet go to wan but firewall dont run the nat rules...

Thx for advance

no one can help me?

I am just giving you some ideas because your DNAT rules look good. Are you sure you can reach the internal bind server with XG? Also, is your bind server in the zone that you are protecting with your DNAT rule? They have taken "dig" out of cli and the "nslookup" doesn't query the server specified so the only way to test DNS is to use it as your forwarder in Network > DNS and do "test name lookup" to make sure XG can actually query your bind server. 

I would also check your bind configuration and make sure your allow-clients and other acls are not denying dns requests.

If all fails, maybe a call to support is in order[:(]

Javier,

I have sent a PM to you. I would like to check your configuration.

Thanks

hi billybob,

Sure, is a very simple configuration... other ports (like 80, 443, 25, etc...) works fine, and can reach the destibation server... i has only 2 interfaces (for now) wan and lan, and the only problem is with DNS... before with pfSense, or with a simple IPTBLES... all the sistem working fine, but we are mounting a datacenter for webhosting and we would a most reliable sollution... but we are trying for now what's the better solution for us... i tested with dig and nslookup outside ns1 works fine (iptables) and ns2 cant respond to DNS queries (Sophos XG) ... is like a one server with 2 interfaces one in iptables and the other with sophos xg... with dig or nslookup can query a especified server for the results.

Is like the DNS packets drops at the WAN interface

Thx for advance

well another try...

When NAT rules are reflexive... internally can make a nslookup and resolves correctly... the NAT rules are working fine...  seems to be a problem with the WAN that can't let pass the DNS packets :( and i don't know why :(