This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

UTM 9.201-23 DNS Issues

Hey Guys:

I have run into a new issue with 9.2. I'm not sure if it is a bug or what, but at least once every week DNS Resolution on the Gateway stops working and I have to go in and manually flush the cache for DNS resolution to start working again. I turned off DNSSEC Validation and will test with it off to see if that fixes the issue. Any advice would be greatly appreciated.

My DNS Setup is:
Clients -> Server -> Sophos -> OpenDNS

Thanks,
Kyle

This thread was automatically locked due to age.

0 BAlfson over 11 years ago

Also i've seen waaay too many failures from UTM dns in regard to the http proxy. This causes mis categorizations of sites.

I've not seen this, William. Do you have an example that I can reproduce?

If you really want to use a public dns I would highly suggest using hte dns routing feature to have the utm route internal dns to the internal dns server not itself..that way all external traffic will go outside and the internal traffic will get properly resolved by the internal dns server.

Yes, this is item 4 in that post, using Request Routing to have internal FQDNs resolved.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 William Warren over 11 years ago in reply to BAlfson

I've not seen this, William. Do you have an example that I can reproduce?

Yes, this is item 4 in that post, using Request Routing to have internal FQDNs resolved.

Cheers - Bob

check your pms. I'm not going to castigate Sophos in public on this issue.

Owner: Emmanuel Technology Consulting

http://etc-md.com

Former Sophos SG(Astaro) advocate/researcher/Silver Partner

PfSense w/Suricata, ntopng,

Other addons to follow
Cancel
Vote Up 0 Vote Down

Cancel
0 Billybob over 11 years ago in reply to William Warren

UTM's dns server is not a full dns implementation ....

Why do you think that?

Just out of curiosity I restarted named and I get
2014:05:05-18:34:55 gatekeeper named[32613]: starting BIND 9.9.4-rpz2

Seems as full as it gets ....
Cancel
Vote Up 0 Vote Down

Cancel
0 William Warren over 11 years ago

It simply doesn't act like one IMO..however i just took a look at the output of my 9.2 installs and it appears to be bind....but there's still issues with their implementation.

Owner: Emmanuel Technology Consulting

http://etc-md.com

Former Sophos SG(Astaro) advocate/researcher/Silver Partner

PfSense w/Suricata, ntopng,

Other addons to follow
Cancel
Vote Up 0 Vote Down

Cancel
0 Billybob over 11 years ago in reply to William Warren

Understand... I thought you had some inside information[:D]
Cancel
Vote Up 0 Vote Down

Cancel
0 William Warren over 11 years ago

nopers..just talking from my experience..that's all..i'll usually hint if it might be insider based..otherwise i am speaking from experience..[:)]

Owner: Emmanuel Technology Consulting

http://etc-md.com

Former Sophos SG(Astaro) advocate/researcher/Silver Partner

PfSense w/Suricata, ntopng,

Other addons to follow
Cancel
Vote Up 0 Vote Down

Cancel
0 BrucekConvergent over 11 years ago

I'll just say this and leave it where it lays; never in 10 years of reselling Astaro ASG / Sophos UTM have I had a problem configuring it as Bob describes (and apparently as I described it to him, that must've been ages ago [:)] ) to do it. I'm not an advocate of using the UTM's DNS Proxy as your sole DNS (except for remote networks as a backup DNS resolver if a VPN to internal networks goes down, etc.) -- if you are on a Microsoft AD network, then, certainly, you have your clients and internal servers point at your DC(s) for DNS... but I have those servers point at the UTM for external (Internet) DNS name resolution, and I point the UTM at either the ISP's DNS (depends on how well the ISP maintains their DNS services) or OpenDNS, etc. Again, never had an issue.

To each his own, not saying my way is necessarily the "right" way, but it does simplify troubleshooting some issues, and further isolates the internal network from the big bad Internet, and has certainly served me well over the past 10 years or so. In this case, I think the issue the OP was having was because they had DNSSEC enabled, and were using OpenDNS ... that won't work.

CTO, Convergent Information Security Solutions, LLC

https://www.convergesecurity.com

Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries. Use the advice given at your own risk.
Cancel
Vote Up 0 Vote Down

Cancel
0 kyle5281 over 11 years ago in reply to BrucekConvergent

I'll just say this and leave it where it lays; never in 10 years of reselling Astaro ASG / Sophos UTM have I had a problem configuring it as Bob describes (and apparently as I described it to him, that must've been ages ago [:)] ) to do it. I'm not an advocate of using the UTM's DNS Proxy as your sole DNS (except for remote networks as a backup DNS resolver if a VPN to internal networks goes down, etc.) -- if you are on a Microsoft AD network, then, certainly, you have your clients and internal servers point at your DC(s) for DNS... but I have those servers point at the UTM for external (Internet) DNS name resolution, and I point the UTM at either the ISP's DNS (depends on how well the ISP maintains their DNS services) or OpenDNS, etc. Again, never had an issue.

To each his own, not saying my way is necessarily the "right" way, but it does simplify troubleshooting some issues, and further isolates the internal network from the big bad Internet, and has certainly served me well over the past 10 years or so. In this case, I think the issue the OP was having was because they had DNSSEC enabled, and were using OpenDNS ... that won't work.

Yes. I forgot that OpenDNS did not support DNSSEC when I changed over from Google. I'm not sure why it stopped working all of the sudden though. It has been quite a few months since I switched.
Cancel
Vote Up 0 Vote Down

Cancel
0 geoigeek over 11 years ago

Now i'm on 9.201-23 i habe also DNS Problems. I use Googles DNS Servers and now the UTM resolves no Hostname. google.de or any other.
Internal Static DNS Entrys are also broken.
A Ping direct from the UTM (Login over SSH) on google.com also failed.

Can annyone help?

There are Errors in the Selfmon Protocol:

2014:05:11-00:36:22 utm selfmonng[3772]: W actionCmd(-): '/var/mdw/scripts/cssd restart'
2014:05:11-00:36:23 utm selfmonng[3699]: I check Failed increment named_running counter 1 - 3
2014:05:11-00:36:23 utm selfmonng[3699]: W check Failed increment cssd_running counter 3 - 3
2014:05:11-00:36:23 utm selfmonng[3699]: W triggerAction: 'cmd'
2014:05:11-00:36:23 utm selfmonng[3699]: W actionCmd(-): '/var/mdw/scripts/cssd restart'
2014:05:11-00:36:27 utm selfmonng[3772]: W check Failed increment named_running counter 3 - 3
2014:05:11-00:36:27 utm selfmonng[3772]: W NOTIFYEVENT Name=named_running Level=INFO Id=119 suppressed
2014:05:11-00:36:27 utm selfmonng[3772]: W triggerAction: 'cmd'
2014:05:11-00:36:27 utm selfmonng[3772]: W actionCmd(+): '/var/mdw/scripts/named restart'
2014:05:11-00:36:28 utm selfmonng[3699]: I check Failed increment cssd_running counter 1 - 3
2014:05:11-00:36:29 utm selfmonng[3772]: W child returned status: exit='1' signal='0'
2014:05:11-00:36:29 utm selfmonng[3772]: I check Failed increment cssd_running counter 1 - 3
2014:05:11-00:36:33 utm selfmonng[3699]: I check Failed increment named_running counter 2 - 3
2014:05:11-00:36:33 utm selfmonng[3699]: I check Failed increment cssd_running counter 2 - 3
2014:05:11-00:36:34 utm selfmonng[3772]: I check Failed increment named_running counter 1 - 3
2014:05:11-00:36:34 utm selfmonng[3772]: I check Failed increment cssd_running counter 2 - 3
2014:05:11-00:36:35 utm selfmonng[3772]: I check Failed increment smtp_running counter 1 - 15
2014:05:11-00:36:38 utm selfmonng[3699]: W check Failed increment named_running counter 3 - 3
2014:05:11-00:36:38 utm selfmonng[3699]: W NOTIFYEVENT Name=named_running Level=INFO Id=119 suppressed
2014:05:11-00:36:38 utm selfmonng[3699]: W triggerAction: 'cmd'
2014:05:11-00:36:38 utm selfmonng[3699]: W actionCmd(+): '/var/mdw/scripts/named restart'
2014:05:11-00:36:39 utm selfmonng[3772]: W check Failed increment cssd_running counter 3 - 3
2014:05:11-00:36:39 utm selfmonng[3772]: W triggerAction: 'cmd'
Cancel
Vote Up 0 Vote Down

Cancel
0 martin_sh over 11 years ago

I am using windows server 2012. I have been over "DNS best practices" by Bob, but I am not sure I understand point 5 and 6.
Point 5, "Configure Windows Server (or other) DHCP server for internal devices to point at your internal name server for DNS, then the Astaro, then the OpenDNS servers". Can I use Astaro as DHCP server and Windows Server as DNS server? I have an additional subnet with computers not joined to the domain.
Point 6, "The internal DNS server's first forwarder is to the Astaro DNS Proxy, then to the OpenDNS servers". Ok, so I went to "DNS manager" of Windows server 2012. Are we talking here for "forward lookup zones" or for "conditional forwarders". Then, do we have to join astaro to the active directory? Or, perhaps we are talking about adding "dns server ip addresses" in network adapter properties? I went with the last one (but I am not sure).
Thank you,
Martin
Cancel
Vote Up 0 Vote Down

Cancel