DNS queries for any .tk domain are blocked by IPS.

I need to allow DNS lookups for a particular .tk domain.

I read this old thread but "Add an Exception for wiki.tcl.tk in 'Advanced Protection >> Advanced Threat Protection" doesn't work. The DNS lookup traffic is still blocked.

I'm in the same situation as the OP of that thread. I have a Windows DNS server for the LAN which then does forward lookups on the UTM. Unfortunately, the only thing that I can get to work is to create an IPS exception that skips IPS on all DNS lookups, but that seems way overkill:

EXCEPTION:

...

Skip IPS

Coming from internal Windows DNS server

Using DNS

Going to UTM

...

That thread is six years old, so I'm assuming something has changed in the way ATP exceptions are handled or maybe that functionality is broken now.

Has anyone come up with a better way to allow DNS lookups of a particular .tk domain?



This thread was automatically locked due to age.
  • Hello Jeff,

    If this is only one domain name, why not just add this domain to your internal DNS server?

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Thanks for the suggestion but the IP address of that domain changes.

    --------------------------------------------------------------------
    Sophos UTM 9.714-4 - Home User
    Currently testing VM on i3-9100 @ 3.60 GHz
    16 GB RAM
    Dell Optiplex XE
    Intel Core 2 Duo CPU E8600 @ 3.33GHz
    8GB RAM
    --------------------------------------------------------------------

  • If it's just a single domain, create a DNS host.

    It will then resolve that object periodically, catching any changes.

  • Thanks but this won't work because the DNS lookup, from the internal DNS server, is still blocked by the Sophos IPS because the lookup is for the .tk TLD.

    Sophos UTM 9.714-4 - Home User

  • What is the domain in question?

  • This should work:

    Philipp Rusch

  • Thanks again Philipp but that does not work either. This is a tricky situation because Sophos IPS blocks the forward DNS lookup coming from the Windows DNS server, on the internal LAN, before your exception example would have any impact. Maybe I'm not explaining the situation clearly. This old thread may be easier to understand.

    Sophos UTM 9.714-4 - Home User

  • This is a real domain: www[.]dot[.]tk

    Sophos UTM 9.714-4 - Home User

  • I tried opening www.dot.tk, resolved and opened just fine here.

  • I tried visiting www[.]dot[.]tk. It resolved and opened without any issues here.

    I'm using the UTM as the DNS server, which resolves local requests and forwards unknowns to 1.1.1.1.

    I'm using the UTM as the DNS server

    Thanks Jay. Your setup is different than mine. The DNS queries from my Windows DNS server are being blocked by Sophos IPS. DNS queries for the .tk TLD are supposed to be blocked by Sophos IPS, by design. I'm just trying to come up with a way to "whitelist" a particular .tk domain rather than disabling all IPS for all DNS queries coming from my internal DNS server, which is the only thing that works so far. There still doesn't appear to be a way to do what I want. In that old thread, Bob had suggested adding an Advanced Threat exception, but that seems to have had zero impact on my system.

    Sophos UTM 9.714-4 - Home User

    Yes, but your Windows DNS has to query from somewhere, and that would be through the UTM, so the exception for .tk that jp put above should work. You could also modify that IPS exception using the second part in his screenshot, the pulldown menu that shows "going to these destinations", and change "coming from these networks" to include your LAN and/or external connections.

    XG 19.5 GA 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | GB Ethernet x5

  • Forgive me if I'm just not understanding the suggestions each of you has made. I'm sorry but I don't know how to better explain this. The traffic (DNS query) TO the UTM is being blocked before we even need to be concerned about the suggested exceptions that allow traffic THROUGH the UTM.

    The exception I listed (text) in my OP works. Here is a screen cap of it:

    The problem with the exception above is that it exempts ALL DNS queries (coming from my internal DNS server) from IPS protection.

    Neither of the two exceptions below works because traffic is blocked by IPS BEFORE either one would "kick in":

    ------------------------------------------------------------------------------------------------

    As you can see, I do have a DNS host definition for www[.]dot[.]tk.

    As a reminder, if any of you are actually testing these exceptions on your own network, don't forget to clear the IP address from the DNS host definition and clear the DNS query cache on the local/internal DNS server, the PC and the Sophos UTM, or else you may think an exception works when it really doesn't.

    Sophos UTM 9.714-4 - Home User

  • I'm still looking at the screenshots (that first one is bugging me that it doesn't make sense, but I have to think about that), but can you post the error in your log so I can read the IPS log for it being blocked please?

    I have recently switched to XG and it's not blocked at least on that, lol.  I've never tried to go to a .tk domain on UTM.

    XG 19.5 GA 64-bit

  • IPS log entries:

    2023:04:13-19:19:44 gateway snort[22267]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .tk dns query" group="241" srcip="192.168.0.2" dstip="192.168.0.1" proto="17" srcport="49684" dstport="53" sid="39867" class="Misc activity" priority="3" generator="1" msgid="0"
    2023:04:13-19:19:50 gateway snort[22267]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .tk dns query" group="241" srcip="192.168.0.2" dstip="192.168.0.1" proto="17" srcport="64932" dstport="53" sid="39867" class="Misc activity" priority="3" generator="1" msgid="0"

    Sophos UTM 9.714-4 - Home User
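The two log lines above carry the detail the rest of the thread argued about: the drop is for SID 39867, from the Windows DNS server (srcip 192.168.0.2) to the UTM's own address (dstip 192.168.0.1) on udp/53. The script below is an added triage example written for this thread, not UTM code and not posted by anyone in it. It parses the UTM's `key="value"` IPS log format, keeps only drops for that SID, and splits them into queries addressed to the UTM itself versus queries passing through it. The first two sample lines are the ones posted above; the third and fourth are constructed (an extra client talking to an outside resolver, and an event from a made-up unrelated rule), and the set of UTM interface addresses is an assumption.

```python
import re
from collections import Counter

# Added triage example for the thread; not UTM code. The first two lines are the IPS
# log entries posted above, the third and fourth are constructed for this example.
SAMPLE_LOG = """\
2023:04:13-19:19:44 gateway snort[22267]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .tk dns query" group="241" srcip="192.168.0.2" dstip="192.168.0.1" proto="17" srcport="49684" dstport="53" sid="39867" class="Misc activity" priority="3" generator="1" msgid="0"
2023:04:13-19:19:50 gateway snort[22267]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .tk dns query" group="241" srcip="192.168.0.2" dstip="192.168.0.1" proto="17" srcport="64932" dstport="53" sid="39867" class="Misc activity" priority="3" generator="1" msgid="0"
2023:04:13-19:21:07 gateway snort[22267]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .tk dns query" group="241" srcip="192.168.0.55" dstip="8.8.8.8" proto="17" srcport="51001" dstport="53" sid="39867" class="Misc activity" priority="3" generator="1" msgid="0"
2023:04:13-19:21:09 gateway snort[22267]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="constructed unrelated rule" group="1" srcip="192.168.0.55" dstip="8.8.8.8" proto="6" srcport="51002" dstport="443" sid="1" class="Misc activity" priority="3" generator="1" msgid="0"
"""

# "<timestamp> <host> <process[pid]>: key="value" key="value" ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:]+): (?P<kv>.*)$")
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line: str):
    """Parse one UTM log line into a dict; return None if it is not in that shape."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "host": m["host"], "proc": m["proc"]}
    rec.update(KV_RE.findall(m["kv"]))
    return rec


def ips_drops(log_text: str, sid: str = "39867"):
    """Return the IPS records where the given Snort SID caused a drop."""
    recs = (parse_line(line) for line in log_text.splitlines())
    return [
        r for r in recs
        if r and r.get("sub") == "ips" and r.get("action") == "drop" and r.get("sid") == sid
    ]


def classify_path(rec, utm_addrs) -> str:
    """'to-utm' when the dropped packet was addressed to the UTM itself (the thread's
    case: the Windows DNS server forwarding to the UTM), otherwise 'through-utm'."""
    return "to-utm" if rec.get("dstip") in utm_addrs else "through-utm"


def summarize(log_text: str, utm_addrs, sid: str = "39867") -> Counter:
    """Count dropped queries per (source address, path) so the origin is obvious."""
    return Counter((r["srcip"], classify_path(r, utm_addrs)) for r in ips_drops(log_text, sid))


if __name__ == "__main__":
    UTM_ADDRS = {"192.168.0.1"}  # assumption: the UTM's internal interface address
    for (src, path), n in summarize(SAMPLE_LOG, UTM_ADDRS).items():
        print(f"{src:15} {path:12} {n} dropped .tk queries (SID 39867)")
```

A `to-utm` row for the internal DNS server's address is what the OP describes: the query is dropped on its way to the UTM's resolver, so the knobs that apply are the ones keyed on that source and service (the IPS exception) or the rule itself, not anything evaluated on the forwarded traffic.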

  • sid="39867"

    Have you tried to just disable that Snort rule?

    XG 19.5 GA 64-bit

    Yes. It works, but I wanted to whitelist only one particular .tk domain, which still doesn't seem possible.

    Disabling that Snort rule allows all .tk DNS queries to pass through which is better than exempting all DNS queries from IPS protection with an IPS exception.

    I guess this is as close as I'm going to get to being able to whitelist a single domain lookup.

    Off topic: How bumpy was that transition to XG? I guess we'll all have to make that move sooner or later or go to one of the *Sense's or Untangle.

    Sophos UTM 9.714-4 - Home User
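The reason the thread ends at "disable the rule" rather than "allow one name" is visible in the exception screens discussed above: a UTM IPS exception matches on source, service and destination, while a Snort rule such as SID 39867 matches on the DNS payload, so "this one .tk name, everything else dropped" needs a decision made on the decoded query name. Below is an added example of that check, written for this thread and not taken from Sophos or Snort. The packet builder, the allowlist contents and the verdict names are assumptions, and every packet it examines is constructed in the code.

```python
import struct

# Added example for the thread, not Sophos or Snort code. Packets are constructed
# below; the allowlist contents and the verdict names are assumptions.

DNS_HEADER = struct.Struct("!HHHHHH")  # id, flags, qdcount, ancount, nscount, arcount


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal standard DNS query: RD set, one question, class IN."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return DNS_HEADER.pack(txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)


def parse_qname(packet: bytes) -> str:
    """Decode the first question's name: lower-cased, without a trailing dot.

    Raises ValueError on anything that is not a well-formed query. Compression
    pointers in the question name are refused rather than followed, so a crafted
    packet cannot steer the parser around the packet.
    """
    if len(packet) < DNS_HEADER.size:
        raise ValueError("truncated DNS header")
    _txid, flags, qdcount, _an, _ns, _ar = DNS_HEADER.unpack_from(packet)
    if flags & 0x8000 or qdcount < 1:
        raise ValueError("not a query carrying a question")
    pos = DNS_HEADER.size
    labels = []
    while True:
        if pos >= len(packet):
            raise ValueError("truncated question name")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        if length > 63 or pos + length > len(packet):
            raise ValueError("bad label length")
        labels.append(packet[pos:pos + length].decode("ascii").lower())
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated QTYPE/QCLASS")
    return ".".join(labels)


def tk_policy(packet: bytes, allowlist=("www.dot.tk",)) -> str:
    """Per-name verdict: 'pass' for non-.tk queries, 'allow' for an allowlisted .tk
    name or a subdomain of one, 'drop' for every other .tk query."""
    qname = parse_qname(packet)
    if qname != "tk" and not qname.endswith(".tk"):
        return "pass"
    for allowed in allowlist:
        allowed = allowed.lower().rstrip(".")
        if qname == allowed or qname.endswith("." + allowed):
            return "allow"
    return "drop"


if __name__ == "__main__":
    for name in ("www.dot.tk", "WWW.DOT.TK.", "dot.tk", "evil.example.tk", "example.com"):
        print(f"{name:20} {tk_policy(build_query(name))}")
```

The comparison is made on the decoded, lower-cased name rather than on raw wire bytes, so `www.dot.tk` and `WWW.DOT.TK.` (0x20 case randomisation, trailing dot) get the same verdict, an allowlisted host does not also allow its parent `dot.tk`, and a name that merely contains the text `.tk` in the middle (`www.tk-mirror.example.com`) is left alone. This is the decision the OP wanted from the UTM; the log entries show the UTM offering only the rule on/off switch and the source/service exception.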

  • One would think selecting the option to disable IPS for a given domain (to/from/both) would disable all rules for that domain.... Who would have thunk!

    I'm in the planning stages of prepping to move to pfsense.  Exciting times ahead.