
DNS queries for any .tk domain are blocked by IPS.

I need to allow DNS lookups for a particular .tk domain.

I read this old thread but "Add an Exception for wiki.tcl.tk in 'Advanced Protection >> Advanced Threat Protection" doesn't work. The DNS lookup traffic is still blocked.

I'm in the same situation as the OP of that thread. I have a Windows DNS server for the LAN which then does forward lookups on the UTM. Unfortunately, the only thing that I can get to work is to create an IPS exception that skips IPS on all DNS lookups but that seems way overkill:

EXCEPTION:

...

Skip IPS

Coming from internal Windows DNS server

Using DNS

Going to UTM

...

That thread is six years old so I'm assuming something has changed in the way ATP exceptions are handled or maybe that functionality is broken now.

Has anyone come up with a better way to allow DNS lookups of a particular .tk domain?



  • Hello Jeff,

    if this is only one domainname, why not just add this domain to your internal DNS server?

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Thanks for the suggestion but the IP address of that domain changes.

    --------------------------------------------------------------------
    Sophos UTM 9.714-4 - Home User
    Currently testing VM on i3-9100 @ 3.60 GHz
    16 GB RAM
    Dell Optiplex XE
    Intel Core 2 Duo CPU E8600 @ 3.33GHz
    8GB RAM
    --------------------------------------------------------------------

  • I'm using utm as the dns server

    Thanks Jay. Your setup is different than mine. The DNS queries from my Windows DNS server are being blocked by Sophos IPS. DNS queries for the .tk TLD are supposed to be blocked by Sophos IPS, by design. I'm just trying to come up with a way to "whitelist" a particular .tk domain rather than disabling all IPS for all DNS queries coming from my internal DNS server, which is the only thing that works so far. There still doesn't appear to be a way to do what I want. In that old thread, Bob had suggested adding an Advanced Threat exception, but that seems to have had zero impact on my system.

  • Yes, but your Windows DNS has to query from somewhere, and that would be through the UTM, so an exception for the .tk domain should work, as JP put above. You could also modify that IPS exception with the second part in his screenshot, the pulldown menu that shows "going to these destinations", and modify the "coming from these networks" part to include your LAN and/or external connections.

    XG 19.5 GA 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | GB Ethernet x5

  • Forgive me if I'm just not understanding the suggestions each of you has made. I'm sorry but I don't know how to better explain this. The traffic (DNS query) TO the UTM is being blocked before we even need to be concerned about the suggested exceptions that allow traffic THROUGH the UTM.

    The exception I listed (text) in my OP works. Here is a screen cap of it:

    The problem with the exception above is that it exempts ALL DNS queries (coming from my internal DNS server) from IPS protection.

    Neither of the two exceptions below work because traffic is blocked by IPS BEFORE either one would "kick in":

    ------------------------------------------------------------------------------------------------

    As you can see, I do have a DNS host definition for www[.]dot[.]tk.

    As a reminder, if any of you are actually testing these exceptions on your own network, don't forget to clear the IP address from the DNS host definition, clear the DNS query cache on the local/internal DNS server, PC and Sophos UTM else you may think an exception works when it really doesn't.

  • I'm still looking at the screenshots (that first one is bugging me that it doesn't make sense, but I have to think about that), but can you post the error in your log so I can read the IPS log for it being blocked please?

    I have recently switched to XG and it's not blocked at least on that, lol.  I've never tried to go to a .tk domain on UTM.

  • IPS log entries:

    2023:04:13-19:19:44 gateway snort[22267]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .tk dns query" group="241" srcip="192.168.0.2" dstip="192.168.0.1" proto="17" srcport="49684" dstport="53" sid="39867" class="Misc activity" priority="3" generator="1" msgid="0"
    2023:04:13-19:19:50 gateway snort[22267]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .tk dns query" group="241" srcip="192.168.0.2" dstip="192.168.0.1" proto="17" srcport="64932" dstport="53" sid="39867" class="Misc activity" priority="3" generator="1" msgid="0"
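
    As an added example (not code from the thread, from Sophos, or from the UTM), here is a small Python parser for snort log lines in the key="value" layout the UTM writes, as shown in the two entries above. It turns each line into a record, keeps only IPS drops of UDP/53 traffic (DNS queries that never reached the resolver), and counts them per rule SID and source/destination pair, which is how you confirm that one rule, not a whole exception set, is what stops the lookups. The two sample lines are the ones posted above, embedded as test input; the function names are this example's own.

```python
import re
from collections import Counter

# The two IPS log lines quoted in the thread, embedded here as sample input for the example.
SAMPLE_LOG = """\
2023:04:13-19:19:44 gateway snort[22267]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .tk dns query" group="241" srcip="192.168.0.2" dstip="192.168.0.1" proto="17" srcport="49684" dstport="53" sid="39867" class="Misc activity" priority="3" generator="1" msgid="0"
2023:04:13-19:19:50 gateway snort[22267]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .tk dns query" group="241" srcip="192.168.0.2" dstip="192.168.0.1" proto="17" srcport="64932" dstport="53" sid="39867" class="Misc activity" priority="3" generator="1" msgid="0"
"""

# "<timestamp> <host> <process>[<pid>]: <key="value" ...>" prefix, then the quoted key/value pairs.
LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^\[]+)\[(?P<pid>\d+)\]: (?P<kv>.*)$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Parse one UTM log line into a dict; return None for lines that do not fit the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"),
           "proc": m.group("proc"), "pid": int(m.group("pid"))}
    rec.update(dict(KV_RE.findall(m.group("kv"))))
    return rec


def parse_log(text):
    """Parse every line of a log excerpt, skipping anything unparseable."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def dropped_dns_queries(records):
    """IPS drops of UDP (proto 17) packets to port 53: DNS queries that never reached the resolver."""
    return [r for r in records
            if r.get("sub") == "ips" and r.get("action") == "drop"
            and r.get("proto") == "17" and r.get("dstport") == "53"]


def summarize(records):
    """Count drops per (sid, srcip, dstip), so one rule hitting one resolver path stands out."""
    return Counter((r["sid"], r["srcip"], r["dstip"]) for r in records)


if __name__ == "__main__":
    drops = dropped_dns_queries(parse_log(SAMPLE_LOG))
    for (sid, src, dst), n in summarize(drops).items():
        reason = next(r["reason"] for r in drops if r["sid"] == sid)
        print(f"sid {sid} ({reason}): {n} DNS queries from {src} to {dst} dropped")
```

    Feed it the relevant lines from the IPS log (Logging & Reporting in the WebAdmin, or the snort log file on the box) and the per-SID count tells you directly which rule to exempt or disable instead of widening an exception until the symptom disappears.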

  • sid="39867"

    Have you tried to just disable that Snort rule?

  • Yes. It works but I was wanting to whitelist only one particular .tk domain which still doesn't seem possible.

    Disabling that Snort rule allows all .tk DNS queries to pass through which is better than exempting all DNS queries from IPS protection with an IPS exception.

    I guess this is as close as I'm going to get to being able to whitelist a single domain lookup.

    Off topic: How bumpy was that transition to XG? I guess we'll all have to make that move sooner or later or go to one of the *Sense's or Untangle.
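
    The per-domain allow that Jeff is asking for is not something the thread shows the UTM doing. As an added illustration (not UTM code and not a Sophos feature), this Python sketch shows what such a rule would have to evaluate: pull the QNAME out of the question section of a DNS query and apply a TLD block with a domain allowlist, so that only the listed .tk name (and its subdomains) passes while every other .tk lookup is still dropped. build_query, parse_qname, is_allowed and decide are this example's own names, and wiki.tcl.tk is used as the allowlisted domain only because it is the one named in the thread.

```python
import struct


def build_query(qname, qtype=1, txid=0x1234):
    """Build a minimal DNS query (12-byte header + one question). Constructed test input only."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # standard query, RD set, QDCOUNT=1
    labels = b"".join(struct.pack("!B", len(l)) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def parse_qname(packet):
    """Return the first question's QNAME as a lower-case name without trailing dot.

    Fails on a short header, on anything but exactly one question, on a compression
    pointer inside the question (not valid there) and on a name that runs off the packet.
    """
    if len(packet) < 12:
        raise ValueError("short header")
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        if pos >= len(packet):
            raise ValueError("truncated name")
        ln = packet[pos]
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("compression pointer in question name")
        pos += 1
        label = packet[pos:pos + ln]
        if len(label) != ln:
            raise ValueError("truncated label")
        labels.append(label.decode("ascii", errors="replace").lower())
        pos += ln
    return ".".join(labels)


def is_allowed(qname, blocked_tlds=("tk",), allowlist=("wiki.tcl.tk",)):
    """Drop names under a blocked TLD unless they are, or sit under, an allowlisted domain.

    The allowlist match is label-wise, so 'evilwiki.tcl.tk' does not match 'wiki.tcl.tk'.
    """
    labels = qname.lower().rstrip(".").split(".")
    for allowed in allowlist:
        al = allowed.lower().split(".")
        if len(labels) >= len(al) and labels[-len(al):] == al:
            return True
    return labels[-1] not in blocked_tlds


def decide(packet):
    """Return ('allow' | 'drop', qname). A malformed question fails closed."""
    try:
        name = parse_qname(packet)
    except ValueError:
        return "drop", None
    return ("allow" if is_allowed(name) else "drop"), name


if __name__ == "__main__":
    for n in ("wiki.tcl.tk", "sub.wiki.tcl.tk", "evilwiki.tcl.tk", "www.dot.tk", "example.com"):
        print(n, "->", decide(build_query(n))[0])
```

    The point of the label-wise comparison is that a plain string suffix match ("ends with wiki.tcl.tk") would also let evilwiki.tcl.tk through; an allowlist for a TLD that is blocked precisely because it is cheap to register under needs to be that strict.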

  • One would think selecting the option to disable IPS for a given domain (to/from/both), would disable all rules for that domain.... Who would of thunk!

    I'm in the planning stages of prepping to move to pfsense.  Exciting times ahead.

  • Off topic: How bumpy was that transition to XG? I guess we'll all have to make that move sooner or later or go to one of the *Sense's or Untangle.

    It's learning a new system all over again.  Migration is worthless, and frankly, doing the same thing more than once compared to what we could do in UTM is annoying (Creating static IP/Host in the same window comes to mind that you can't do in XG, amongst other things).  There are other things I really don't like about it, but there are some things that are really nice.  It's really just what tastes you have, but at first it was confusing.  It makes no sense, probably because it's new.  The Sophos Assistant tool built in is a life saver, otherwise I would have moved on to an entirely different product.

    TBH, I have stayed with Sophos because I have been here since Astaro 5.0, so that's pre-Y2K, and my APs are very recently purchased APX120s, that I don't want to just have go to waste and were purchased before the EoL announcement.

    EDIT: This was recently published on Sophos site you might find interesting: UTM to SFOS Migration Utility - Discussions Forums - Lifecycle and Migration - Sophos Community

    Yes. It works but I was wanting to whitelist only one particular .tk domain which still doesn't seem possible.

    Disabling that Snort rule allows all .tk DNS queries to pass through which is better than exempting all DNS queries from IPS protection with an IPS exception.

    I guess this is as close as I'm going to get to being able to whitelist a single domain lookup.

    It's a quick fix really.  I think JP's suggestion can work, but you will probably need to tweak your exception to make it work correctly, unless they never changed it in UTM to allow single .tk domains.  I would probably move on to some other provider if I were in that position instead of making a well-known malware domain host accessible, lol.

  • Be noted:

    At the moment the DNS root servers can't resolve the NS for the ccTLD tk.

    dig @e.root-servers.net tk. ns

    ; <<>> DiG 9.14.2 <<>> @e.root-servers.net tk. ns
    ; (1 server found)
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached

    and

    dig @k.root-servers.net. tk. ns

    ; <<>> DiG 9.14.2 <<>> @k.root-servers.net. tk. ns
    ; (1 server found)
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached

    Regards
    Peter
