This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

DNS query timeout

Hi all,

since we installed the Sophos UTM 100 a couple of months ago, sometimes we have problems accessing websites. As we use Active Directory in our local net DNS queries should go this way:
Client (DNS Server: SBS2011) -> Small Business Server 2011 (forwarder to the UTM) -> Sophos UTM (forwarder to two DNS servers of our ISP) -> DNS server of our ISP
I added the internal network to the allowed networks of the DNS service and two DNS servers of our ISP to the DNS forwarders.

The problem in detail:
Most of the time we don't have any problems accessing the internet. But at different times a number/all of us cannot access the internet. So there seems to be neither a general problem (for example a missing entry in the firewall) nor a special "event" (for example a disconnect every 24h by our ISP) which could be responsible for this.
After this error occurs, you have to wait one or two minutes and then everything works fine again.
The typical entry in the webfilter log looks like this:

2014:09:03-09:28:24 SophosUTM httpproxy[18246]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="dns_expire" file="dns.c" line="187" message="dns query c7ef (Google) timed out, retransmitting (retry 1)"
2014:09:03-09:28:24 SophosUTM httpproxy[18246]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0x15aa0368" function="sc_categorize_url_remote" file="scr_scanner.c" line="993" message="no categorization received for url: https://www.google.de/"
2014:09:03-09:28:25 SophosUTM httpproxy[18246]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="CONNECT" srcip="192.168.10.103" dstip="" user="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_HttCffAllow (L&L Standard)" size="2465" request="0x16e306e8" url="www.google.de/" exceptions="" error="Host not found" authtime="0" dnstime="10001064" cattime="10896533" avscantime="0" fullreqtime="20937909" device="0" auth="0" category="9999" reputation="neutral" categoryname="Categorization failed"

There are no entries in the log of the firewall or of the intrusion prevention system for this specific time.

Before the UTM was installed, we didn't have problems like this. So the DNS server of our provider seem to work fine (or at least they did [;)]).

If there's already a solution somewhere in this forum, please post the link as I didn't find it. Otherwise do you have any ideas how to fix this problem?

Best regards
Thilo

This thread was automatically locked due to age.

Parents

0 GuardianFan over 10 years ago

Maybe my first example was a little bit misleading. This happens not only, if I visit HTTPS websites, but if I visit HTTP sites, too:
2014:09:03-09:29:50 SophosUTM httpproxy[18246]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.10.103" dstip="" user="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_HttCffAllow (L&L Standard)" size="2456" request="0x8900308" url="www.sport1.de/" exceptions="" error="Host not found" authtime="0" dnstime="10001227" cattime="10941970" avscantime="0" fullreqtime="20947178" device="0" auth="0" category="9999" reputation="neutral" categoryname="Categorization failed" application="http"

So is it normal, that a web request is blocked, if none of the DNS servers responds in a specific time? Or is there any other reason why it is blocked and why the UTM can't find a DNS server?

I'll try the above-mentioned command the next time the problem appears and keep you up to date.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 GuardianFan over 10 years ago

Maybe my first example was a little bit misleading. This happens not only, if I visit HTTPS websites, but if I visit HTTP sites, too:
2014:09:03-09:29:50 SophosUTM httpproxy[18246]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.10.103" dstip="" user="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_HttCffAllow (L&L Standard)" size="2456" request="0x8900308" url="www.sport1.de/" exceptions="" error="Host not found" authtime="0" dnstime="10001227" cattime="10941970" avscantime="0" fullreqtime="20947178" device="0" auth="0" category="9999" reputation="neutral" categoryname="Categorization failed" application="http"

So is it normal, that a web request is blocked, if none of the DNS servers responds in a specific time? Or is there any other reason why it is blocked and why the UTM can't find a DNS server?

I'll try the above-mentioned command the next time the problem appears and keep you up to date.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Sascha Paris over 10 years ago in reply to GuardianFan

dnstime="10001227" ?

That´s definately not good.

How is your DNS setup ?

Client => internal DC/DNS => UTM DNS Proxy => Public DNS ?

I´ve seen shortly a customer setup, where the customer also configured public DNS servers on his internal DNS forwarder which failed. This customer got always a few secs delay from DNS lookups, because the internal resolver had to fallback to root dns lookups, wich slowed down internetsurfing to opening a website within >1min.

After fixing the DNS Scenario Websurfing became lightning fast.

so make sure, that internal clients request internal DNS server, internal DNS server requests EXCLUSIVELY the UTM DNS forwarder (make sure internal DNS is in allowed networks), and UTM requests a availability group as described earlier in this thread with 4-6 FAST DNS servers in there...I use Local ISP DNS and Google and OpenDNS Servers in the availability group.
Cancel
Vote Up 0 Vote Down

Cancel