Mac & Sophos Central: Constant DNS Query Timeouts, going to wrong DNS Server

Does anyone else use Sophos Central (Endpoint Control + Web Control) with macOS devices that are laptops? Our laptops go home with users every day and when they come back, a portion of the devices continue to query "http.00.a.sophosxl.net" but receive a Timeout, thousands of times. When we investigate on our Firewall logs, we see each device is still trying to query either their local DNS at home (not routable) or their ISP's DNS server, which is also not routable.

  • Machines are set to DHCP; when on our network they get our DNS server, yet they still try to query the wrong DNS server.
  • There is no botnet, infection, malicious plugins, etc. These machines are clean as a whistle.
  • DNS Server Timeout examples:
    • 75.75.76.75
    • 75.75.76.76
    • 10.0.0.1
    • 192.168.1.1
    • 209.18.47.62 (dns-cac-lb-02.rr.com)

It seems like the Sophos client caches the DNS server provided at a user's house. When they return to the network, they continue making failed queries to these servers. They are doing direct requests to DNS servers and timing out constantly.

Thanks.

  • This was a waste of time.

  • In reply to I T1:

    I have decided to move off of Sophos due to this issue. They do one thing well, pushing customers away.

  • Hi  

    Apologies for the inconvenience caused. Could you please let us know if you have raised any case with us for this issue? If so, kindly PM me the details of the case registered so that I can look into it for you.

  • In reply to I T1:

    I believe I am having the same issue. How were you able to diagnose the timeout? Is there a particular command to run in Terminal, or do you just capture some packets?

  • In reply to Oxal Ortiz:

    I would see the timeouts littering my firewall logs, thousands of them. I could also run tcpdump on the laptop to see that they were indeed trying to query the wrong server. Doesn't matter, Sophos didn't give a !@#$ about the issue and abandoned the ticket as "Everything is working as designed". This product is trash, sorry guys.


    #sudo tcpdump -c 10000 -i en0 -s 0 -w /tmp/DumpFile.dmp
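    The original post spotted the stray lookups in firewall logs, and the reply above confirmed them with a tcpdump capture on the laptop. The following is an added example, not code from the thread or from Sophos, of how a defender can turn a text dump of that capture into a per-resolver report: it parses tcpdump-style query lines for UDP port 53, keeps only queries that went somewhere other than the corporate resolvers, and classifies each stray destination as an off-network private address (a home router such as 192.168.1.1) or an external resolver (an ISP or public DNS server). The corporate resolver addresses, the client address 10.20.5.42 and the sample tcpdump lines are all constructed for the example; the resolver addresses in the sample lines are the ones listed in the thread.

```python
"""Report DNS queries that bypass the corporate resolvers.

Added example, not part of the Sophos thread. Feed it the text form of a
capture, e.g. the output of `tcpdump -n -r /tmp/DumpFile.dmp udp port 53`
(reading back the file captured in the thread), or a live
`tcpdump -n -i en0 udp port 53`.
"""
import ipaddress
import re
import sys
from collections import Counter

# Assumed corporate resolvers (placeholder addresses, not real infrastructure).
CORPORATE_RESOLVERS = {"10.20.0.10", "10.20.0.11"}

# Constructed `tcpdump -n` output reproducing the pattern described in the thread:
# one lookup answered by the corporate resolver, then repeated lookups for the same
# name sent to home-router and ISP resolvers that are unreachable from the office.
SAMPLE_TCPDUMP = """\
09:01:02.000001 IP 10.20.5.42.51234 > 10.20.0.10.53: 1000+ A? http.00.a.sophosxl.net. (40)
09:01:02.000500 IP 10.20.0.10.53 > 10.20.5.42.51234: 1000 1/0/0 A 203.0.113.10 (56)
09:01:03.000001 IP 10.20.5.42.51235 > 192.168.1.1.53: 1001+ A? http.00.a.sophosxl.net. (40)
09:01:08.000001 IP 10.20.5.42.51235 > 192.168.1.1.53: 1001+ A? http.00.a.sophosxl.net. (40)
09:01:13.000001 IP 10.20.5.42.51236 > 75.75.76.76.53: 1002+ A? http.00.a.sophosxl.net. (40)
09:01:18.000001 IP 10.20.5.42.51237 > 209.18.47.62.53: 1003+ A? http.00.a.sophosxl.net. (40)
09:01:20.000001 IP 10.20.5.42.51238 > 10.0.0.1.53: 1004+ A? http.00.a.sophosxl.net. (40)
"""

# Matches only outbound queries (destination port 53, "txid+ TYPE? name"),
# so response lines such as "1000 1/0/0 A ..." are ignored.
QUERY_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.53: "
    r"(?P<txid>\d+)\+ (?P<qtype>\w+)\? (?P<qname>\S+) \("
)


def parse_queries(text):
    """Yield (client, resolver, query name) for each outbound DNS query line."""
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            yield m.group("src"), m.group("dst"), m.group("qname").rstrip(".")


def classify_resolver(ip, allowed=CORPORATE_RESOLVERS):
    """Return 'corporate', 'private-offnet' or 'external' for a resolver address."""
    if ip in allowed:
        return "corporate"
    if ipaddress.ip_address(ip).is_private:
        # RFC 1918 address that is not one of ours: typically the user's home router.
        return "private-offnet"
    # A public resolver (ISP or third party) that the office firewall does not pass.
    return "external"


def stray_resolver_report(text, allowed=CORPORATE_RESOLVERS):
    """Count queries per (client, resolver, class) for resolvers that are not corporate."""
    counts = Counter()
    for src, dst, _qname in parse_queries(text):
        kind = classify_resolver(dst, allowed)
        if kind != "corporate":
            counts[(src, dst, kind)] += 1
    return counts


def stray_query_names(text, allowed=CORPORATE_RESOLVERS):
    """Which names were looked up via stray resolvers, with a count for each."""
    names = Counter()
    for _src, dst, qname in parse_queries(text):
        if classify_resolver(dst, allowed) != "corporate":
            names[qname] += 1
    return names


def main():
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TCPDUMP
    report = stray_resolver_report(text)
    for (client, resolver, kind), n in sorted(report.items(), key=lambda kv: -kv[1]):
        print(f"{client} -> {resolver:<16} {kind:<15} {n} queries")
    for qname, n in stray_query_names(text).most_common():
        print(f"  stray lookups for {qname}: {n}")


if __name__ == "__main__":
    main()
```

    Run with no input to see the constructed sample, or pipe a real capture through stdin. Clients that keep showing up against "private-offnet" resolvers after they are back on the office network are the ones exhibiting the cached-resolver behaviour the thread describes; comparing the stray addresses with the output of `scutil --dns` on the laptop shows whether the system resolver configuration itself is stale or whether only the client software is holding the old addresses.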

  • In reply to Oxal Ortiz:

    Hi  

    We need to diagnose this further with certain logs. I would recommend that you kindly open a support case for an in-depth investigation into this issue.

  • In reply to Shweta:

    Hi,

    Your support team did absolutely nothing to resolve this issue and it is still happening. Why do you recommend contacting support for this? They don't take the issue seriously and it's a waste of time. Just move on to another product.

  • In reply to I T1:

    Hi  

    I am extremely sorry for the inconvenience. I would request you to please PM me the case number you have registered, and I will check with the concerned team.

  • In reply to I T1:

    I have seen this on my network and would like to know what steps you have tried.

    If you restart the computer does this still happen?

    Flush DNS cache?

    Are you certain the IP entries are held only by SOPHOS or is SOPHOS getting them from somewhere else?


    Just trying to save myself some time so if you could share I would appreciate it.