Strange issue: modem stops releasing DNS when PC with Sophos is connected

Yep, it's a very strange issue, but I did many experiments and this is what I verified.

I have a "Fastweb" Askey RTV1907VW modem.

Since I installed Sophos beta on my PC, a few minutes after I connect my PC to the modem via Wi-Fi, my web browsing stops because DNS is no longer responding.

All other devices connected to the modem can't browse because of the DNS problem.

If I restart the modem it works correctly; if I connect the PC with Sophos beta, after a few minutes it hangs again.

I tried uninstalling Sophos and it works correctly.

If I reinstall Sophos and reconnect, it hangs.

If I manually set DNS on my PC, it also works when the modem "hangs".

Quite strange, isn't it?

  • No ideas on what's happening?

  • Hi Francesco, 

    Could you check the DNS settings and share the same with us. 

    Recommended DNS: 8.8.8.8, 4.2.2.2, 4.4.2.2 etc.

    Check the NSlookup on your system and check if the DNS is resolved or not. If not please check your Modem as it has nothing to do with Sophos Home. 

    As per your experience, I believe that there is some issue with your modem and it is unable to resolve the request. You may do a series of tests and, since you have isolated the issue with DNS, change the DNS settings and validate again. 

  • I highly doubt that Sophos would be changing settings on the modem. 

    1. Is the unit just a cable modem or is it also a wifi router?  If there's a separate router maybe the issue is on that end.

    2. Is the firmware on your modem up to date?

    3. If you are renting the modem from your ISP you should be able to get a free replacement to see if issue is hardware related.

    4. In the modem's config page, are there settings for DNS? Is it set for default ISP DNS servers (automatic) or manually / statically entered?  If it's set to automatically use the ISP's DNS, change it to what the previous post mentioned (Google's DNS servers), or I use OpenDNS servers that I type in manually at the router level so that all the machines connected to my router use it without changing anything on their computers / devices.

    I see from the Fastweb Italian website that another user has an issue with DNS and your modem:

    https://translate.google.com/translate?hl=en&sl=it&u=http://www.fastweb.it/forum/servizi-rete-fissa-tematiche-tecniche/fastgate-askey-rtv1907vw-e-problema-dns-t18038.html&prev=search


    Patrick

  • In reply to Pat B.:

    Hi Patrick, 

    1. Is the unit just a cable modem or is it also a wifi router?  If there's a separate router maybe the issue is on that end.

    Ans: You may need to confirm the modem DNS settings; if you are using PPPoE then the DNS address should be mentioned. You could alter the DHCP settings to set the DNS servers for your clients. So when the DHCP request is initiated, your systems would receive the DNS set as per the DHCP settings.  A better explanation would be possible if there were a network diagram with IP addresses.

    2. Is the firmware on your modem up to date?

    Ans: That is something you may check on the website of the vendor if they have a later firmware.

    3. If you are renting the modem from your ISP you should be able to get a free replacement to see if the issue is hardware related.

    Ans: Agreed. If you find a fault with the device and it is rented out by your ISP, please advise them to fix this issue or provide a replacement.

    4. In the modem's config page, are there settings for DNS? Is it set for default ISP DNS servers (automatic) or manually / statically entered.  If it's set to automatically use the ISP's DNS, change it to what the previous post mentioned (Google's DNS servers), or I use OpenDNS servers that I type in manually at the router level so that all the machines connected to my router uses it without changing anything on their computer/devices.

    Ans: You may use Google DNS as you wish, and it is strongly advised. It may be that the DNS settings provided by your ISP are not functional.

  • In reply to Aditya Patel:

    This is happening to me as well.  My son has a high-school issued laptop with Sophos Endpoint Security and Control installed.  When I connect his laptop to our home wifi, everything is fine at first, but once I start triggering the "website blocked" notifications (visiting cnn.com is enough to trigger a bunch of these) we are no longer able to resolve DNS.  Every computer on our home network, wired or wifi, is unable to access websites by name.

    We have a DSL modem, model Zyxel C1100Z.  We did not have this problem last school year and according to my son the content filtering software was something different than it is now.

    I checked the modem's syslog and found this error occurs at the same time:

    daemon.warn kernel: webipqd/1558: potentially unexpected fatal signal 11.

    and same as the OP, I have to reboot the modem to clear the problem.

    PS: This is with dynamic ISP-provided DNS or with hard-coded 8.8.8.8/8.8.4.4.  And yes, I have the latest firmware. Also, I have already replaced the modem, which did not fix the problem.  And I tried with a second laptop from the school, same problem.  At this point it really looks like Sophos is causing it.

  • In reply to Lee Nave:

    Hi Lee, 

    What OS is your son's laptop running?  Windows 10, 7?  The implementation of web protection/control is quite different depending on platform.

    If you don't have admin rights on the laptop, I would suggest a useful test to rule out Sophos, or even troubleshoot the traffic, would be to install the Sophos solution on your computer or any other computer you can introduce into the network. If that computer starts affecting the router after that, then you have a computer to troubleshoot; if not, then there is a good chance Sophos, at least on its own, is not to blame.

    The Sophos Home version of Sophos has the same web protection/control features. The presented messages are slightly different but the underlying proxying is the same. You can get the free version from https://home.sophos.com.  You will need to remove your current security solution to install it I suspect but for troubleshooting that should be ok?

    TBH, based on this event at the same time:
    daemon.warn kernel: webipqd/1558: potentially unexpected fatal signal 11.
    ...it sounds like a bug in the router as a client should not be able to bring down the service whatever traffic is thrown at it.  

    I've tried to find out more about what this webipqd service is and this link is about as much as I can find other than just entries in boot logs.
    https://support.aa.net.uk/VMG1312:_Parental_Controls
    Correlating this with the info here: https://internethelp.centurylink.com/internethelp/modem-c1100z.html, I assume it falls under the "Blocking/Filtering" config in the Advanced section. 
    Maybe this is all off on your device but the service is still invoked?  Do you have these options enabled/configured?  Maybe you can disable them/restore to defaults if so.  The fact you say you've had a replaced device, it seems like this is all default but is it enabled if not configured?

    As a rough guide to what is happening on Windows 10 for example, at least from the Sophos side.  The browser process traffic is redirected using WFP to an out of process proxy process called swi_fc.exe. It is this process that makes the connection out rather than the browser.  If visiting CNN brings up a website blocked message then that sounds like the Sophos Web Control features kicking in rather than say web protection but that doesn't really matter as the same stuff is going on for both it's just really classification of the sites as being malicious vs control. For example, the admins may have chosen to block a category of site, let's say adverts for example.  

    So the HTTP and HTTPS requests are taking place for CNN, and swi_fc.exe is examining the request headers to extract the addresses etc.  For SSL, it's the SNI (https://en.wikipedia.org/wiki/Server_Name_Indication) in the handshake that is used, as there is no cracking of HTTPS done on the client.  In either case the URL/IP is obtained.  At which point the swi_service process can make a cloud (SXL) lookup to classify the site.  This is by default an HTTP lookup, but if that's not working for any reason it can fall back to DNS.  Given the response information, the swi_fc.exe process can make a decision on whether to block/warn/allow the site.  

    If you say the issue is started by the first block page and not before, all previous requests that don't end in a block/warn are going through all of the above processes.  I.e. additional requests are being made to Sophos infrastructure and the proxy is waiting for a response to make a decision.  To simplify the test case to provoke the issue and learn a little more you could try using http://www.sophostest.com. This site can be used to see what categories are being blocked.  Do you see the same issue start with a HTTP block on categorisation?  Does it need to be content served over HTTPS that is blocked for the issue to start?

    I can't think why the router would choke here based on what's going on at the client.  It would be interesting to enable some logging from the client hence using another computer if possible.

    Regards,

    Jak
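Jak's point that a web-control proxy reads the hostname from the SNI of the TLS handshake without decrypting HTTPS, shown as an added example that is not from this thread or from Sophos: a constructed TLS 1.2 ClientHello carrying a server_name extension, and a parser that recovers the name (or reports that none is present, which is what a proxy sees for plain HTTP or a hello without SNI). The record layout follows the standard TLS format; nothing here reflects swi_fc.exe internals.

```python
import struct

def build_client_hello(host: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello record with a server_name (SNI) extension."""
    name = host.encode("ascii")
    server_name_list = struct.pack("!BH", 0, len(name)) + name           # name_type 0 = host_name
    sni_ext = (struct.pack("!HH", 0, len(server_name_list) + 2)          # ext type 0 = server_name
               + struct.pack("!H", len(server_name_list)) + server_name_list)
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                         # version, random, empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"                         # one cipher suite
            + b"\x01\x00"                                                # one compression method: null
            + struct.pack("!H", len(sni_ext)) + sni_ext)                 # extensions block
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body            # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 0x16 = handshake

def extract_sni(record: bytes):
    """Return the host_name from a ClientHello record, or None if absent or not a ClientHello.

    Only the cleartext handshake is inspected; no key material is needed, which is exactly
    why a client-side proxy can classify an HTTPS site without breaking the TLS session.
    """
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None
        p = 43                                          # record(5) + hs(4) + version(2) + random(32)
        p += 1 + record[p]                              # session id
        p += 2 + struct.unpack_from("!H", record, p)[0] # cipher suites
        p += 1 + record[p]                              # compression methods
        ext_total = struct.unpack_from("!H", record, p)[0]
        p += 2
        end = p + ext_total
        while p + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", record, p)
            p += 4
            if ext_type == 0:                           # server_name extension
                q = p + 2                               # skip server_name_list length
                name_type, name_len = struct.unpack_from("!BH", record, q)
                q += 3
                if name_type == 0:
                    return record[q:q + name_len].decode("ascii")
            p += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                                     # truncated or malformed input
    return None
```

A hello without the extension (or with an encrypted/absent SNI) yields None, so a filter relying on SNI alone has no hostname to classify for such connections.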