I am struggling with Hostname/FQDN/DNS. I have read just about every thread with any of those words in the subject (including the zeroth rule and the DNS Best Practice thread) and I am not making any progress. I have a DynDNS account and I have set up the account in Network Services -> DNS -> DynDNS tab and it is correctly updating my dynamic public IP. I am able to ping my domain, but not the Sophos box. According to the instructions at Management -> System Settings -> Hostname tab:
My DynDNS hostname is "xxxx.is-a-geek.net" so in the Hostname field I entered "sophos.xxxx.is-a-geek.net". That makes this the FQDN, right? I can ping 'xxxx.is-a-geek.net' and get a reply, but when I add 'sophos', I get 'ping request could not find sophos.xxxx.is-a-geek.net'. What else do I need to do in order to reach the FQDN?
Ultimately, I want to be able to use hostnames inside of my network to identify devices rather than the IP address, but I need to get all this hostname/fqdn/dns stuff sorted out first - it is the zeroeth rule after all.
In case it matters, my hardware is such:
I have some other questions about allowing/blocking traffic across these interfaces, but first the hostname thing needs to be fixed, as I believe that I need that correct in order to be able to troubleshoot further configuration.
Thank you in advance for your assistance.
A little more about my setup as it applies to the DNS Best Practice thread:
Sorry if this is a little scattered, but I think I may be in a little over my head and I am simply trying to explain everything to the best of my ability.
The second hostname you want to ping does not exist because there is no such entry at your DynDNS provider, and your UTM does not create this entry.
Your UTM hostname is xxxx.is-a-geek.net and not sophos.xxxx.is-a-geek.net. If you want to use this name you have to create this DNS entry at your DynDNS provider.
For the DNS best practice guide you can keep in mind the following order:
- Clients ask internal DNS servers
- DNS server asks UTM DNS
- UTM asks your preferred external DNS servers (shown in your last picture)
Also, if you tick "Use forwarders assigned by ISP", your defined DNS servers under Forwarders will not be used by the UTM. The Google DNS servers are only a recommendation.
In reply to DKKDG:
Hello DKKDG and thank you for the response. I apologize for my lack of basic understanding regarding DNS and Hostnames, but I learn better from doing than from reading. I have read until my eyes are ready to fall out and obviously still have issues.
So, for the Sophos box, the Hostname is whatever my domain is that I have set up with DynDNS that I have pointing to my public IP. What about the hostname field on the Advanced tab of Edit Interface? Do I give each interface a different Hostname? If so, is it just any name or is it an extension of the FQDN? Like interface1.xxxx.is-a-geek.net, interface2.xxxx.is-a-geek.net, etc.?
I also have various devices on my network for which I have created Network Definitions. On the DNS Settings tab of Edit Network Definition there is a place for a hostname. What is best practice here?
Are there other places where I need to apply specific naming conventions for 'host' or hostname fields?
Again, I apologize for the basic level of questioning and I greatly appreciate your response.
In reply to Don Fisher1:
If you check the help for Edit Interface, Don, you will find "If your ISP requires to receive the hostname of your system, enter it here." None of my clients in the US has needed that.
Likewise, for the DNS Settings in a Host definition, you will find "(optional): If you do not want to set up your own DNS server but need static DNS mappings for a few hosts of your network, you can enter these mappings in this section of the respective hosts. Note that this only scales for a limited number of hosts and is by no means intended as a replacement of a fully operable DNS server."
The Help button is the ? in the blue dot on the right at the top of the page.
If you have your own, separate DNS server, you will want to read the help about DNS Hosts and DNS Groups.
Cheers - Bob
In reply to BAlfson:
Hello Bob and thank you for your response. Your dedication to this forum is impressive.
I have read that section of the help file (and many other sections) a dozen times probably, but it is not providing me with much insight. I did set the hostname on the External Interface, but like you, I do not think I needed it. I have 3 internal interfaces (and 2 more that I will likely implement later) and that is where my question lies. Each of these interfaces provides DHCP and is included in DNS. Should they also have a Hostname? Does it matter for DNS purposes, or any purpose for that matter?
I am trying to get solid internal DNS, so I am following DNS Best Practice (here https://community.sophos.com/kb/en-us/120283) and that is where I am falling down. When I get to Request Routing and Reverse DNS, I get stuck. I click to add a new Route and the form I am presented with is asking for a Domain. Is this the FQDN from my DynDNS? The help file says 'Enter the domain for which you want to use an alternate DNS server'. Is my internal DNS an 'alternate' DNS server and the ISP DNS servers the primary? Additionally, when I try to add what I believe to be the DNS server to the Request Route as a Target Server, I am unable to drag the intended Network into that box. When I try, it does not stay, like it is an illegal operation or something. Do I need to create a new Network Definition to accomplish this? If so, what kind? If it is of the type 'Network', why do I have to redefine it when it is already defined? Also, if I have to define it once again, what name should I give it? Does it matter?
I feel like I should be able to just guess at some of this and be able to figure out if I guessed correctly or not, but that is not the case. I keep guessing and I am not able to make it work.
The Zeroeth Rule only has to do with one thing, Don - the Hostname given to the UTM when you first install it. If the Hostname in 'System Settings' isn't your correct FQDN, The Zeroeth tells you how to correct that.
What is your local domain name?
That KnowledgeBase article was copied from an old version of my DNS best practice post. I've maintained that many times since then, so it's the place to go to understand best practice.
Request Routes are for information on your internal DNS server. If the UTM were doing your internal DNS, you wouldn't need any Request Routes. Nothing to do with your DynDNS domain will appear in a Request Route. There are some special-use cases for Request Routes, but it's unlikely you will encounter one. The target for a Request Route must be a Network Host object, not any other Network object type, so it sounds like you need to delete that object and replace it with a Host.
I would rename the object to "_ delete me" and then press on the blue button beside "_ delete me" in 'Network Definitions' so that you can see where you need to replace it with your new definition. Once the replacements are finished, delete the "_ delete me" object.
Bob, I do not have a local domain, only the domain that I get from DynDNS. Do I need a local domain? Would it be different from Dyn?
"Request Routes are for information on your internal DNS server. If the UTM were doing your internal DNS, you wouldn't need any Request Routes. Nothing to do with your DynDNS domain will appear in a Request Route." - I have internal DNS set up for all of my networks, so I will assume from your statement that I do not need Request Routes?
When I say that I am unable to drag my network object into the New Request Route, here is a screenshot:
If I let go, it sends the object back to the sidebar. This may all be academic since you are saying that I will not need Request Routes, but I would like to understand it better if you don't mind explaining.
Aside from Request Routes, what else do I need to do to have my DNS set properly?
As I said above, Don, "The target for a Request Route must be a Network Host object, not any other Network object type." WebAdmin prevents many incorrect configurations.
If you don't have a local domain, you might want to adopt fisher.loc internally, for example. Then, in a Host definition, you could fill in a hostname like "laptop-don.fisher.loc" and complete the DHCP section so that the DHCP server always assigns your laptop the same IP.
Thanks Bob. When you say 'adopt fisher.loc internally', do you mean just use something like that any time that I make a host definition or is there somewhere to actually set a local domain?
You can set a local domain in 'Remote Access >>Advanced', Don, and also in a DHCP Server definition.
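The resolution order DKKDG describes (clients ask the internal DNS, which asks the UTM, which asks the external forwarders) and Bob's rules for Request Routes (the target must be a Host object, and nothing about the DynDNS domain belongs in one) can be watched working together in a small simulation. The Python script below is an added example written for this thread; it is not Sophos UTM code and not anything posted by the participants. Every server, address and record in it is constructed: xxxx.is-a-geek.net and fisher.loc are the public and local names from the thread, the IPs are documentation-range placeholders, and the rule that a server owning a domain answers NXDOMAIN itself rather than forwarding is a modelling assumption of the script.

```python
from dataclasses import dataclass, field


class NXDOMAIN(Exception):
    """No server in the chain holds a record for the queried name."""


@dataclass
class NetworkDefinition:
    """Stand-in for a UTM network definition; kind is 'host' or 'network'."""
    name: str
    kind: str
    address: str


@dataclass
class DnsServer:
    name: str
    address: str
    records: dict = field(default_factory=dict)         # fqdn -> IP (this server's own data)
    authoritative: list = field(default_factory=list)   # domains this server owns outright
    forwarders: list = field(default_factory=list)      # manually configured forwarders
    isp_forwarders: list = field(default_factory=list)  # forwarders learned from the ISP
    use_isp_forwarders: bool = False
    request_routes: dict = field(default_factory=dict)  # domain -> DnsServer to ask instead

    def add_request_route(self, domain: str, target: NetworkDefinition, registry: dict) -> None:
        """Mirror WebAdmin: a Request Route target must be a Host object, never a Network."""
        if target.kind != "host":
            raise ValueError(f"Request Route target must be a host definition, got {target.kind!r}")
        self.request_routes[domain.lower()] = registry[target.address]

    def active_forwarders(self) -> list:
        """Ticking 'Use forwarders assigned by ISP' makes the manual forwarder list irrelevant."""
        return self.isp_forwarders if self.use_isp_forwarders else self.forwarders

    def resolve(self, fqdn: str, trace: list) -> str:
        fqdn = fqdn.lower().rstrip(".")
        trace.append(f"{self.name} <- {fqdn}")
        if fqdn in self.records:
            return self.records[fqdn]
        # Modelling assumption: a server that owns the domain answers NXDOMAIN itself
        # instead of forwarding; this is also what keeps internal DNS and UTM from looping.
        if any(fqdn == d or fqdn.endswith("." + d) for d in self.authoritative):
            raise NXDOMAIN(fqdn)
        # Request Route: queries for a listed internal domain go to that domain's server.
        for domain, target in self.request_routes.items():
            if fqdn == domain or fqdn.endswith("." + domain):
                return target.resolve(fqdn, trace)
        # Everything else goes to the first active forwarder; its NXDOMAIN is final.
        forwarders = self.active_forwarders()
        if not forwarders:
            raise NXDOMAIN(fqdn)
        return forwarders[0].resolve(fqdn, trace)


def lookup(server: DnsServer, fqdn: str):
    """Resolve through `server`; returns (ip or None, list of hops visited)."""
    trace: list = []
    try:
        return server.resolve(fqdn, trace), trace
    except NXDOMAIN:
        return None, trace


def build_lab() -> dict:
    """Wire the chain from the thread: client -> internal DNS -> UTM -> external resolver."""
    # Constructed data: the DynDNS provider only knows the bare dynamic name,
    # so "sophos.xxxx.is-a-geek.net" has no record anywhere.
    external = DnsServer("external-resolver", "8.8.8.8",
                         records={"xxxx.is-a-geek.net": "203.0.113.10"})
    isp = DnsServer("isp-resolver", "198.51.100.53",
                    records={"xxxx.is-a-geek.net": "203.0.113.10"})
    # The internal server owns the made-up local domain fisher.loc.
    internal = DnsServer("internal-dns", "192.168.1.2",
                         records={"laptop-don.fisher.loc": "192.168.1.50"},
                         authoritative=["fisher.loc"])
    utm = DnsServer("utm", "192.168.1.1", forwarders=[external], isp_forwarders=[isp])
    internal.forwarders = [utm]                      # internal DNS asks the UTM for the rest
    registry = {s.address: s for s in (external, isp, internal, utm)}
    utm.add_request_route("fisher.loc",
                          NetworkDefinition("internal-dns", "host", "192.168.1.2"), registry)
    return {"client_resolver": internal, "utm": utm, "registry": registry}


if __name__ == "__main__":
    lab = build_lab()
    for name in ("xxxx.is-a-geek.net", "sophos.xxxx.is-a-geek.net", "laptop-don.fisher.loc"):
        ip, hops = lookup(lab["client_resolver"], name)
        print(f"{name}: {ip or 'NXDOMAIN'} via {' -> '.join(h.split(' <- ')[0] for h in hops)}")
```

Running it shows the three outcomes from the thread side by side: the bare DynDNS name resolves after three hops, the invented "sophos." label is NXDOMAIN because the provider never created it, and a fisher.loc host is answered by the internal server without leaving the LAN. Trying to register a Network definition as a Request Route target raises the same kind of refusal WebAdmin gives by refusing the drag.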
Hola, san here
Could you please provide me with possible explanations for why loading a webpage using the FQDN is much, much faster than loading a webpage using the DN?
In reply to DyraSan t:
Namaste San and welcome to the UTM Community!
That depends on your DNS configuration and your WINS configuration. This might be more of a Windows issue than a UTM issue, but you might show us the relevant lines from the Web Filtering log for a "fast" and a "slow" load.