
DNS Group not releasing IP(s)

Greetings! So I'm having an issue with our UTM that I wanted to run by the forums, maybe see if anyone else has seen this or knows of a fix.

We use the 'DNS Group' Definition to define specific computers which need to use the Agent for authentication (these groups themselves go into a Network group which is tied to it). The DNS group works fine resolving the IP (or IPs) associated with the DNS name; however, the problem is that it doesn't revert to 'unresolved' after the DNS record no longer exists. After a week, our PCs' DNS records will fall off the system, but the UTM will still show it resolving to whatever those IPs were when it was online. This is causing problems because then other computers will come along and pick up those IPs and the system will think they need to use the Agent and won't let them out, because they don't have the Agent installed (we only use the Agent for our Mac computers). I have tried adjusting the 'Timeout' settings and the interface binding on the DNS Group record, and nothing makes it give up the IP(s) except to change the Hostname to something else, then change it back. I even tried flushing the system DNS cache to no avail.

Any thoughts?

Still running 9.5 UTM, anyone know if this issue exists in 9.6?

Thanks for your time!



  • Is this a question related to authentication for Web Filtering?

    How many Macs are we talking about?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hey Bob, no, the authentication is working fine; however, because we use these 'DNS Group' objects to reference which machines need to be doing the authentication, whenever a device goes off the network for more than a week its IP becomes available again for another computer and inevitably one picks it up, then it can't get out because the UTM still thinks it requires the Agent as that IP is still on that other computer's 'DNS Group' record. What I need it to do is release the IP from the 'DNS Group' once the DNS record is no longer resolvable, but this doesn't happen. For instance, if you create a new 'DNS Group' record which points to a DNS name that doesn't currently exist, it shows the record as 'unresolved' until said DNS record shows up. But then it doesn't return to 'unresolved' after the DNS record goes away (which happens about a week after the machine stops communicating with our network).

    At this point I just need to know if this is 'normal' behavior. If so, I'll come up with another solution that doesn't involve the DNS Group definition.

    Thanks!

  • I agree that you will want to choose a different solution - probably reservations in the Windows DHCP servers.

    Still, this sounds like a question that might better fit the Web Filtering forum.

    Cheers - Bob

  • Thanks Bob, reserving the IPs for those specific computers that require the Agent was probably going to be my next plan.

    I'm still not sure how the Web Filtering forum would help; the issue I'm describing is with the 'DNS Group' definitions. Even if I was not doing anything with them related to Web Filtering, the issue still remains: they won't release their IPs and return to 'unresolved' after the record is removed from our DNS system. If I were using those DNS groups in a Firewall or NAT rule, that particular rule wouldn't work properly either, as it would start applying to a completely different machine once the new computer came online and picked up the IP address that had been assigned to the original. To me, this kind of defeats some of the purpose of the 'DNS Group' Definition, where it resolves a FQDN to an IP (or multiple IPs) dynamically and keeps it updated in case it moves. I just need it to 'remove' it as well, if the resolution stops working.

    So far, the only way I've gotten the offending DNS Group records to return to 'unresolved' is to change the FQDN to something else, save, and change it back.

    Thanks again!

  • I guess the UTM only removes the IPs once the TTL expires and the IPs are not renewed.  Changing the FQDN temporarily does that in effect.  Maybe a Windows server guru could tell you how to change the TTL of those assignments.

    Cheers - Bob

  • I tried adjusting the TTL on the UTM for those records, even set it to one hour, and it still never gives them up. I haven't officially confirmed yet, but it looks like it's possible that the 'DNS Host' definition actually does this properly, but the 'DNS Group' Definition does not. I have to use 'DNS Group' because the computers can have multiple IPs assigned to them (wired and wireless) and the UTM needs to know about all of them.

    I'm going to run a test and create two 'test' DNS records in our AD, then assign one to a 'DNS Host' definition and the other to a 'DNS Group' definition. Once the UTM resolves them to the IPs, I'll then delete the DNS record out of AD and see if either of them gives it up after the TTL expires (I'll set them both to an hour on the UTM). I'll report back with the results.

    Thanks!

  • Change the TTL on the UTM? I don't understand how you could use DNS Groups with the UTM providing DHCP unless you use Static assignments with Host definitions - is that what you're doing, or is there Windows Server DHCP involved?

    Cheers - Bob

  • The TTL I was referring to is the 'Timeout' value in the 'DNS Group' definition (see below). Yes, we are using Windows DHCP, but that doesn't have anything to do with the UTM or its ability to query and retain (or release) DNS lookups as part of the 'DNS Host' and 'DNS Group' definitions.


    I created my two 'test' records in DNS and set them up on the UTM (below). I just deleted the DNS records out of AD, so now I'll wait and see when (if) they return to 'unresolved'.
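One way to audit for the stale-resolution behaviour described in this thread from outside the UTM, as an added example (not code from the thread, from Sophos, or from the UTM itself): given each DNS Group's FQDN and the IPs the UTM currently shows for it, re-resolve the name and flag definitions whose name no longer resolves (the UTM would keep the old IPs) or now points elsewhere. The sample definitions, hostnames and IPs below are constructed, and the resolver is injectable so the check can be run offline.

```python
import socket
from typing import Callable, Dict, List

# Constructed sample of what a UTM 'DNS Group' definition holds: the FQDN it
# tracks and the IPs the UTM currently displays for it (all values made up).
SAMPLE_GROUPS = [
    {"name": "mac-alice", "hostname": "mac-alice.corp.example",
     "cached_ips": ["10.1.2.30", "10.1.3.30"]},   # wired + wireless
    {"name": "mac-bob", "hostname": "mac-bob.corp.example",
     "cached_ips": ["10.1.2.31"]},
]

Resolver = Callable[[str], List[str]]


def live_resolve(hostname: str) -> List[str]:
    """Current IPv4 answers for an FQDN; empty list if it no longer resolves."""
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def classify(cached_ips: List[str], live_ips: List[str]) -> str:
    """Compare what the UTM still holds against what DNS says now."""
    if not live_ips:
        return "stale"      # record gone from DNS, UTM still holds old IPs
    if set(live_ips) != set(cached_ips):
        return "changed"    # host moved; UTM should have picked this up
    return "ok"


def audit_dns_groups(groups, resolve: Resolver = live_resolve) -> Dict[str, dict]:
    """Return {definition name: {status, cached, live}} for every DNS Group."""
    report = {}
    for g in groups:
        live = resolve(g["hostname"])
        report[g["name"]] = {
            "status": classify(g["cached_ips"], live),
            "cached": list(g["cached_ips"]),
            "live": live,
        }
    return report


if __name__ == "__main__":
    for name, r in audit_dns_groups(SAMPLE_GROUPS).items():
        print(f"{name}: {r['status']} cached={r['cached']} live={r['live']}")
```

Any definition reported as "stale" is one whose IPs may already have been handed out by DHCP to a different machine, which is exactly the case where the Agent requirement gets misapplied.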

  • Well, I learned something today!  I've never seen that before and I find nothing about it in the documentation, the Help, the KnowledgeBase or here in the Community.  I've always thought that the TTLs were taken from the server that provides the IPs.

    I looked at some DNS Host and Group objects at the command line - both have Timeout values.  The timeout parameter on the Host objects was 60 or 180.  For the DNS Group objects, it was mostly 86400 with a few 604800 values.  Those are not TTLs gotten from a name server.

    cc get_objects network dns_group|grep \'timeout
    cc get_objects network dns_host|grep \'timeout

    I'll get a Sophos Support person to look at this thread and they'll likely get the documentation changed after letting us know what the heck "Timeout" means in this context.

    Cheers - Bob

  • Thanks Bob! I don't suppose you know of a log file somewhere in the CLI for when the system checks/updates the DNS Host and Group definitions? I thought that might also give some insight as well. Thanks again!

  • You can check the lookups at the command line with:

    grep 'ref="REF_NetDns' /var/log/confd.log

    Cheers - Bob
