This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

DNS service: No currently assigned DNS forwarders - never ever

Running UTM 9.510-4 but this is not a new one. No matter what I enter into the forwarders field or even nothing or activate ISP forwarders, there are always no forwarders assigned. I found and followed the DNS best practice in the forum, but no change. AFAIK the root servers will be then used and they are usually slow.

Any ideas how to solve that?



This thread was automatically locked due to age.
Parents
  • Your question is not really clear to me, but you seem to have problems with DNS resolution.

    How is your DNS configured from the workstations view? Do they point to the UTM as DNS-server or to something else? What exactly goes wrong when you say that forwarders are not working?

    Maybe you can show us some pictures of your UTM DNS configration.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • apijnappels said:

    Your question is not really clear to me, but you seem to have problems with DNS resolution.

    How is your DNS configured from the workstations view? Do they point to the UTM as DNS-server or to something else? What exactly goes wrong when you say that forwarders are not working?

    Maybe you can show us some pictures of your UTM DNS configration.

     

    The workstations use our internal DNS servers in the AD and those internal DNS servers use the UTM as a forwarder. I believe this is the usual way and so I didn't explain that more precise. My bad.
     
    A part of the DNS logfile:
     
     
    2018:08:06-19:09:21 mail named[5218]: checkhints: view norpz: b.root-servers.net/A (199.9.14.201) missing from hints
    2018:08:06-19:09:21 mail named[5218]: checkhints: view norpz: b.root-servers.net/A (192.228.79.201) extra record in hints
    2018:08:06-19:09:33 mail named[5218]: resolver priming query complete
    2018:08:06-19:09:33 mail named[5218]: checkhints: view norpz: b.root-servers.net/A (199.9.14.201) missing from hints
    2018:08:06-19:09:33 mail named[5218]: checkhints: view norpz: b.root-servers.net/A (192.228.79.201) extra record in hints
    2018:08:06-19:10:05 mail named[5218]: resolver priming query complete
    2018:08:06-19:10:05 mail named[5218]: checkhints: view norpz: b.root-servers.net/A (199.9.14.201) missing from hints
    2018:08:06-19:10:05 mail named[5218]: checkhints: view norpz: b.root-servers.net/A (192.228.79.201) extra record in hints
    2018:08:06-19:10:07 mail named[5218]: resolver priming query complete
    2018:08:06-19:10:07 mail named[5218]: checkhints: view norpz: b.root-servers.net/A (199.9.14.201) missing from hints
    2018:08:06-19:10:07 mail named[5218]: checkhints: view norpz: b.root-servers.net/A (192.228.79.201) extra record in hints
    2018:08:06-19:10:08 mail named[5218]: resolver priming query complete
    2018:08:06-19:10:08 mail named[5218]: checkhints: view norpz: b.root-servers.net/A (199.9.14.201) missing from hints
    2018:08:06-19:10:08 mail named[5218]: checkhints: view norpz: b.root-servers.net/A (192.228.79.201) extra record in hints
    2018:08:06-19:10:09 mail named[5218]: resolver priming query complete
    2018:08:06-19:10:09 mail named[5218]: checkhints: view norpz: b.root-servers.net/A (199.9.14.201) missing from hints
    2018:08:06-19:10:09 mail named[5218]: checkhints: view norpz: b.root-servers.net/A (192.228.79.201) extra record in hints
    2018:08:06-19:10:10 mail named[5218]: resolver priming query complete
    2018:08:06-19:10:10 mail named[5218]: checkhints: view norpz: b.root-servers.net/A (199.9.14.201) missing from hints
    2018:08:06-19:10:10 mail named[5218]: checkhints: view norpz: b.root-servers.net/A (192.228.79.201) extra record in hints
    2018:08:06-19:10:10 mail named[5218]: checkhints: view norpz: h.root-servers.net/A (198.97.190.53) missing from hints
    2018:08:06-19:10:10 mail named[5218]: checkhints: view norpz: h.root-servers.net/A (128.63.2.53) extra record in hints
    2018:08:06-19:10:10 mail named[5218]: checkhints: view norpz: h.root-servers.net/AAAA (2001:500:1::53) missing from hints
    2018:08:06-19:10:10 mail named[5218]: checkhints: view norpz: h.root-servers.net/AAAA (2001:500:1::803f:235) extra record in hints
    2018:08:06-19:10:10 mail named[5218]: checkhints: view norpz: l.root-servers.net/AAAA (2001:500:9f::42) missing from hints
    2018:08:06-19:10:10 mail named[5218]: checkhints: view norpz: l.root-servers.net/AAAA (2001:500:3::42) extra record in hints
     
     
    And so on, all day long. I cannot find any query to the configured DNS servers, I use OpenDNS, Google and the servers from our provider in the DNS forwarders field. To me this log looks like it only uses root servers.
     
  • Your AD DNS server is using root hints, this is integral, and may have an issue.

    Ensure that your DNS servers have the UTM as the forwarder, and turn off root hints (this is on the DNS Server(s) within AD).

    then on the UTM, add in cloud-flare & google as DNS forwarders on and check the DNSSEC box (google & cloud-flare are both DNSSEC compliant), this should calm things down a bit.

    XG & UTM Architect (Systems: XG v18 & UTM 9.7 - Virtual, HW & SW)
    Curious enough to take it apart, skilled enough to put it back together, Clever enough to hide the extra parts when I'm Done!

Reply
  • Your AD DNS server is using root hints, this is integral, and may have an issue.

    Ensure that your DNS servers have the UTM as the forwarder, and turn off root hints (this is on the DNS Server(s) within AD).

    then on the UTM, add in cloud-flare & google as DNS forwarders on and check the DNSSEC box (google & cloud-flare are both DNSSEC compliant), this should calm things down a bit.

    XG & UTM Architect (Systems: XG v18 & UTM 9.7 - Virtual, HW & SW)
    Curious enough to take it apart, skilled enough to put it back together, Clever enough to hide the extra parts when I'm Done!

Children
  • Unknown said:

    Your AD DNS server is using root hints, this is integral, and may have an issue.

    Ensure that your DNS servers have the UTM as the forwarder, and turn off root hints (this is on the DNS Server(s) within AD). 

    then on the UTM, add in cloud-flare & google as DNS forwarders on

    Done that and the root queries are gone.

    Unknown said:
    and check the DNSSEC box (google & cloud-flare are both DNSSEC compliant), this should calm things down a bit.

    Activating DNSSEC leads to errors when internal DNS servers are forwarding queries to the UTM, so I've deactivated that. All in all DNS runs ok, thanks for all your help.

     

    But below the DNS forwarders list I still can read

    Currently assigned forwarders:   none

    Should there appear a list of assigned DNS forwarders or is that just a cosmetic issue?

  • 'Currently assigned forwarders: none' is because 'Use forwarders assigned by ISP' is not selected, so there are "none" to show! ;-)

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • BAlfson said:

    'Currently assigned forwarders: none' is because 'Use forwarders assigned by ISP' is not selected, so there are "none" to show! ;-)

    Cheers - Bob

    A-ha. Thanks for clarifying, Bob. :) But even if I activate "Use forwarders assigned..." my UTM never shows any. That's what I asked. Probably the machine don't like my ISP's DNS servers but I can live with that.

  • Hi gsxfan,

    what kind of external interface do you have?

    Is it an ethenet dchp or pppoe interface?

    You get this dns information via pppoe or dhcp.

    Otherwise you don't have there any forwarders defined and must define them by yourself.

    Best Regards

    DKKDG

  • DKKDG said:
    Hi gsxfan,

    what kind of external interface do you have?

    Is it an ethenet dchp or pppoe interface?

    You get this dns information via pppoe or dhcp.

    Otherwise you don't have there any forwarders defined and must define them by yourself.

    Best Regards

    DKKDG

    That's it. The ext IF is neither a DHCP nor a PPOE IF, it is an ethernet IF with a fixed IP. I didn't know that it makes a difference. Thanks for letting me know.