PLEASE READ Advisory: Kernel memory issue affecting multiple OS (aka F**CKWIT, KAISER, KPTI, Meltdown & Spectre) for the latest updates.
We'd love to hear about it! Click here to go to the product suggestion community
we have configured the UTM (9.355-1) DNS according to "DNS best practice" by Bob Alfson and KB https://www.sophos.com/de-de/support/knowledgebase/120283.aspx.
The DNSSEC option in the UTM DNS Proxy/Forwarder is on and did not give us problems since 2013.
But now, something strange happens:
If we try to access "sharepoint.com" or "companyname-my.sharepoint.com" we get a "Host not found" error as long as DNSSEC is activated.
I have tested this on two different Environments over different ISPs and It seems like it does only affect this domain.
We'd like to keep the option enabled, because we still have some older ISP-Routers in front of the UTM for failover reasons and cache poisoning is not out of question.
Maybe someone could test this?
Or is the DNSSEC implementation of the UTM DNS Proxy worthless as it used to be with some typical older router Firmwares?
HP, can you get a case opened with Sophos Support on this? I've been hesitant to use DNSSEC because I was afraid of running into a problem like the one you describe. I bet you have found a subtle bug.
Cheers - Bob
In reply to BAlfson:
thanks for the insight! I've also been hesitant at first, but after having tested it for some months in my lab without any obvious problems I've also switched it on in production Environment.
This is the first problem we've encountered with it (at least I think so).
We'll open a case with Sophos and post about the outcome here!
Same problem here unfortunately this makes us switch off DNSSEC again.
There is a problem in the CNAME redirections to all the different (sub)domains as you can find out by visiting: http://dnssec-debugger.verisignlabs.com/
Looks like Google public DNS skips these checks, whereas Sophos UTM doesn't seem to be able to skip DNSSEC for particular zones....
In reply to apijnappels:
I didn't post any updates anymore because we've tried to get Sophos support involved into this matter.
What should I say: they didn't have a clue about the DNSSEC option. WE had to explain THEM for what it's actually used...
As a consequence we had to turn it off because of the problem with the "-my.sharepoint.com" subdomains.
Salesforce has disable the TLS 1.0 encryption protocol from 4th march
Can you test https://tls1test.salesforce.com/s/ with browser ,r u using old browser
google -> salesforce tls 1.0
In reply to HanspeterHolzer:
Problem is with all *.sharepoint.com not just -my.sharepoint.com....
Even more pitty is that I have Google public DNS as a forwarder configured on the UTM, but still the UTM seems to be going to the root-domains since Google doesn't resolve false DNSSEC records and still I do get them now while UTM "should" only go to Google public DNS...
I stumbled on this thread while wondering whether to enable DNS SEC or not.
This is my understanding of the problem:
I think we can roll our own exception process:
Unfortunately, users need to experience problems before the need for exceptions can be identified.
It may also be difficult to know that the problem is with DNS SEC and not with a host that is down or not reachable.
Does anyone have operating experience with the bandwidth impact when switching from weak DNS to DNS SEC? I have been reluctant to switch because of network load concerns.