DNS - DNSSEC vs. sharepoint.com over Google Public DNS leads to "Host not found" error

Hello,

We have configured the UTM (9.355-1) DNS according to "DNS best practice" by Bob Alfson and KB https://www.sophos.com/de-de/support/knowledgebase/120283.aspx.

The DNSSEC option in the UTM DNS Proxy/Forwarder is on and has not given us any problems since 2013.

But now, something strange happens:

If we try to access "sharepoint.com" or "companyname-my.sharepoint.com" we get a "Host not found" error as long as DNSSEC is activated.

I have tested this on two different environments over different ISPs, and it seems to affect only this domain.

We'd like to keep the option enabled, because we still have some older ISP routers in front of the UTM for failover reasons and cache poisoning is not out of the question.

Maybe someone could test this?

Or is the DNSSEC implementation of the UTM DNS Proxy as worthless as it used to be with some typical older router firmwares?

Best Regards,

HP

  • HP, can you get a case opened with Sophos Support on this? I've been hesitant to use DNSSEC because I was afraid of running into a problem like the one you describe. I bet you have found a subtle bug.

    Cheers - Bob

  • In reply to BAlfson:

    Hello Bob,

    Thanks for the insight! I've also been hesitant at first, but after having tested it for some months in my lab without any obvious problems I've also switched it on in the production environment.

    This is the first problem we've encountered with it (at least I think so).

    We'll open a case with Sophos and post about the outcome here!

    Best regards,

    HP

  • Same problem here; unfortunately this makes us switch off DNSSEC again.

    There is a problem in the CNAME redirections to all the different (sub)domains, as you can find out by visiting: http://dnssec-debugger.verisignlabs.com/

    Looks like Google Public DNS skips these checks, whereas Sophos UTM doesn't seem to be able to skip DNSSEC for particular zones...

  • In reply to apijnappels:

    Hello @apijnappels!

    I didn't post any more updates because we've tried to get Sophos Support involved in this matter.

    What should I say: they didn't have a clue about the DNSSEC option. WE had to explain to THEM what it's actually used for...

    As a consequence we had to turn it off because of the problem with the "-my.sharepoint.com" subdomains.

    Best regards,

    HP

  • Hello,

    Salesforce has disabled the TLS 1.0 encryption protocol from 4th March.

    Can you test https://tls1test.salesforce.com/s/ with a browser? Are you using an old browser?

    google -> salesforce tls 1.0

  • In reply to HanspeterHolzer:

    The problem is with all *.sharepoint.com, not just -my.sharepoint.com...

    Even more of a pity is that I have Google Public DNS configured as a forwarder on the UTM, but the UTM still seems to be going to the root domains, since Google doesn't return failing DNSSEC records and yet I still get them now, while the UTM "should" only go to Google Public DNS...

  • In reply to apijnappels:

    I stumbled on this thread while wondering whether to enable DNSSEC or not.

    Exception process

    This is my understanding of the problem:

    • UTM DNSSEC enforcement works perfectly.
    • However, at least some domain owners have not implemented their DNSSEC configuration perfectly.
    • We have no control over domain owner mistakes.
    • UTM has no options for configuring DNSSEC exceptions.
    • Therefore, if I will ever need a DNSSEC exception for at least one domain, UTM DNSSEC appears to be unusable for any domain.

    I think we can roll our own exception process:

    • Assume the problem DNS entry is "something.example.com", so we need to exempt *.example.com.
    • Assume that you have an internal DNS server, such as Active Directory, which provides internal DNS without DNSSEC enforcement and relays to the UTM (with DNSSEC enabled) for enforcement of external addresses.
    • Configure a conditional forwarder in Active Directory to send *.example.com directly to an external DNS service such as Google at 8.8.8.8, bypassing the UTM.
    • Configure a conditional forwarder in the UTM to send *.example.com to the Active Directory server, which should prevent the UTM from detecting DNSSEC features for the example.com domain.
    • Repeat as needed when additional problem domains are detected.

    Unfortunately, users need to experience problems before the need for exceptions can be identified.

    It may also be difficult to know that the problem is with DNSSEC and not with a host that is down or not reachable.

    Bandwidth Issues

    Does anyone have operating experience with the bandwidth impact when switching from plain DNS to DNSSEC? I have been reluctant to switch because of network load concerns.
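The post above notes that it is hard to tell a DNSSEC validation failure from a host that is simply down. One way to tell them apart, as an added example that is not from the original thread or from Sophos: query the validating resolver twice, once normally and once with the Checking Disabled (CD) bit set. A validating resolver returns SERVFAIL on the normal query but answers with CD=1 when the only problem is a chain it cannot validate; a genuinely broken name fails both ways. The resolver address 192.0.2.1 is a placeholder for the UTM.

```python
"""Distinguish a DNSSEC validation failure from an ordinary lookup failure.
Builds wire-format A queries with the standard library only (no dnspython),
sends one normal query and one with the CD (Checking Disabled) bit set to a
validating resolver, and classifies the pair of RCODEs."""
import random
import socket
import struct

NOERROR, SERVFAIL, NXDOMAIN = 0, 2, 3
FLAG_RD, FLAG_CD = 0x0100, 0x0010   # header flags: Recursion Desired, Checking Disabled
EDNS_DO = 0x8000                    # DO bit in the OPT RR: "send DNSSEC records"

def build_query(name: str, checking_disabled: bool, txid: int = 0x1234) -> bytes:
    """Wire-format A query with an EDNS0 OPT record carrying the DO bit."""
    flags = FLAG_RD | (FLAG_CD if checking_disabled else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)  # 1 question, 1 additional (OPT)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, EDNS_DO, 0)  # root name, TYPE=OPT
    return header + question + opt

def rcode_of(response: bytes) -> int:
    # The low four bits of the header flags word are the RCODE
    return struct.unpack("!H", response[2:4])[0] & 0x0F

def query_rcode(name, server, checking_disabled, timeout=3.0):
    # Returns None when the resolver does not answer at all
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, checking_disabled, random.randrange(1 << 16)), (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return rcode_of(data)

def classify(rcode_validating, rcode_cd) -> str:
    # Verdict from the (normal query, CD=1 query) RCODE pair
    if rcode_validating is None:
        return "resolver unreachable"
    if rcode_validating == NOERROR:
        return "ok"
    if rcode_validating == SERVFAIL and rcode_cd == NOERROR:
        return "dnssec validation failure"      # the sharepoint.com symptom in this thread
    if rcode_validating == NXDOMAIN:
        return "name does not exist"
    return "resolution failure (not DNSSEC)"

def diagnose(name, server):
    return classify(query_rcode(name, server, False), query_rcode(name, server, True))
```

Run `diagnose("companyname-my.sharepoint.com", "192.0.2.1")` against the UTM's address; the same pair of queries can be sent with `dig +cd` to confirm the verdict by hand.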