DNS lookup fails on domain controller

Hi All,

I'm having a strange issue with DNS on our domain controllers and can't for the life of me figure out what is going on.

Some background: this is a setup we inherited, and the VLAN which contained our domain controllers and other servers was controlled by another firewall until recently. To simplify the network we have migrated the VLAN to sit behind our Sophos SG125 UTM9. Since then the DNS issues started.

I have an allow firewall rule in place which is as follows

DCs -> DNS -> internet

and have OpenDNS configured as forwarders in the DNS server.

If I try to do an nslookup on the server I get a DNS timeout, but the log on the firewall does show that the requests are processed by the rule and allowed. To confirm this I added a test PC to the rule and tried nslookup from there, and it worked. The PC is on another VLAN, so at this point I'm thinking something in the firewall is intercepting the return packets from OpenDNS if the requesting device is on the server VLAN. Is there anywhere in the appliance I can see if it is receiving return traffic?

We have the network working in some fashion at the moment by setting the DNS server to use the firewall as a forwarder and adding the server VLAN to the "Allowed Networks" list under Network Services -> DNS. We would prefer not to continue with this setup and to get it working as it was before.

Any help or ideas would be appreciated.

Thanks,

Andrew



  • Hi Temples90,

    Have you configured the masquerading rule for the VLAN where the servers belong?
    Without this rule the firewall log says OK, but no traffic can go outside.

    Best Regards
    DKKDG

  • Hi DKKDG,

    Thanks for coming back to me.

    I have checked the firewall and there is no masquerading rule for this VLAN. I have added one and the lookups now appear to be working (at least from nslookup in the command prompt). As the network is in use at the moment I can't make the changes to the forwarders in the DNS service on the server, but I have arranged to do so at the end of the day and I'll let you know how I get on.

    Forgive my ignorance, I am fairly new to using Sophos appliances, but why would not having the masquerading rule cause this issue? The machines have internet access, and when I do a "what is my IP" I get the address I expected. Just interested to know so I don't make the same mistake again.

    Thanks,

    Andrew

  • Hi Temples90,

    The masquerading rule is for direct internet access (PAT) with no proxy use: internal network to external address.

    If you use a proxy on your DNS servers you can access the internet without masquerading because the proxy has the direct access.
    But nslookup does not use the proxy, so you need the masq rule for this.

    Best Regards
    DKKDG
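
    Added example (not part of the thread and not Sophos code): a small shell check that makes DKKDG's point concrete. UTM 9 is iptables-based, so a masquerading rule ends up as a `-j MASQUERADE` or `-j SNAT` entry in the nat POSTROUTING chain. The `masq_target_for_src` function below reads `iptables -t nat -S POSTROUTING` output on stdin and reports which NAT target, if any, the first matching rule applies to a given source address. The rule listing, the subnets (10.20.0.0/24 as an already-masqueraded client VLAN, 10.30.0.0/24 as the inherited server VLAN with no rule, 10.40.0.0/16 with SNAT to 203.0.113.5) and the interface names are constructed for the demo; outbound interface matching (`-o`) is deliberately ignored, so it assumes a single WAN interface. `watch_dns_egress` is the tcpdump check that answers the "can I see return traffic on the appliance" question; it is only meant to be run by hand on the UTM shell and is not executed here.

```shell
#!/bin/sh
# Added example, not code from the original thread or from Sophos.
# Decide whether a source VLAN is masqueraded, given the firewall's
# nat POSTROUTING chain as printed by:  iptables -t nat -S POSTROUTING

# Constructed sample listing (assumption, not a real UTM dump):
#   10.20.0.0/24 is masqueraded, 10.40.0.0/16 is SNATed,
#   and the inherited server VLAN 10.30.0.0/24 has no rule at all.
SAMPLE_POSTROUTING='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.20.0.0/24 -o eth1 -j MASQUERADE
-A POSTROUTING -s 10.40.0.0/16 -o eth1 -j SNAT --to-source 203.0.113.5'

# masq_target_for_src SRC_IP  (rule listing on stdin)
# Prints MASQUERADE, SNAT or NONE. Walks the chain in order and stops at the
# first terminating NAT target whose -s (or "! -s") matches, which is how
# iptables itself evaluates POSTROUTING. Rules without -s match any source.
# Limitation: -o / -d are ignored (assumes one WAN interface).
masq_target_for_src() {
    awk -v src="$1" '
    function ip2int(s,   p) {
        split(s, p, ".")
        return p[1] * 16777216 + p[2] * 65536 + p[3] * 256 + p[4]
    }
    # True when integer ip lies inside cidr; compares network prefixes by
    # dividing both addresses by 2^(32-bits). Exact in awk doubles (< 2^53).
    function in_cidr(ip, cidr,   parts, n, bits, div) {
        n = split(cidr, parts, "/")
        bits = (n == 2) ? parts[2] + 0 : 32
        div = 2 ^ (32 - bits)
        return int(ip / div) == int(ip2int(parts[1]) / div)
    }
    BEGIN { s = ip2int(src); found = 0 }
    $1 == "-A" && $2 == "POSTROUTING" {
        cidr = ""; neg = 0; target = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "-s") { cidr = $(i + 1); if ($(i - 1) == "!") neg = 1 }
            if ($i == "-j") target = $(i + 1)
        }
        match_src = (cidr == "") ? 1 : in_cidr(s, cidr)
        if (neg) match_src = !match_src
        if (match_src && (target == "MASQUERADE" || target == "SNAT")) {
            print target; found = 1; exit
        }
    }
    END { if (!found) print "NONE" }'
}

# Live check on the UTM shell (root, not run by this script): show DNS
# queries leaving the WAN interface and the replies coming back.
#   watch_dns_egress eth1 208.67.222.222
# Queries leaving with a private source address and no matching replies
# mean the source VLAN is not being masqueraded; the filter log still
# shows "allowed" because the packet passed the rule before NAT.
watch_dns_egress() {
    tcpdump -ni "$1" "udp port 53 and host $2"
}

# Demo over the constructed listing: which VLANs would reach OpenDNS?
for ip in 10.20.0.7 10.30.0.10 10.40.3.9; do
    verdict=$(printf '%s\n' "$SAMPLE_POSTROUTING" | masq_target_for_src "$ip")
    printf '%-12s -> %s\n' "$ip" "$verdict"
done
```

    Run it on the appliance as `iptables -t nat -S POSTROUTING | masq_target_for_src <DC address>`; a `NONE` verdict for the domain controller's address is exactly the state described in this thread, where the packet filter log shows the query as allowed but the reply never arrives because it left with an unroutable private source.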

  • Hi DKKDG,

    Thanks for the explanation. It makes perfect sense now!

    I changed all the required settings last night after the office shut and it is all working perfectly now.

    Thank you for your help, it is much appreciated.

    Regards,

    Andrew

  • Hi Andrew and welcome to the UTM Community!

    To get a better understanding of all this, check out #2 in Rulz. Also see Doug Foster's take on some of this: READ ME FIRST: UTM Architecture.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA