Strange DNS behaviour - 53/udp blocked by Sophos

Hello

First, my DNS setup:

  • I have Sophos UTM 9.603-1
  • DynDNS is configured
  • The DNS feature is configured for internal and VPN networks
    • I setup OpenDNS servers as Forwarders
    • No special routes configured
    • Internal DNS resolution works from all networks
  • Internal networks are allowed to access the Internet by any protocol
  • Network traffic to the internet from internal networks is NAT-ed
  • One of my VMs is a DNS server
    • Nameservers of my domain point to my DynDNS addresses
    • DNAT is configured to forward incoming traffic on 53/udp from the internet to my DNS server VM
      • I had to configure DNAT to translate 53/udp to some other port (54/udp) because otherwise the DNS queries would have been lost in my Sophos
    • Firewall rule is configured to allow the NAT-ed traffic
      • This configuration works - DNS requests reach my VM and are being answered correctly

I can live with my DNAT workaround using 54/udp, but I got a second issue.

When I want to query DNS from one of my hosts in the internal networks directly to some DNS server in the internet (for example with "nslookup - 8.8.8.8"), this traffic goes to my Sophos and there it is not being forwarded to the specified DNS server but is dropped instead. In the Live Log I can see that the DNS queries are being received, but they are not being blocked (red).

Does anyone have an idea what I can do to fix this? Do you need any further information, details, logs?

Thank you in advance, Nando.
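
A small DNS probe, added here as an example (it is not code from the thread, from Sophos or from any of the posters), that does the same check as "nslookup - 8.8.8.8" from an internal host but reports whether the query was answered, silently dropped (timeout) or rejected (ICMP unreachable), and lets you point at another port such as 54/udp to exercise the DNAT path too. The server address, name and port passed to probe() are assumptions; the response bytes in the test are constructed.

```python
import random
import socket
import struct

def build_query(name, qtype=1):
    """Return (transaction id, wire-format DNS query with RD set) for name."""
    txid = random.randint(0, 0xFFFF)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.rstrip(".").split("."))
    return txid, header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def skip_name(packet, pos):  # step past a plain or compressed name, return new offset
    while packet[pos] & 0xC0 != 0xC0 and packet[pos] != 0:
        pos += packet[pos] + 1
    return pos + (2 if packet[pos] & 0xC0 == 0xC0 else 1)

def parse_answer(packet, txid):  # A-record IPs from a response; ValueError if unusable
    if len(packet) < 12:
        raise ValueError("short packet")
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", packet[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (stray or spoofed reply)")
    if flags & 0x000F:
        raise ValueError("server answered with RCODE %d" % (flags & 0xF))
    pos = 12
    for _ in range(qd):          # question section: name + QTYPE + QCLASS
        pos = skip_name(packet, pos) + 4
    ips = []
    for _ in range(an):          # answer section: name + fixed header + RDATA
        pos = skip_name(packet, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", packet[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(packet[pos:pos + 4]))
        pos += rdlen
    return ips

def probe(server, name="example.com", port=53, timeout=2.0):  # one query to server:port
    txid, query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.connect((server, port))   # connected UDP: ICMP errors surface as OSError
        try:
            sock.send(query)
            data = sock.recv(512)
        except socket.timeout:
            return "timeout", []       # silently dropped, the symptom in this thread
        except OSError:
            return "unreachable", []   # ICMP port/host unreachable came back
    return "answered", parse_answer(data, txid)
```

Run probe("8.8.8.8") from an internal host and probe("<your public IP>", port=54) from outside to compare the two paths while tcpdump is running on the UTM.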

  • See if I understand this correctly:

    • You have a single public IP address
    • You want to accept DNS queries from the internet
    • You want those DNS queries to go internal to a server other than UTM
    • You also want UTM to function as a DNS server

    I would do everything in my power to avoid inbound internet connections, including DNS.

    This is my theory on the problem:  The client PC's outbound query is sent to Google, and the reply is natted to your internal DNS server, which drops the answer because it never asked a question.

    You might have a workable solution if you dropped the port translation and then disabled DNS on UTM.

    There are other (better) options if you obtain a second IP address.

  • In reply to DouglasFoster:

    • Yes, I have a single public IP address
    • Yes, I accept DNS queries from the internet
    • Exactly, those queries go to another server
    • Yes, my UTM also serves as DNS server

    Unfortunately I cannot confirm your theory. I have sniffed the traffic and the packet is not being sent out to Google at all. For this I usually spawn tcpdump capturing on any interface as root on the Sophos, piping the results to my Wireshark running on my Windows host:

    @echo off
    REM Capture on every UTM interface except the SSH session itself and stream the pcap to Wireshark on the Windows host
    "C:\Program Files (x86)\WinSCP\PuTTY\plink.exe" -ssh -i "D:\id_rsa.ppk" root@192.168.15.254 "tcpdump -i any not port 22 -s 0 -w - " | "C:\Program Files\Wireshark\Wireshark.exe" -k -i -

    192.168.15.254 is the address of my Sophos in one of my internal networks. With this I can verify without any doubt that the packet has been received by the Sophos UTM but has not been routed to 8.8.8.8. I also deleted my incoming DNS DNAT and the related firewall rule completely. Same result. DNS queries from the internal network directly to a DNS server in the internet are being dropped by my Sophos.

    I would assume there is some corrupted iptables chain or something like this that blocks that traffic, but I've got no idea how to identify this. Is there maybe a log that could help me figure out what my Sophos is doing?

    Please help me to find a solution. This is really annoying for some network debugging and other things. If you have any idea how to figure out what exactly the issue is, tell me!

  • Any ideas what I could do to fix this?

  • In reply to Nando Neck:

    Hello Nando and welcome to the UTM Community!

    "Same result. DNS queries from the internal network directly to a DNS server in the internet are being dropped by my Sophos."

    Please show the line from the log where you saw this.  Consider doing #1 in Rulz (last updated 2019-04-17).

    Cheers - Bob