First, my DNS setup:
I can live with my DNAT workaround using 54/udp, but I got a second issue.
This configuration works - DNS requests reach my VM and are being answered correctly.

When I want to query DNS from one of my hosts in the internal networks directly to some DNS server on the internet (for example with "nslookup - 18.104.22.168"), this traffic goes to my Sophos and there it is not being forwarded to the specified DNS server but is dropped instead. In the Live-Log I can see that the DNS queries are being received, but they are not being blocked (red).

Does anyone have an idea what I can do to fix this? Do you need any further information, details, logs?

Thank you in advance, Nando.
See if I understand this correctly:
I would do everything in my power to avoid inbound internet connections, including DNS.
This is my theory on the problem: The client PC's outbound query is sent to Google, and the reply is natted to your internal DNS server, which drops the answer because it never asked a question.
You might have a workable solution if you dropped the port translation and then disabled DNS on UTM.
There are other (better) options if you obtain a second IP address.
In reply to DouglasFoster:
Unfortunately I cannot confirm your theory. I have sniffed the traffic and the packet is not being sent out to Google at all. For this I usually spawn tcpdump capturing on any interface as root on the Sophos, piping the results to my Wireshark running on my Windows host:

echo off
"C:\Program Files (x86)\WinSCP\PuTTY\plink.exe" -ssh -i "D:\id_rsa.ppk" firstname.lastname@example.org "tcpdump -i any not port 22 -s 0 -w - " | "C:\Program Files\Wireshark\Wireshark.exe" -k -i -

192.168.15.254 is the address of my Sophos in one of my internal networks. With this I can verify without any doubt that the packet has been received by the Sophos UTM but has not been routed to 22.214.171.124. I also deleted my incoming DNS DNAT and the related firewall rule completely. Same result. DNS queries from the internal network directly to a DNS server on the internet are being dropped by my Sophos.
I would assume there is some corrupted iptables chain or something like this that blocks that traffic, but I've got no idea how to identify this. Is there maybe a log that could help me figure out what my Sophos is doing?
Please help me to find a solution. This is really annoying for some network debugging and other things. If you have any idea how to figure out what exactly the issue is, tell me!
Any ideas what I could do to fix this?
In reply to Nando Neck:
Hallo Nando and welcome to the UTM Community!
"Same result. DNS queries from the internal network directly to a DNS server on the internet are being dropped by my Sophos."
Please show the line from the log where you saw this. Consider doing #1 in Rulz (last updated 2019-04-17).
Cheers - Bob
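Bob's request above is the right first step: the packet filter log, not the live view, says which rule dropped the query. As an added example that is not part of this thread, the script below pulls the dropped DNS packets out of a handful of constructed log lines written in the key="value" style the UTM packet filter uses (the field names, the rule number 60001 and all addresses are assumptions made for the sample, not taken from the poster's system) and counts them per firewall rule and inbound interface, which is exactly the line a helper would want to see.

```python
import re
from collections import Counter

# Constructed sample lines in the key="value" style of the UTM packetfilter log.
# Field names follow the usual ulogd layout; rule ids, hosts and ports are made up.
SAMPLE_LOG = """\
2019:04:17-10:00:01 utm ulogd[4321]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="192.168.15.10" dstip="198.51.100.53" proto="17" length="62" srcport="51234" dstport="53"
2019:04:17-10:00:02 utm ulogd[4321]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="3" initf="eth1" srcip="192.168.15.10" dstip="192.168.15.254" proto="17" length="62" srcport="51235" dstport="53"
2019:04:17-10:00:03 utm ulogd[4321]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="192.168.15.11" dstip="198.51.100.53" proto="17" length="62" srcport="51236" dstport="53"
2019:04:17-10:00:04 utm ulogd[4321]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="192.168.15.11" dstip="203.0.113.80" proto="6" length="60" srcport="51237" dstport="443"
"""

# One key="value" pair; values in this format never contain a double quote.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Split one packetfilter line into a dict of its key="value" fields.

    The leading timestamp/host/process prefix carries no quoted fields and is
    ignored; a line without any fields yields an empty dict.
    """
    return dict(KV_RE.findall(line))


def dropped_dns(lines):
    """Return parsed records for packets that were dropped on their way to port 53.

    Both UDP (proto 17) and TCP (proto 6) are kept, since large answers and
    zone transfers fall back to TCP/53.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec or rec.get("action") != "drop":
            continue
        if rec.get("dstport") == "53" and rec.get("proto") in ("6", "17"):
            hits.append(rec)
    return hits


def drops_by_rule(lines):
    """Count dropped DNS packets per (firewall rule, inbound interface).

    A single rule id dominating the count tells you which rule to look at in
    the UTM's rule list rather than guessing at a broken iptables chain.
    """
    return Counter((r["fwrule"], r["initf"]) for r in dropped_dns(lines))


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for rec in dropped_dns(lines):
        print(f'{rec["srcip"]}:{rec["srcport"]} -> {rec["dstip"]}:{rec["dstport"]} '
              f'proto={rec["proto"]} dropped by rule {rec["fwrule"]} on {rec["initf"]}')
    print(dict(drops_by_rule(lines)))
```

To use it on a real box, replace SAMPLE_LOG with the contents of the packet filter log (or pipe the log through the script and read sys.stdin) and filter on the internal client's address; the rule id that shows up is the one to check or to quote in the thread.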