
DNS Packets dropped

Hello,

I have a strange issue. I see thousands of dropped packets on port 53. We have an internal DNS server that uses my UTM DNS Server as forwarder. Dropped packets are sent from the internal DNS server (192.168.x.x) to the UTM address on the internal interface (192.168.x.y). UTM successfully accepts DNS requests from the internal network; all seems to work fine.

UTM uses Google DNS Server as forwarders (8.8.8.8 and 8.8.4.4).

10:29:49 Default DROP DNS 192.168.X.X : 53 → 192.168.X.Y : 41329 len=85 ttl=128 tos=0x00 srcmac=34:40:b5:92:03:aa dstmac=00:1a:8c:58:8f:fa
10:29:49 Default DROP DNS 192.168.X.X : 53 → 192.168.X.Y : 52094 len=85 ttl=128 tos=0x00 srcmac=34:40:b5:92:03:aa dstmac=00:1a:8c:58:8f:fa
10:29:49 Default DROP DNS 192.168.X.X : 53 → 192.168.X.Y : 59460 len=85 ttl=128 tos=0x00 srcmac=34:40:b5:92:03:aa dstmac=00:1a:8c:58:8f:fa
10:29:49 Default DROP DNS 192.168.X.X : 53 → 192.168.X.Y : 60055 len=85 ttl=128 tos=0x00 srcmac=34:40:b5:92:03:aa dstmac=00:1a:8c:58:8f:fa
10:29:49 Default DROP DNS 8.8.8.8 : 53    →    WAN_ADDRESS : 6120 len=191 ttl=49 tos=0x00 srcmac=d0:d0:fd:cd:11:ca dstmac=00:1a:8c:58:8f:fb


I really don't understand why these packets are dropped. All seems to work fine... Could anyone suggest a reason/solution?

Thanks



  • Does your firewall rule allow for dns to any ipv4 address?


  • Yes, it has... FROM Internal (NETWORK) To ANY - DNS Service... In fact I can use external dns servers (ie google) in my clients, instead of using 192.168.x.y... and it works....

  • mmm... but these packets are coming FROM port 53, not directed TO port 53...

  • Hi David,

    Any catch in the packetfilter.log ?

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • I've been fighting DNS issues for a while now, and I can confirm the same issue in the logs when it's not working.

    All internal clients point to 2 active directory dns servers, and those two servers have a forwarder to the UTM. Under allowed networks, I've got both my internal DNS servers listed. Under the forwarders tab I've got Google DNS and my ISP's DNS listed. For the UTM reports I've also got the request routing setup.

    It's totally random, I can open a command prompt on my PC and do a nslookup google.ca. Most of the time it works, when it doesn't the same lines are listed in the firewall log

    /var/log/packetfilter.log:2016:12:20-12:53:38 sophosutm ulogd[31970]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcmac="78:2b:cb:5b:7a:39" dstmac="00:1a:8c:58:c8:a6" srcip="192.168.50.10" dstip="192.168.50.1" proto="17" length="72" tos="0x00" prec="0x00" ttl="128" srcport="59630" dstport="53"

    Above is Primary AD DNS server 192.168.50.10 and the UTM sitting at 192.168.50.1

    Yet, I can do the same nslookup moments later and it works fine. No drops in the log.

    My firewall rule for this is:

    Source(Network Group containing both AD DNS servers) Services(Group containing DNS and NTP) Destination ANY ---> Allowed

    This was also the case when I had my ISP forwarders setup on my internal server, no UTM performing the external lookups. Lookups would timeout, and the corresponding drop in the log.
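As an added example (not code from the thread or from Sophos), the dropped-packet lines quoted above can be triaged by parsing the ulogd key="value" format and separating dropped DNS queries (to port 53) from dropped DNS replies (from port 53), grouped by firewall rule and address pair. The sample log lines are constructed, modelled on the entry quoted in this post; the addresses are made up.

```python
import re
from collections import Counter

# Sophos UTM writes packetfilter.log via ulogd as space-separated key="value" pairs.
KV_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_line(line):
    """Return the key/value fields of one ulogd packetfilter line, or None if it is not one."""
    if 'sub="packetfilter"' not in line:
        return None
    return dict(KV_RE.findall(line))

def classify_dns_drop(rec):
    """Label a dropped TCP/UDP packet by its DNS role: 'query' (to port 53),
    'reply' (from port 53) or None if it is not a DNS drop at all."""
    if rec.get('action') != 'drop' or rec.get('proto') not in ('6', '17'):
        return None
    if rec.get('dstport') == '53':
        return 'query'
    if rec.get('srcport') == '53':
        return 'reply'
    return None

def summarize(log_text):
    """Count DNS drops per (role, fwrule, srcip, dstip). A large 'reply' bucket
    means the firewall is discarding DNS answers rather than queries, which is
    the pattern reported in this thread (packets coming FROM port 53)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        role = classify_dns_drop(rec)
        if role:
            counts[(role, rec['fwrule'], rec['srcip'], rec['dstip'])] += 1
    return counts

# Constructed sample (fwrule 60001 is the input-chain drop the support reply mentions).
SAMPLE_LOG = """\
2016:12:20-12:53:38 sophosutm ulogd[31970]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcip="192.168.50.10" dstip="192.168.50.1" proto="17" length="72" ttl="128" srcport="59630" dstport="53"
2016:12:20-12:53:39 sophosutm ulogd[31970]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcip="192.168.50.10" dstip="192.168.50.1" proto="17" length="85" ttl="128" srcport="53" dstport="41329"
2016:12:20-12:53:39 sophosutm ulogd[31970]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcip="192.168.50.10" dstip="192.168.50.1" proto="17" length="85" ttl="128" srcport="53" dstport="52094"
2016:12:20-12:53:40 sophosutm ulogd[31970]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="2" initf="eth0" srcip="192.168.50.10" dstip="8.8.8.8" proto="17" length="72" ttl="127" srcport="60001" dstport="53"
2016:12:20-12:53:41 sophosutm sshd[1234]: unrelated line that must be skipped
"""

if __name__ == '__main__':
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(n, *key)
```

Run it against a real /var/log/packetfilter.log by replacing SAMPLE_LOG with the file contents; accepted packets and non-packetfilter lines are ignored.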

  • Hi,

    In the packet filter logfile, fwrule="60001" means that the packet is dropped in the input chain of iptables. Do you have any DNAT rule for DNS services? Check the Interface Binding, that the source and destination port are correct, that you are matching the correct protocol (TCP, UDP, Both), and that the IP addresses are correct.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • Definitely none of those. Like I said, it appears to be random. Lookups fail one minute, work fine the next.

    I've removed the internal DNS servers from the "Allowed Networks" DNS and applied the setting. I then re-added them again, and applied. I also did the same for the firewall rule I had created, I'll continue to monitor it. 

  • Was this resolved by resetting the content of 'Allowed Networks' as you described? It sounds like you're close to DNS best practice, so I can't guess what might have caused this.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • So far, although this was one strange problem. I could test nslookups once a day for a week, and they'd be fine. Then another day they would fail. It hasn't crapped out since my last post, so I'm hopeful!