
WebProtection can't resolve hostnames without domain suffix

It seems that it's not possible to use WebProtection at all if I need http access to hosts on local or tunneled networks.

For example, on Windows workstations there is an advanced DNS tab where I can put in a list of additional domain suffixes, so every DNS request is suffixed with those domains until a matching host is found.

Now, when I use WebProtection in "Transparent mode" and try to access host-xyz without a domain suffix, I get an error message from the Sophos firewall.

Now my questions:

1. Is there a way to add multiple domain suffixes for the WebProtection proxy?

2. Since those hosts are trusted web servers, it would also be OK to create an Exception in Filtering Options to skip protection when accessing hostnames without domain suffixes. How could I create such an exception?

  • If they're internal, you should bypass the proxy. Add them to the transparent mode skip list.

    At the same time, add your domain suffix to Web Protection - Filtering Options - Misc --> Search domain

  • I have a VPN tunnel to a network with another DNS suffix. I added this suffix to "Network Services" -> "DNS" -> "Request Routing" and pointed it to the DNS server of the other network, so that the UTM knows which DNS server it has to ask when someone calls a URL with this suffix. But this is not working for HTTP requests over the WebProtection proxy. I get an error "No route to host". I think the WebProtection proxy asks only the external DNS servers, not the internal or forwarded DNS servers.

    You need to add the networks to the exception list of the WebProtection to solve this.

  • https://community.sophos.com/kb/en-us/115191 also


    Probably wouldn't hurt to read some documentation before setting the UTM up

  • The article has nothing to do with the problem. There is no NAT and/or asynchronous routing, because he tried to access an "internal" URL over a VPN tunnel, which has a different DNS suffix than his own LAN. The problem seems to be that the WebProtection proxy doesn't resolve the DNS suffix of the VPN network, and it tried to resolve it via the external DNS servers.

    Maybe it works when he creates a static DNS entry in the UTM with the DNS suffix of the VPN LAN.

  • Chris, is this the three company situation?  Did you configure according to my discussion on your first thread?

    I'm a little confused by your problem here.  In Transparent mode, it's the client that does the DNS query, not the UTM, so I don't understand how the DNS problem could be involved with the UTM.  Please show us a picture of the error and show the line in the Web Filtering log file related to the URL that gave rise to the error.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Jas man, how does your configuration differ from DNS best practice?

    Please show the line from the Web Filtering log related to this problem.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Chris,

    Use request routing when you want the UTM to route the DNS queries to an internal DNS server. When you do not want to set up your own DNS server but need a static DNS mapping for a few hosts of your network, you can enter these mappings.

    Now, as per the Windows guide, you can use the advanced DNS settings only if you are not using "Obtain DNS server address automatically" on the General tab. I think the Windows KBA here will also be handy for this purpose.

    What confuses me here is which hosts you are trying to access without DNS suffix: external or internal. Also, when you do a DNS query, does that query reach the UTM? Show us the http.log and packetfilter.log for the source IP address.

    Finally, if you want the requests to be handled by the UTM as per my first paragraph, make sure the Windows systems have their Primary DNS set to the internal address of the UTM.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • Hi,

    My DNS Setup on the internal network (windows servers & clients):
    The internal windows clients use internal Windows DNS servers for lookup (let's call them dc01 & dc02). The forwarders on dc01 & dc02 are set to 8.8.8.8 and 8.8.4.4.
    I also have 3 conditional providers. Those are the domains and DNS servers of the other company we connect to with a VPN tunnel. This has been proven to work for years.

    On our sophos utm:

    The DNS "Forwarders" on the UTM are pointing to our internal Windows DNS servers dc01 & dc02.
    In "Request Routing" I also added those 3 external domains and their DNS servers. Basically this should not be necessary, since dc01 & dc02 already know how to resolve domains from the external network, but I added them just in case I have to change the forwarders to an external DNS server instead of our internal ones.

    On our Windows clients we have extra domain suffixes with those domains of the other company. This means if someone needs to resolve, for example, "hostxyz", the local DNS on the client appends all domain suffixes in order to this hostname and creates a FQDN. Those FQDNs are then resolvable with our internal DNS and/or the DNS of the other company.

    I tried to activate WebProtection in transparent mode on the Sophos UTM and had a look at the live log. This entry represents a failed DNS lookup:

    2017:02:21-20:35:25 sophos-sg210 httpproxy[7945]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.91.42" dstip="" user="" group="" ad_domain="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2487" request="0xdf377000" url="http://intranet/" referer="" error="Host not found" authtime="0" dnstime="2" cattime="114" avscantime="0" fullreqtime="360" device="0" auth="0" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:51.0) Gecko/20100101 Firefox/51.0" exceptions="" category="9998" reputation="unverified" categoryname="Uncategorized".

    And this error I get in the browser window:


    So even in transparent mode, WebProtection seems to work as a proxy, and it seems to resolve hostnames using the defined DNS forwarders.

  • Chris, is the client at 192.168.91.42 in the same subnet as the device at "internet" or is it on a different Ethernet segment?

    The easiest thing to do would be to add the IP of "internet" to the Transparent Mode Skiplist on the 'Misc' tab.

    Again, if the client at 192.168.91.42 is not configured to use the Proxy explicitly, it should have obtained the DNS resolution itself - so this situation is confusing.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi,

    let me draft the complete network (domain names & host names are placeholders):

    Sophos UTM with ipsec tunnel to site with domain abc.com & def.com, network 10.64.0.0/16

    Local Network - 192.168.91.0/24
    Client:   client1 (192.168.91.42)
    DNS Servers: dc01, dc02
    Local domain suffix: xyz.com

    Conditional forwarders on dc01 & dc02 for domains abc.com & def.com, so we can resolve all FQDNs with abc.com and def.com suffixes.
    The same setting on the Sophos UTM is called "Request Routing", where I can define a domain and the related DNS servers that know all the hostnames.

    On our local clients, in the settings of the network adapter, advanced DNS tab, we use "Append these DNS suffixes (in order)":

    xyz.com
    abc.com
    def.com

    One of their web servers has the hostname "intranet"; its FQDN is then intranet.abc.com (IP address: 10.64.4.81)

    ...if we did not define these additional suffixes and ran "nslookup intranet", the network stack would just try to look up intranet.xyz.com, which doesn't exist. The host "intranet" only exists on the remote network (connected via IPsec tunnel). That's why we have to add those two additional suffixes - but that works quite well (without WebProtection).


    I assume that the WebProtection proxy does a DNS lookup even in transparent mode. But it has no definition for domain suffixes like Windows clients have. This means I cannot tell it that there are some additional domain suffixes abc.com and def.com. The Sophos UTM cannot construct a FQDN intranet.abc.com or intranet.def.com - it could only do a DNS lookup if the FQDNs were already constructed. This can be verified on the Sophos UTM in Tools->DNS Lookup: intranet is not resolvable, but intranet.abc.com is.


    >> The easiest thing to do would be to add the IP of "internet" to the Transparent Mode Skiplist on the 'Misc' tab.

    Regarding the "skiplist"... there are too many hosts in the remote network that we need to connect to. It's an impossible task to get the list of all those remote hosts and put them in a list or definition.

    >> Again, if the client at 192.168.91.42 is not configured to use the Proxy explicitly, it should have obtained the DNS resolution itself - so this situation is confusing

    The client probably does resolve it and is capable of doing that. But the WebProtection proxy probably tries to re-resolve the hostname from the HTTP request and fails to do so because it doesn't have the domain suffixes.
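The mechanism the thread circles around is a resolver search list: a Windows client appends each configured suffix in order to an unqualified name until one resolves, while the proxy looks up the bare name from the HTTP request as-is. The following Python script is an added example (not code from the thread or from Sophos): it parses a UTM httpproxy log line in the key="value" format shown above, flags "Host not found" entries whose URL host is unqualified, and replays what the client's search list would have tried. The log line, the search list and the stub zone data are constructed from the placeholder names in the thread (intranet.abc.com at 10.64.4.81); the function names are my own.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample: a UTM httpproxy live-log line in the thread's key="value" style
SAMPLE_LOG = (
    '2017:02:21-20:35:25 sophos-sg210 httpproxy[7945]: id="0002" severity="info" '
    'sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" '
    'srcip="192.168.91.42" dstip="" statuscode="502" url="http://intranet/" '
    'error="Host not found" dnstime="2"'
)
# Constructed control line: a fully qualified request that succeeded
OK_LOG = (
    '2017:02:21-20:36:01 sophos-sg210 httpproxy[7945]: id="0001" severity="info" '
    'sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" '
    'srcip="192.168.91.42" dstip="10.64.4.81" statuscode="200" '
    'url="http://intranet.abc.com/" error="" dnstime="1"'
)

# The client's "Append these DNS suffixes (in order)" list from the thread (placeholders)
SEARCH_LIST = ["xyz.com", "abc.com", "def.com"]

# Constructed stand-in for what dc01/dc02 plus the conditional forwarders would answer
ZONE: Dict[str, str] = {
    "intranet.abc.com": "10.64.4.81",
    "dc01.xyz.com": "192.168.91.10",
}

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_utm_log(line: str) -> Dict[str, str]:
    """Split a UTM httpproxy line into its key="value" fields (quoted values may contain spaces)."""
    return dict(KV_RE.findall(line))


def host_from_url(url: str) -> Optional[str]:
    """Extract the host part of an http(s) URL, dropping any port."""
    m = re.match(r"^[a-z]+://([^/:]+)", url)
    return m.group(1) if m else None


def is_unqualified(host: str) -> bool:
    """A single-label name has no dot and depends on a search list to become a FQDN."""
    return "." not in host


def candidate_fqdns(host: str, search_list: List[str]) -> List[str]:
    """Names a Windows client tries for an unqualified host, in search-list order."""
    if not is_unqualified(host):
        return [host]
    return [f"{host}.{suffix}" for suffix in search_list]


def resolve_with_search_list(
    host: str, search_list: List[str], lookup: Callable[[str], Optional[str]]
) -> Optional[Tuple[str, str]]:
    """Return (fqdn, ip) for the first candidate the resolver answers, else None."""
    for candidate in candidate_fqdns(host, search_list):
        ip = lookup(candidate)
        if ip:
            return candidate, ip
    return None


def stub_lookup(name: str) -> Optional[str]:
    """Exact-name lookup only: this is what a proxy without a search list can do."""
    return ZONE.get(name)


def explain_failure(line: str, search_list: List[str],
                    lookup: Callable[[str], Optional[str]]) -> Optional[Dict[str, object]]:
    """Diagnose a 'Host not found' line: did the proxy fail only because the name was unqualified?"""
    rec = parse_utm_log(line)
    if rec.get("error") != "Host not found":
        return None
    host = host_from_url(rec.get("url", "")) or ""
    return {
        "srcip": rec.get("srcip"),
        "host": host,
        "unqualified": is_unqualified(host),
        # What the proxy does: look up the bare name exactly as sent
        "proxy_lookup": lookup(host),
        # What the client's search list would have produced for the same name
        "client_resolution": resolve_with_search_list(host, search_list, lookup),
    }


if __name__ == "__main__":
    for entry in (SAMPLE_LOG, OK_LOG):
        print(explain_failure(entry, SEARCH_LIST, stub_lookup))
```

When run, the failed line reports the bare host "intranet", an empty proxy lookup, and the client-side resolution to intranet.abc.com / 10.64.4.81, which is exactly the asymmetry the last post describes; the successful control line yields no diagnosis. Against a real httpproxy log, lines where `unqualified` is true and `client_resolution` is set are the ones that a search-domain setting or a skip-list entry on the UTM would address.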