WebProtection can't resolve hostnames without domain suffix

Hi Chris,

Use request routing when you want the UTM to route the DNS queries to an internal DNS server and when you do not want to set up your own DNS server but need a static DNS mapping for a few hosts of your network, you can enter these mappings.

Now, as per the Windows guide, you can use the advanced DNS settings only if you are not using Obtain DNS server address automatically on the General tab. I think the windows KBA here will also be handy for this purpose.

What confuses me here is that which hosts are you trying to access without DNS suffix; external or internal. Alongside, when you do a DNS query does that query reach on UTM, show us the http.log and packetfilter.log for the source IP address.

Finally, if you want the requests to be handled by the UTM as per my first para, make sure the windows system have their Primary DNS set to internal address of the UTM.

Thanks

Hi,

My DNS Setup on the internal network (windows servers & clients):
The internal windows clients use internal Windows DNS servers for lookup (let's call them dc01 & dc02). The forwarders on dc01 & dc02 are set to 8.8.8.8 and 8.8.4.4.
I also have 3 conditional providers. Those are the domains and dns servers of the other company where we connect to with a vpn-tunnel. This is proven to work since years.

On our sophos utm:

The DNS "Forwarders" on the UTM are pointing to our internal Windows DNS servers dc01 & dc02.
In "Request Routing" I also added those 3 external domains and the DNS servers. Basically this should be not necessary since dc01 & dc02 already know how to resolve domains from the external network but I added them just in case I have to change forwarders to external DNS server instead of our internal.

On our windows clients we have extra domain suffixes with those domains of the other company. This means if someone needs to resolve for example "hostxyz" the local DNS on the client adds all domain suffixes in order to this hostname and creates a FQDN. Those FQDNs are then resolvable with our internal DNS and/or the DNS of the other company.

I tried to activate WebProtection in transparent mode on sophos utm and had a look on the live-log. This entry represents a failed DNS lookup:

2017:02:21-20:35:25 sophos-sg210 httpproxy[7945]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.91.42" dstip="" user="" group="" ad_domain="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2487" request="0xdf377000" url="http://intranet/" referer="" error="Host not found" authtime="0" dnstime="2" cattime="114" avscantime="0" fullreqtime="360" device="0" auth="0" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:51.0) Gecko/20100101 Firefox/51.0" exceptions="" category="9998" reputation="unverified" categoryname="Uncategorized".

And this error I get in the browser window:

So even in transparent mode the WebProtection seems to work as a proxy and it seems to resolve hostnames using the defined DNS forwarders.

Chris, is the client at 192.168.91.42 in the same subnet as the device at "internet" or is it on a different Ethernet segment?

The easiest thing to do would be to add the IP of "internet" to the Transparent Mode Skiplist on the 'Misc' tab.

Again, if the client at 192.168.91.42 is not configured to use the Proxy explicitly, it should have obtained the DNS resolution itself - so this situation is confusing.

Cheers - Bob

Hi,

let me draft the complete network (domain-names & host-names are placeholders):

Sophos UTM with ipsec tunnel to site with domain abc.com & def.com, network 10.64.0.0/16

Local Network - 192.168.91.0/24
Client:   client1 (192.168.91.42)
DNS Servers: dc01, dc02
Local domain suffix: xyz.com

Conditional forwarders on dc01 & dc02 for domains abc.com & def.com so we can resolve all FQDNs with abc.com and def.com suffixes.
The same setting on sophos utm is called "Request Routing" where I can define a domain and the related dns servers who know all the hostnames.

On our local clients client in the settings of the network adapter, advanced DNS tab we use "Append these DNS suffixes (in order)":

xyz.com
abc.com
def.com

One of their web servers has the hostname "intranet", his FQDN is then intranet.abc.com  (ip address: 10.64.4.81)

 ...if we would not define these additional suffixes and would "nslookup intranet" the network stack would just try to lookup intranet.xyz.com which doesn't exist. The host "intranet" only exists on the remove network (connected via ipsec tunnel). That's why we have to add those two additional suffixes - but that works quite good (without WebProtection).


I assume that the webprotection proxy does a DNS lookup even in transparent mode. But it has no definition for domain suffixes like windows clients have. This means I can not tell it that there are some additional domain suffixes abc.com and def.com. The sophos utm can not construct a FQDN intranet.abc.com or intranet.def.com - it could only do a DNS lookup if the FQDNs were already constructed. This can be verified on Sophos UTM in Tools->DNS Lookup: intranet is not resolvable but intranet.abc.com is.

>> The easiest thing to do would be to add the IP of "internet" to the Transparent Mode Skiplist on the 'Misc' tab.

Regarding the "skiplist"...there are too many hosts in the remote network that we need to connect to. It's an impossible task of getting the list of all those remote hosts and putting them in a list or definition.

>> Again, if the client at 192.168.91.42 is not configured to use the Proxy explicitly, it should have obtained the DNS resolution itself - so this situation is confusing

The client probably does resolve it and it's capable of doing that. But the webprotection proxy probably tries to re-resolve the hostname from the HTTP request and fails doing that becaue it doesn't have the domain suffixes.

"Regarding the "skiplist"...there are too many hosts in the remote network that we need to connect to. It's an impossible task of getting the list of all those remote hosts and putting them in a list or definition."

In this case, use CIDR notation for the network(s) there.

"I assume that the webprotection proxy does a DNS lookup even in transparent mode."

In Transparent, the client does the DNS lookup.  In Standard, the Proxy does it.  If your client is configured to use the UTM as an explicit proxy, but the UTM is configured in Transparent, the Proxy will handle the request as if it were in Standard mode.  Make sure 'Automatically detect settings' is not selected in 'LAN Settings' in IE.

I bet that last comment resolves your issue, but you might want to consider DNS best practice.

Cheers - Bob

"Regarding the "skiplist"...there are too many hosts in the remote network that we need to connect to. It's an impossible task of getting the list of all those remote hosts and putting them in a list or definition."

In this case, use CIDR notation for the network(s) there.

"I assume that the webprotection proxy does a DNS lookup even in transparent mode."

In Transparent, the client does the DNS lookup.  In Standard, the Proxy does it.  If your client is configured to use the UTM as an explicit proxy, but the UTM is configured in Transparent, the Proxy will handle the request as if it were in Standard mode.  Make sure 'Automatically detect settings' is not selected in 'LAN Settings' in IE.

I bet that last comment resolves your issue, but you might want to consider DNS best practice.

Cheers - Bob