
Unable to Add DNS Host to Allowed Networks for Filtering

Hello,


I am trying to use site path routing under web application firewall and use a "DNS Host" entry in the allowed networks list, however it's not working.

If I have the DNS host entry myhost.duckdns.org it resolves the IP correctly (172.X.X.X) when I hover over it. But when I try to access the site I get this in the log:

2018:02:11-01:18:20 sophos httpd[11890]: [authz_host:error] [pid 11890:tid 4005301104] [client 172.X.X.X:38181] AH01753: access check of 'myhost.duckdns.org' to /favicon.ico failed, reason: unable to get the remote host name, referer: https://sub.mysite.com/
2018:02:11-01:18:20 sophos httpd[11890]: [authz_core:error] [pid 11890:tid 4005301104] [client 172.X.X.X:38181] AH01630: client denied by server configuration: proxy:balancer://0e9f56dedc1c6a43ee0c263a6d1b336b/favicon.ico, referer: https://sub.mysite.com/
2018:02:11-01:18:20 sophos httpd: id="0299" srcip="172.X.X.X" localip="my public ip address" size="220" user="-" host="172.X.X.X" method="GET" statuscode="403" reason="-" extra="-" exceptions="-" time="407" url="/favicon.ico" server="sub.mysite.com" port="443" query="" referer="https://sub.mysite.com/" cookie="-" set-cookie="-" uid="WoAKXKDSF5y5D4BBABz"
If I manually put the IP address itself in allowed networks it allows me through fine to my intended site. What can I do to get the DNS host working? I am unable to use access control by IP since this is for a mobile device and the IP changes often, so I was planning to use duckdns to update the IP so Sophos can constantly pick up the change.


  • What version, Mark - 9.506?

    Cheers - Bob
    PS Moving this from General Discussion to Web Server Security.

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi folks!


    I can confirm this with version 9.508.


    Setting access control in Site Path Routing from Any to specific DNS hosts, the following message appears in the log: AH01630: client denied by server configuration.

    Disabling access control or setting allowed networks back to Any, everything works fine. And yes, the current IP address of the device connecting to the WAF matches the DNS record.


    It's a guess, but maybe the WAF does a reverse lookup? And if there is no match access is blocked?


    My scenario: Mobile phone with DynDNS client. Should connect to my on-premise MDM solution. DNS object with its DynDNS A record created (as I said, IP matches). In the log there is not only the IP address logged but also a DNS name. This DNS name is from my telephone company, so WAF does a reverse lookup. rDNS doesn't match configured DNS host -> block? Then it would be nice if this could be disabled. Or it is a bug, which wouldn't be surprising either.

  • Yes, WAF is doing a reverse lookup for DNS host objects. From the online help:

    Note – When a DNS host object is configured for access control, for every HTTP request a DNS reverse lookup is made for the client IP address. If the DNS reverse lookup succeeds, the resulting hostname is compared to the hostname of the configured DNS host object and a decision can be made whether the HTTP request is allowed or denied for that DNS host object.
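To make the documented behaviour concrete, here is an added illustration (not Sophos code, not from this thread) of the two possible checks: the reverse-lookup comparison the online help describes, and a forward lookup of the DNS host object's A record compared against the client address. The resolver, the IP 198.51.100.23 and the PTR name are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample DNS data: a DynDNS name that points at the client,
# while the client's PTR record belongs to the ISP (as in the thread).
CONSTRUCTED_PTR = {"198.51.100.23": "host-23.example-isp.net"}
CONSTRUCTED_A = {"myhost.duckdns.org": ["198.51.100.23"]}


@dataclass
class FakeResolver:
    """Offline stand-in for DNS so the checks can be run without a network."""
    ptr: Dict[str, str] = field(default_factory=dict)
    a: Dict[str, List[str]] = field(default_factory=dict)

    def reverse(self, ip: str) -> Optional[str]:
        return self.ptr.get(ip)          # None models "unable to get the remote host name"

    def forward(self, name: str) -> List[str]:
        return self.a.get(name, [])


def _norm(name: str) -> str:
    return name.rstrip(".").lower()


def allowed_by_reverse_name(client_ip: str, dns_host: str, resolver: FakeResolver) -> bool:
    """Documented UTM behaviour: PTR lookup of the client IP, hostname compared
    with the configured DNS host object. A failed reverse lookup means deny."""
    rname = resolver.reverse(client_ip)
    if rname is None:
        return False
    return _norm(rname) == _norm(dns_host)


def allowed_by_forward_address(client_ip: str, dns_host: str, resolver: FakeResolver) -> bool:
    """Alternative check: resolve the DNS host object's A record and compare
    the client IP with it. This is what a DynDNS client actually keeps current."""
    return client_ip in resolver.forward(dns_host)


if __name__ == "__main__":
    r = FakeResolver(CONSTRUCTED_PTR, CONSTRUCTED_A)
    print("reverse-name check:", allowed_by_reverse_name("198.51.100.23", "myhost.duckdns.org", r))
    print("forward-address check:", allowed_by_forward_address("198.51.100.23", "myhost.duckdns.org", r))
```

Run with the sample data, the reverse-name check denies the client because its PTR is the ISP's name, while the forward-address check allows it; a client with no PTR record at all is denied by the first check, matching the AH01753 line in the original post.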

  • Oh my... looked into the online help and overlooked it. Thanks for the clarification. So it's completely hopeless to get a disable option for this :(

  • Hello,


    I need a way to bypass the reverse DNS check.... :-( Is it possible to change some config entries???


    Why doesn't Sophos leave this option at the customer level, to decide whether a reverse lookup should be used.... :(


    Need to add DynDNS clients to WAF access control.... hmmm :(

  • I think this is a bug then, ewadie.

    The UTM is trying to do an rDNS lookup using the 'Hostname' in the network object instead of the 'address'.

    Cheers - Bob

  • BAlfson said:

    I think this is a bug then, ewadie.

    The UTM is trying to do an rDNS lookup using the 'Hostname' in the network object instead of the 'address'.

    The reverse lookup for DNS host objects works as implemented and documented. But from the comments in this thread I tend to agree that it might not be the ideal behavior for all scenarios. I will bring this up but I can't make any promises.

  • Thank you, it would be very nice if the customer could choose whether a reverse DNS lookup of the IP is also required:

    Funny thing is that my DynDNS host objects are working for "Bad Reputation Skip":


    And also for User Portal Access..... :

    There is no reverse DNS used there.

  • Clearly, it's not working correctly in WAF, and the log above demonstrates that.

    Cheers - Bob
