Using the local hosts file to test a new website won't work

Hi,

 

When I set a new IP for an FQDN in my local hosts file to check the reachability of a new website, I see that my PC resolves the new IP correctly and the browser debugger points at the new IP, but the connection from the XG points at the old IP.

It seems that the XG intercepts the browser's 443 connection and then changes the destination address to the old IP, as the public DNS servers have the old record.

I've tried a web exception and later a dedicated policy with source LAN, source IP my subnet, Dest WAN, dest FQDN *.domain.com, Services Any and no security (e.g. IPS, Malware, HTTPS decrypt...), but it didn't solve it.

 

Do you have any idea about this strange thing?

XG330 (SFOS 17.5.8 MR-8) 

 

Thank you

  • I forgot an important point: if I create a static DNS entry on the XG, the same as the entry in the hosts file, the connection goes to the correct website (new IP).

  • Hi  

    Are you using caching on the XG at all?

    If you are using the web proxy, you can try creating a plain network rule above all other rules with the source IP as your test machine. Do not select any AV scanning, web policies, application policies, etc. Ensure you select a NAT policy and gateway route.

    You can restart the DNS service, which will clear its cache, by running the command: service dnsd:restart -ds nosync from the "advance console" section of the XG.

    Thanks!

  • In reply to KingChris:

    Hi, 

     

    About caching, if you mean this https://community.sophos.com/kb/en-us/134390, then no, I don't.

    I created a plain network rule above as you described and restarted the DNS service, but they didn't solve it.

     

    Any other things?

     

    Thank you

  • In reply to Ste:

    Hi  

    What DNS IPs are configured in the XG firewall?

    Please go to Diagnostics >> Name Lookup and check the DNS resolution of the domain with each IP and share the observation.

  • In reply to Keyur:

    I did, and all of them resolve with the old IP: 83.212.109.23

    What I mean is that if I set locally in the PC hosts file the record: 3.124.132.43 proxy-fenix.pilot.eduteams.org, the PC resolves with this new IP and I see the log in the log viewer:

    BUT: the connection from the XG starts to IP: 83.212.109.23

  • In reply to Ste:

    Hi  

    As you said, you added "PC Hosts file the record: 3.124.132.43 proxy-fenix.pilot.eduteams.org", which is a manual entry in the PC hosts file, and it will always resolve to the IP you have added. But I have checked with MX toolbox and it resolves 83.212.109.23 for proxy-fenix.pilot.eduteams.org; I have checked with global DNS and it is the same. This is not an issue with the Sophos XG: the DNS entry for the URL, or the CNAME record haproxy-fenix.pilot.eduteams.org for the URL, is 83.212.109.23. Please check the attached screenshot.

    You can add a DNS host entry in the Sophos XG: https://community.sophos.com/kb/en-us/123566

  • In reply to Keyur:

    I added it to the hosts file on the PC.

    Then I did a test, making the same DNS host entry on the Sophos XG, and it solved the problem. But this cannot be a solution. There is something in the XG software that is not working properly.

  • In reply to Ste:

    Hi  

    Sophos XG will forward the DNS query to the DNS IP configured in the Sophos XG firewall DNS configuration, and it will show the response received from those DNS servers.

    I have shared the screenshot of MXtoolbox, which is a global tool where there is no intervention by the Sophos XG firewall. The URL's public CNAME record IP is 83.212.109.23. Sophos XG is not acting as a DNS server; it just shows the result provided by the configured DNS IP.

  • In reply to Keyur:

    The DNS queries of the PC are not sent to the XG! They are resolved locally. The packet sent to the XG has DST addr 3.124.132.43, but then the XG sends the message to 83.212.109.23.

    This is the problem.

    Can you please understand?

    Thanks

  • In reply to Ste:

    Hi  

    Could you please verify the pharming protection? 

    Please navigate to Web >> General Settings >> Malware and content scanning >> Advanced settings >> Enable pharming protection

     
  • In reply to Keyur:

    After disabling the pharming protection, everything works as expected.

    Good to know. We have found the cause of the issue.

     

    Thank you for your support.
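
Added example, not part of the thread: as the thread found, with pharming protection enabled the XG connects to the address its own DNS servers return, not the one from the client's hosts file. This Python sketch lists hosts-file entries that disagree with upstream DNS, so you know beforehand which test overrides will not take effect; the sample hosts text, the sample answers and the `upstream_lookup` callable are constructed assumptions.

```python
import ipaddress

# Constructed sample input: the hosts-file override quoted in the thread plus defaults.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost
# test the new site before the DNS cutover
3.124.132.43 proxy-fenix.pilot.eduteams.org   # new IP
"""

# Constructed stand-in for the answers of the DNS servers the firewall uses
# (the thread reports the public record as 83.212.109.23).
SAMPLE_UPSTREAM = {"proxy-fenix.pilot.eduteams.org": {"83.212.109.23"}}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments and bad lines."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address, ignore the line
        for name in fields[1:]:
            yield str(ip), name.lower().rstrip(".")


def find_overridden(hosts_text, upstream_lookup):
    """Return hosts entries whose IP is absent from the upstream DNS answer.

    upstream_lookup(name) -> set of IP strings (empty set if the name does not resolve).
    Loopback entries are skipped because that traffic never reaches the firewall.
    """
    findings = []
    for ip, name in parse_hosts(hosts_text):
        if ipaddress.ip_address(ip).is_loopback:
            continue
        answers = upstream_lookup(name)
        if answers and ip not in answers:
            findings.append((name, ip, sorted(answers)))
    return findings


if __name__ == "__main__":
    for name, local_ip, dns_ips in find_overridden(
            SAMPLE_HOSTS, lambda n: SAMPLE_UPSTREAM.get(n, set())):
        print(f"{name}: hosts file says {local_ip}, upstream DNS says {dns_ips}")
```

For real use, pass an `upstream_lookup` that queries the same DNS servers the firewall is configured with, since the operating system's own resolver would consult the hosts file first.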