

XG Blocking DNS Lookup - DNS Request Timeout Error

Hi all,

I recently tried to point our DNS servers to our XG230 but when I run an nslookup I'm receiving the error "dns request timed out. timeout was 2 seconds".

Our setup is pretty simple. We have 2 x Windows 2012 DNS servers. Each server points to the other as the primary and then itself as the secondary. The servers are also configured to use forwarders to the local ISP. This has worked well for a long time. As soon as we point the servers to the old firewall it's fine, so the problem has to be with the XG somewhere.

I have set up a network rule for the DNS servers and the logs show that traffic on UDP port 53 is being allowed to the ISP, so it looks OK to me. I just can't figure out why nslookups are timing out. The DNS settings on the XG are set to point to the internal DNS servers, which is working fine.

I have read an article for the UTM which suggests that DNS should be pointed to the UTM with DNS request routing configured but we would prefer to keep our settings as they are for now.

Any suggestions?

Thanks

Lee



  • Hi,

    please post your DNS rule for us to review.

    Also where are you running the NSLOOKUP from?

    Ian

    XG115W - v20.0.3 MR-3 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Hi,

    Please see the rule below. I've called it a DNS rule but it basically allows any device in the LAN to access the WAN. I know this is not secure but it's for testing at present and I will lock the services and devices down once I can fix this issue.

    Match known users is not ticked and the logging is enabled. I have run the nslookup from the DNS server and from a PC connected to the domain.

    Thanks for the help again!

  • Hi Ronak,

    We have one ISP. The DNS IP is statically assigned by us. We have 2 entries pointing to our internal DNS servers and one entry pointing to google DNS. Port 5 is for the DMZ which we have not configured yet. The port is configured but it has been assigned a separate subnet address. I was wondering why Port5 was shown in the tcpdump.

    Thanks

    Lee

  • Hi,

    I recommend you use 8.8.8.8 as a forwarder. If you look at the tcpdump output, the request going out to 8.8.8.8 is getting resolved.


    01:13:32.637852 Port2, OUT: IP 21*.***.***.***.18273 > 8.8.8.8.53: 20899+ A? iprep3.t.ctmail.com. (37)

    01:13:32.647698 Port2, IN: IP 8.8.8.8.53 > 21*.***.***.***.18273: 20899 2/0/0[|domain]

    I believe you are using the wrong DNS server, or the DNS server you are using does not support your ISP's IPs.

    Regards, Ronak.

  • Hi Ronak,

    I've been testing this all day but still no joy. The ISP forwarders we were using on our DNS servers were for the original ISP so I changed them to use the ISP DNS servers that the XG is connected to. I also included 8.8.8.8.

    When I ran an nslookup I did not receive timeout errors so I thought I had resolved the issue, but name resolution still wasn't working. For some reason most domain names returned the same IP of 92.242.132.24, which I don't understand at all.

    I changed the DNS entries on the XG to use the same forwarders and 8.8.8.8, but still the same result. I then decided to change the forwarders on the DNS servers to use the XG (so the route was client > DNS server > XG > 8.8.8.8), but no difference.

    As soon as I change the default gateway of our DNS servers to the old firewall nslookup results work fine.

    I'm going to raise a support call with Sophos as this is becoming too hard. I'm considering contacting our reseller to see if we can return the XG devices as it should not be this difficult to get simple name resolution working through a firewall.

    Thanks to everyone on this forum for their suggestions. If Sophos support resolve the issue I will post again.

    Thanks

    Lee

  • Hi,

    I can only confirm the same results as Ronak:

    XG is forwarding everything correctly.

    But it does not get any reply from the DNS.

    Is your WAN IP correct? Is the WAN Interface correct? 

    Cheers


  • Hi,

    I think it is time for a network diagram because if you can change the gateway to your old box that means somewhere in the path to the internet there is a box not passing traffic correctly?

    Ian

  • Hi Ronak,

    Looks like you were on the money :) So I just got off the phone with Sophos support and whilst troubleshooting I changed the forwarder on the DNS server to 8.8.8.8. I had done this before but only as a secondary entry. The primary entry was our ISP DNS. This time I added only 8.8.8.8 and it's working fine.

    For some reason our ISP's DNS (Virgin Media Business) does not work which I find odd. Their DNS is returning incorrect IPs for nslookups.

    Anyway, thanks very much to the community for the help and the quick responses.

    Cheers

    Lee

  • Hi Lee,

    It seems we have the same problem with the XG firewall. I am a newbie to XG Firewall.

    Currently, I'm using an XG310 (SFOS 17.5.5 MR-5). I have 2 local DNS servers running on Windows Server 2016, and all the client machines are pointing to those DNS servers.

    After changing to XG Firewall from the old firewall, Kerio Control, clients report to me that sometimes they cannot access a website because their machine cannot resolve DNS; after waiting for 30 seconds they can access the website normally. This issue does not happen everywhere; it just happens on some clients, and seemingly random ones.

    On the XG Firewall DNS, I've set the 2 local DNS servers; it can resolve DNS and works fine.

    The issue sometimes still happens at the client side so far. Actually, I don't know how to figure out a way to get it fixed.

    The old firewall works normally without this issue. The local DNS servers have the same config after the change to XG Firewall.

    @Lee: Is your problem solved?

    Can you show me the DNS config on your local DNS servers and on the XG Firewall also?

    Appreciated and thank you.

    Jacky

  • So I recently discovered I'm having the same issue; sometimes certain DNS queries would time out. I've got the same setup as the others, Windows servers running DNS, using forwarders to well known DNS servers. What "fixed" it for me was disabling DNSSEC on the DNS servers.
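Two distinct symptoms surface in this thread: a forwarder that hands back a single address (92.242.132.24 in Lee's case) for most names, and intermittent timeouts that go away once DNSSEC validation is switched off. The script below is an added example, not code from the thread, from Sophos or from Microsoft. It builds raw DNS queries (optionally with the EDNS0 DO bit that a validating resolver sets), parses A-record replies, checks the transaction ID, and classifies each forwarder as ok, intermittent, unreachable or suspect. The host names, the RFC 5737 addresses and the forwarder labels isp-resolver and drops-edns-path are assumptions; the sample replies are constructed inline so the triage runs offline, and only query_live() sends real UDP.

```python
# Added example, not code from the thread or from Sophos: an offline DNS forwarder
# triage. Sample replies are constructed inline; only query_live() touches the network.
import secrets
import socket
import struct

TIMEOUT = "timeout"   # marker for "no reply before the deadline"

def build_query(name, qtype=1, txid=0x1234, dnssec_ok=False):
    """Recursive query; with dnssec_ok add an EDNS0 OPT RR (4096 B, DO=1) like a validating resolver."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if dnssec_ok else 0)  # flags: RD
    opt = b""
    if dnssec_ok:  # root name, TYPE=OPT(41), payload 4096, ext-rcode 0, version 0, DO flag, rdlen 0
        opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def _read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset just past it)."""
    labels, end = [], None
    while (length := msg[off]) != 0:
        if length & 0xC0 == 0xC0:                                  # compression pointer
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        labels.append(msg[off + 1:off + 1 + length].decode())
        off += 1 + length
    return ".".join(labels), (off + 1 if end is None else end)

def parse_a_records(msg, expected_txid=None):
    """Return (rcode, [A-record IPs]); reject a reply whose txid does not match our query."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("txid mismatch: stray or spoofed reply")
    off, ips = 12, []
    for _ in range(qd):                                            # skip the question section
        off = _read_name(msg, off)[1] + 4
    for _ in range(an):
        off = _read_name(msg, off)[1]
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off + 10:off + 14]))
        off += 10 + rdlen
    return flags & 0xF, ips

def build_sample_response(query, ips):
    """Constructed NOERROR reply to `query` (QR/RD/RA set) with one A record per IP."""
    txid = struct.unpack("!H", query[:2])[0]
    qend = _read_name(query, 12)[1] + 4
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip) for ip in ips)
    return header + query[12:qend] + rrs

def query_live(server, name, dnssec_ok=False, timeout=2.0):
    """Send one UDP query with a random txid; return the validated reply bytes or TIMEOUT."""
    txid = secrets.randbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)                                      # the 2 s deadline nslookup reports
        s.sendto(build_query(name, txid=txid, dnssec_ok=dnssec_ok), (server, 53))
        try:
            data = s.recvfrom(4096)[0]
        except socket.timeout:
            return TIMEOUT
    parse_a_records(data, expected_txid=txid)                      # raises on txid mismatch
    return data

def classify_forwarder(results):
    """results: name -> list of IPs or TIMEOUT. Flags the 'every name resolves to one IP' symptom."""
    timeouts = sum(1 for v in results.values() if v is TIMEOUT)
    if timeouts == len(results):
        return "unreachable"
    if timeouts:
        return "intermittent"
    if len(results) >= 3 and len({tuple(v) for v in results.values()}) == 1:
        return "suspect: same answer for every name"
    return "ok"

# Constructed scenario (hypothetical names, RFC 5737 addresses): one forwarder hands back a
# single IP for everything, one answers correctly, and one path drops every DO-bit query.
GOOD = {"www.example.com": "192.0.2.10", "mail.example.net": "198.51.100.25",
        "update.example.org": "203.0.113.7"}
SINKHOLE = "92.242.132.24"   # the single address the thread reports for most lookups

def simulate(forwarder, name, dnssec_ok):
    q = build_query(name, dnssec_ok=dnssec_ok)
    if forwarder == "isp-resolver":
        return build_sample_response(q, [SINKHOLE])
    if forwarder == "drops-edns-path" and dnssec_ok:
        return TIMEOUT                                             # EDNS/large replies never return
    return build_sample_response(q, [GOOD[name]])

def run_triage(dnssec_ok):
    """Classify each simulated forwarder over all sample names; returns {forwarder: verdict}."""
    verdicts = {}
    for fwd in ("isp-resolver", "8.8.8.8", "drops-edns-path"):
        results = {}
        for name in GOOD:
            reply = simulate(fwd, name, dnssec_ok)
            results[name] = reply if reply is TIMEOUT else parse_a_records(reply, 0x1234)[1]
        verdicts[fwd] = classify_forwarder(results)
    return verdicts
```

run_triage(True) marks isp-resolver as suspect, 8.8.8.8 as ok and drops-edns-path as unreachable; run_triage(False) clears the last one, which is the same before/after picture the DNSSEC post describes. Against real infrastructure, call query_live() for a handful of names on each forwarder twice, with dnssec_ok=False and True, from the DNS server itself: a validating Windows DNS server sets the DO bit, the replies then carry RRSIG records and are often larger than 512 bytes, and a path that drops EDNS or fragmented UDP shows up as exactly this kind of intermittent timeout, which is one common reason disabling DNSSEC validation makes the symptom disappear. The txid check matters because a forwarder that answers every name with one address should be treated as untrusted until the reason is known.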

  • Yeah, we are in the same boat. Actually, this issue is really annoying.

    Is your problem solved, or does it still happen?

  • Yeah, we are in the same boat. No hope!
