XG Blocking DNS Lookup - DNS Request Timeout Error

Hi,

please post your DNS rule for us to review.

Also where are you running the NSLOOKUP from?

Ian

Hi,

Please see the rule below. I've called it a DNS rule but it basically allows any device in the LAN access the WAN. I know this is not secure but it's for testing at present and I will lock the services and devices down once I can fix this issue.

Match known users is not ticked and the logging is enabled. I have run the nslookup from the DNS server and from a PC connected to the domain.

Thanks for the help again!

Hi Ronak,

We have one ISP. The DNS IP is statically assigned by us. We have 2 entries pointing to our internal DNS servers and one entry pointing to google DNS. Port 5 is for the DMZ which we have not configured yet. The port is configured but it has been assigned a separate subnet address. I was wondering why Port5 was shown in the tcpdump.

Thanks

Lee

Hi Leebtish 

I recommend you to use 8.8.8.8 as a forwarder. If you look at the tcp output request going out on 8.8.8.8 is getting resolved.

01:13:32.637852 Port2, OUT: IP 21*.***.***.***.18273 > 8.8.8.8.53: 20899+ A? iprep3.t.ctmail.com. (37)

01:13:32.647698 Port2, IN: IP 8.8.8.8.53 > 21*.***.***.***.18273: 20899 2/0/0[|domain]

I believe you are using wrong DNS server or the DNS server used by you doesnot support your ISP IP's

Regards, Ronak.

Hi Ronak,

I've been testing this all day but still no joy. The ISP forwarders we were using on our DNS servers were for the original ISP so I changed them to use the ISP DNS servers that the XG is connected to. I also included 8.8.8.8.

When I ran an nslookup I did not receive timeout errors so I thought I had resolved the issue, but name resolution still wasn't working. For some reason most domain names returned the same IP of 92.242.132.24 whichI don't understand at all.

I changed the DNS entries on the XP to use the same forwarders and 8.8.8.8. but still the same result. I then decided to change the forwarders on the DNS servers to use the XG, (so the route was client > dns server > XG > 8.8.8.8) but no difference.

As soon as I change the default gateway of our DNS servers to the old firewall nslookup results work fine.

I'm going to raise a support call with Sophos as this is becoming too hard. I'm considering contacting our reseller to see if we can return the XG devices as it should not be this difficult to get simple name resolution working through a firewall.

Thanks to everyone on this forum for their suggestions. If Sophos support resolve the issue I will post again.

Thanks

Lee

Hi,

can only confirm the same results as Ronak,

XG is forwarding everything correctly.

But does not get any reply by the DNS. 

Is your WAN IP correct? Is the WAN Interface correct? 

Cheers

Hi,

I think it is time for a network diagram because if you can change the gateway to your old box that means somewhere in the path to the internet there is a box not passing traffic correctly?

ian

Hi Ronak,

Looks like you were on the money :) So I just got off the phone with Sophos support and whilst troubleshooting I changed the forwarder on the DNS server to 8.8.8.8. I had done this before but only as a secondary entry. The primary entry was our ISP DNS. This time I added only 8.8.8.8 and it's working fine.

For some reason our ISP's DNS (Virgin Media Business) does not work which I find odd. Their DNS is returning incorrect IPs for nslookups.

Anyway, thanks very much to the community for the help and the quick responses.

Cheers

Lee

Hi Lee,

Seem to be we are the same problem with XG firewall. I am a newbie of XG Firewall.

Currently, I'm using XG310 (SFOS 17.5.5 MR-5). I have 2 DNS server local running on Windows Server 2016, all the client machine are pointing to that DNS server.

After changing to XG Firewall from the old firewall Kerio Control, client reports me that sometimes they cannot access the website since their machine cannot resolve DNS, waiting for 30 seconds then they can access website normally. This issue did not happen overall, it just happens on some client and seems to be the random client.

On the XG Firewall DNS, I've set 2 DNS server local, it can resolve DNS and work fine.

The issue sometimes still happens at the client side so far. Actually, I didn't know how to finger-out the way to get it fixed.

The old firewall is work normally without this issue. DNS server local are the same config after a change to XG Firewall.

@Lee: Is your problem solved?

Can you show me the DNS config on your DNS server local and XG Firewall also?

Appreciated and thank you.

Jacky

So I recently discovered I'm having the same issue; sometimes certain DNS queries would time out.  I've got the same setup as the others, Windows servers running DNS, using forwarders to well known DNS servers.  What "fixed" it for me was disabling DNSSec on the DNS servers.  

Yeah, We are on the same boat. Actually, this issue really annoying.....

Is it your problem solved? or still, happen?

yeah, we are on the same boat. No hope!....

yeah, we are on the same boat. No hope!....