
XG Blocking DNS Lookup - DNS Request Timeout Error

Hi all,

I recently tried to point our DNS servers to our XG230 but when I run an nslookup I'm receiving the error "dns request timed out. timeout was 2 seconds".

Our setup is pretty simple. We have 2 x Windows 2012 DNS servers. Each server points to the other as the primary and then itself as the secondary. The servers are also configured to use forwarders to the local ISP. This has worked well for a long time. As soon as we point the servers to the old firewall it's fine, so the problem has to be with the XG somewhere.

I have set up a network rule for the DNS servers and the logs show that traffic on UDP port 53 is being allowed to the ISP, so it looks OK to me. I just can't figure out why nslookups are timing out. The DNS settings on the XG are set to point to the internal DNS servers, which is working fine.

I have read an article for the UTM which suggests that DNS should be pointed to the UTM with DNS request routing configured but we would prefer to keep our settings as they are for now.

Any suggestions?

Thanks

Lee



  • Hi,

    please post your DNS rule for us to review.

    Also where are you running the NSLOOKUP from?

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v20.0.2 MR-2

    If a post solves your question please use the 'Verify Answer' button.

  • Hi,

    Please see the rule below. I've called it a DNS rule but it basically allows any device in the LAN to access the WAN. I know this is not secure, but it's for testing at present and I will lock the services and devices down once I can fix this issue.

    Match known users is not ticked and the logging is enabled. I have run the nslookup from the DNS server and from a PC connected to the domain.

    Thanks for the help again!

  • Hi,

    I can only confirm the same results as Ronak:

    XG is forwarding everything correctly.

    But it does not get any reply from the DNS.

    Is your WAN IP correct? Is the WAN Interface correct? 

    Cheers


  • Hi,

    I think it is time for a network diagram, because if you can change the gateway to your old box, that means somewhere in the path to the internet there is a box not passing traffic correctly?

    ian


  • Hi Ronak,

    Looks like you were on the money :) So I just got off the phone with Sophos support, and while troubleshooting I changed the forwarder on the DNS server to 8.8.8.8. I had done this before, but only as a secondary entry; the primary entry was our ISP DNS. This time I added only 8.8.8.8 and it's working fine.

    For some reason our ISP's DNS (Virgin Media Business) does not work, which I find odd. Their DNS is returning incorrect IPs for nslookups.

    Anyway, thanks very much to the community for the help and the quick responses.

    Cheers

    Lee

  • Hi Lee,

    It seems we have the same problem with the XG firewall. I am a newbie to the XG Firewall.

    Currently, I'm using an XG310 (SFOS 17.5.5 MR-5). I have 2 local DNS servers running on Windows Server 2016, and all the client machines point to those DNS servers.

    After changing to the XG Firewall from the old firewall, Kerio Control, clients report to me that sometimes they cannot access a website because their machine cannot resolve DNS; after waiting for 30 seconds they can access the website normally. This issue does not happen everywhere, it just happens on some clients, and they seem to be random clients.

    In the XG Firewall DNS settings, I've set the 2 local DNS servers; it can resolve DNS and works fine.

    The issue still sometimes happens on the client side so far. Actually, I don't know how to figure out a way to get it fixed.

    The old firewall worked normally without this issue. The local DNS servers have the same config after the change to the XG Firewall.

    @Lee: Is your problem solved?

    Can you show me the DNS config on your local DNS server and on the XG Firewall as well?

    Appreciated and thank you.

    Jacky

  • So I recently discovered I'm having the same issue; sometimes certain DNS queries would time out. I've got the same setup as the others: Windows servers running DNS, using forwarders to well-known DNS servers. What "fixed" it for me was disabling DNSSEC on the DNS servers.

  • Yeah, we are in the same boat. Actually, this issue is really annoying.....

    Is your problem solved? Or does it still happen?

  • Yeah, we are in the same boat. No hope!....

  • I did a little experimentation today on a hunch that *seems* to have resolved it, but it is too early to be sure. I created a firewall rule for just the DNS servers, LAN to WAN, and only the DNS service. I set Intrusion Prevention to NONE.

    After doing that, DNS resolution that was failing consistently immediately began working. 

    I should add that the IPS log did not show any denials related to DNS, but I have learned that doesn't necessarily mean anything.

  • Bill, have you had more issues with this DNS problem?


    I've created the rule and changed my DNS servers. Apparently it is all ok now.

    Before it was awful.

    XG85w_AM02_SFOS 17.5.9 MR-9# nslookup
    > server
    Default server: 127.0.0.1
    Address: 127.0.0.1#53

    > ebay.com

    Domain Name Server# 127.0.0.1
    Domain Name # (null)
    Resolved Address 1# 66.135.195.175
    Resolved Address 2# 66.135.196.249
    Total query time # 3050.35 msec

    > ebay.de

    Domain Name # (null)
    Resolved Address 1# 66.135.196.249
    Resolved Address 2# 66.135.195.175
    Total query time # 3119.64 msec


    I'm still not sure if the rule is the correct solution.
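Several posts above narrow the fault down the same way: the query leaves the firewall, but a particular forwarder either never answers within nslookup's 2-second timeout or answers slowly (the 3-second query times in the console output above), and disabling DNSSEC or swapping the forwarder makes the symptom go away. The script below is an added example, not code from the original thread or from Sophos, that reproduces that test from a host behind the firewall without relying on nslookup: it builds a raw DNS query (optionally with an EDNS0 OPT record and the DO bit, which is what a DNSSEC-enabled Windows DNS server sends to its forwarders and which produces the larger responses that sometimes get dropped), sends it over UDP to each forwarder, measures the round trip, and parses the reply, so you can compare an ISP resolver against 8.8.8.8 side by side with and without the DO bit. The forwarder addresses in the usage section and the embedded sample response are constructed for illustration.

```python
import socket
import struct
import time

DNS_PORT = 53


def build_query(name, qtype=1, txid=0x1234, dnssec_ok=False):
    """Build a standard recursive DNS query for `name` (A record by default).

    With dnssec_ok=True an EDNS0 OPT record is appended with the DO bit set and a
    4096-byte UDP payload size, which is the shape of query a DNSSEC-validating
    forwarder emits and which provokes large (often >512-byte) replies.
    """
    flags = 0x0100  # RD: ask the server to recurse
    arcount = 1 if dnssec_ok else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    opt = b""
    if dnssec_ok:
        # OPT RR: root name, type 41, "class" = UDP payload size,
        # "TTL" = ext-rcode/version/flags with DO = 0x8000, rdlen 0
        opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0)
    return header + question + opt


def _read_name(data, offset):
    """Read a possibly compressed DNS name; return (name, offset after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            offset += 1
            if not jumped:
                end = offset
            return ".".join(labels), end
        offset += 1
        labels.append(data[offset:offset + length].decode())
        offset += length


def parse_response(data, expected_txid=None):
    """Return rcode, TC flag and the answer records of a DNS response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch (stray or spoofed reply)")
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = _read_name(data, offset)
        offset += 4
    answers = []
    for _ in range(an):
        _, offset = _read_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append(socket.inet_ntoa(rdata))
        elif rtype == 28 and rdlen == 16:
            answers.append(socket.inet_ntop(socket.AF_INET6, rdata))
        else:
            answers.append(f"type{rtype}:{rdata.hex()}")
    return {"rcode": flags & 0x000F, "truncated": bool(flags & 0x0200), "answers": answers}


def query(server, name, timeout=2.0, dnssec_ok=False):
    """Send one UDP query and time it; timeout defaults to nslookup's 2 seconds."""
    txid = 0x1234
    packet = build_query(name, txid=txid, dnssec_ok=dnssec_ok)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    start = time.monotonic()
    try:
        sock.sendto(packet, (server, DNS_PORT))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return {"server": server, "ok": False, "error": "timeout",
                "ms": round((time.monotonic() - start) * 1000, 1)}
    finally:
        sock.close()
    result = parse_response(data, expected_txid=txid)
    result.update({"server": server, "ok": result["rcode"] == 0,
                   "ms": round((time.monotonic() - start) * 1000, 1)})
    return result


def compare_forwarders(servers, name, dnssec_ok=False, timeout=2.0):
    """Query every forwarder for `name` and return the per-server results."""
    return [query(s, name, timeout=timeout, dnssec_ok=dnssec_ok) for s in servers]


# Constructed sample reply (not captured traffic): txid 0x1234, flags QR|RD|RA,
# one question for ebay.com, two A answers using name compression.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)
    + b"\x04ebay\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton("66.135.195.175")
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton("66.135.196.249")
)

if __name__ == "__main__":
    # Forwarder addresses below are placeholders; substitute your ISP resolver.
    for do in (False, True):
        for r in compare_forwarders(["8.8.8.8", "192.0.2.53"], "ebay.com", dnssec_ok=do):
            print(f"DO={do} {r['server']:>15} {r['ms']:>8} ms  {r.get('error') or r['answers']}")
```

Run it once with the DO bit off and once with it on from the DNS server itself: a forwarder that answers quickly without DO but times out or returns TC=1 with DO points at something between you and it dropping or mangling large UDP replies (the IPS or a DNS application filter is the usual suspect on the firewall side), whereas a forwarder that fails either way is the ISP resolver or the route to it. The transaction-ID check in parse_response is there so a late reply to an earlier probe is not mistaken for the answer to the current one.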

  • I have read the best practices as described on the board, and really the only thing we're not doing that is recommended is to deliver the OpenDNS servers as secondary and tertiary DNS servers through DHCP.
