This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos xg can't resolve own hostname and internal server

Hello all,

I am currently trying to configure Sophos xg to replace my Fritzbox.

From problems with certificates, I have become aware that my DNS resolution for internal hosts and the xg itself is not working.

Currently I have only a test client, which has the xg entered as the default gateway and DNS server.

When accessing blocked websites I always had problems with the certificate and had read somewhere that I should choose the hostname of the firewall as redirection page so that there are no problems with the CN.
Here I found out that I can not make a ping on the name of the XG. Now I added the XG as DNS-HOST, but it still does not work. Also other host, which are meanwhile also registered as DNS host I can not reach via ping.

Does anyone have an idea what I have configured wrong?

Many greetings
Marc

This thread was automatically locked due to age.

Top Replies

LHerzog over 2 years ago +1

the first step would be to check if DNS is allowed on the Zone. An other useful thing is packet capture you can see if and probably why something like DNS is blocked

Parents

0 LHerzog over 2 years ago

the first step would be to check if DNS is allowed on the Zone.

An other useful thing is packet capture

you can see if and probably why something like DNS is blocked
Cancel
Vote Up +1 Vote Down

Cancel
0 initB10r over 2 years ago in reply to LHerzog

DNS is enabled in the zone LAN

Here is the result from the packet capture. Where can I see here if it has been blocked?

Here is the result of nslookup:

nslookup schneckenxg
DNS request timed out.
    timeout was 2 seconds.
Server: UnKnown
Address: 172.16.0.2

Nicht autorisierende Antwort:
DNS request timed out.
    timeout was 2 seconds.
Name:    schneckenxg
Address: 172.16.0.2

172.16.0.2 is the LAN Interface
172.16.3.103 is the client
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 initB10r over 2 years ago in reply to LHerzog

DNS is enabled in the zone LAN

Here is the result from the packet capture. Where can I see here if it has been blocked?

Here is the result of nslookup:

nslookup schneckenxg
DNS request timed out.
    timeout was 2 seconds.
Server: UnKnown
Address: 172.16.0.2

Nicht autorisierende Antwort:
DNS request timed out.
    timeout was 2 seconds.
Name:    schneckenxg
Address: 172.16.0.2

172.16.0.2 is the LAN Interface
172.16.3.103 is the client
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 rfcat_vk over 2 years ago in reply to initB10r

Hi,

please try adding you XG into the Network -> DNS -> DNS host entry table.

Ian

XG115W - v20.0.1 MR-1 - Home

XG on VM 8 - v20 GA

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 initB10r over 2 years ago in reply to rfcat_vk

DNS Host was already added:

Any other idea?
Cancel
Vote Up 0 Vote Down

Cancel
0 rfcat_vk over 2 years ago in reply to initB10r

Hi,

Please post a copy of your DNS setup, there appears to be an issue with the XG DNS configuration. Also check the DNS setting on your test device.

Ian

XG115W - v20.0.1 MR-1 - Home

XG on VM 8 - v20 GA

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 initB10r over 2 years ago in reply to rfcat_vk

Hello Ian,

hopefully here are all the information:

Have I forgotten a configuration? I'm currently having a bit of trouble with the configuration. I had administered an asg8 years ago.

Regards
Marc
Cancel
Vote Up 0 Vote Down

Cancel
0 rfcat_vk over 2 years ago in reply to initB10r

Hi,

thank you for all there screenshots.

The XG should be using an external DNS, where you would add the XG as an internal DNS is in the DHCP settings.

Ian

XG115W - v20.0.1 MR-1 - Home

XG on VM 8 - v20 GA

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 initB10r over 2 years ago in reply to rfcat_vk

Hello Ian,

is it not possible to have only the XG as DNS server?

Regards
Marc
Cancel
Vote Up 0 Vote Down

Cancel
0 rfcat_vk over 2 years ago in reply to initB10r

Yes, it is but on the internal side not the external side. You need to provide some external DNS access to resolve lookups.

Ian

XG115W - v20.0.1 MR-1 - Home

XG on VM 8 - v20 GA

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 initB10r over 2 years ago in reply to rfcat_vk

Hello Ian,

thanks for the answer

Doesn't the lookup of external names work automatically via the WAN interface? I am not sure what I need to change.

Sorry for possible stupid questions.

Regards
Marc
Cancel
Vote Up 0 Vote Down

Cancel
0 rfcat_vk over 2 years ago in reply to initB10r

But, you have told the WAN interface to use the internal address of the XG as its lookup.

In the DNS settings change the DNS to use DHCP settings for the WAN interface or used fixed as you have.

I have mine set to use my ISP's DNS IP4 and IPv6, alot of people use 8.8.8.8 or 4.4.4.4 or 1.1.1.1 which are a mix of Google and Cloudflare DNS.

Ian

XG115W - v20.0.1 MR-1 - Home

XG on VM 8 - v20 GA

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 initB10r over 2 years ago in reply to rfcat_vk

Hi Ian,

now I changed DNS 1 to 8.8.8.8 and the dns query configuration

The network configuration on my client looks like this:

   IPv4-Adresse . . . . . . . . . . : 172.16.3.100
   Subnetzmaske . . . . . . . . . . : 255.255.248.0
   Standardgateway . . . . . . . . . : 172.16.0.2 (XG)
   DNS-Server . . . . . . . . . . . : 172.16.0.2(XG)

Unfortunately, it still doesn't work.

Even ipconfig /flushdns on the client does not help.

Regards

Marc
Cancel
Vote Up 0 Vote Down

Cancel