Sophos xg can't resolve own hostname and internal server

Hello all,

I am currently trying to configure Sophos xg to replace my Fritzbox.

Through problems with certificates, I have become aware that my DNS resolution for internal hosts and the XG itself is not working.

Currently I have only a test client, which has the xg entered as the default gateway and DNS server.

When accessing blocked websites I always had problems with the certificate and had read somewhere that I should choose the hostname of the firewall as the redirection page so that there are no problems with the CN.
Here I found out that I cannot ping the XG by name. I have now added the XG as a DNS host, but it still does not work. I also cannot ping other hosts, which have meanwhile been registered as DNS hosts as well.

Does anyone have an idea what I have configured wrong?

Many greetings
Marc



Added TAGs
[edited by: emmosophos at 5:46 PM (GMT -7) on 23 Aug 2021]
  • The first step would be to check if DNS is allowed on the zone.

    Another useful thing is packet capture:

    you can see if, and probably why, something like DNS is blocked.

  • DNS is enabled in the zone LAN

    Here is the result from the packet capture. Where can I see here if it has been blocked?

    Here is the result of nslookup:

    nslookup schneckenxg
    DNS request timed out.
        timeout was 2 seconds.
    Server:  UnKnown
    Address:  172.16.0.2

    Non-authoritative answer:
    DNS request timed out.
        timeout was 2 seconds.
    Name:    schneckenxg
    Address:  172.16.0.2

    172.16.0.2 is the LAN Interface
    172.16.3.103 is the client

  • Hello Ian,

    is it not possible to have only the XG as DNS server?

    Regards
    Marc

  • Yes, it is, but on the internal side, not the external side. You need to provide some external DNS access to resolve lookups.

    Ian

     
    V18.5.x - e3-1225v5 6gb ram with 4 ports - 20w. 
    If a post solves your question use the 'This helped me' link.
  • Hello Ian,

    thanks for the answer

    Doesn't the lookup of external names work automatically via the WAN interface? I am not sure what I need to change.

    Sorry for possible stupid questions.

    Regards
    Marc

  • But you have told the WAN interface to use the internal address of the XG as its lookup.

    In the DNS settings, change the DNS to use the DHCP settings for the WAN interface, or use fixed as you have.

    I have mine set to use my ISP's DNS IPv4 and IPv6; a lot of people use 8.8.8.8 or 4.4.4.4 or 1.1.1.1, which are a mix of Google and Cloudflare DNS.

    Ian

     
  • Hi Ian,

    Now I changed DNS 1 to 8.8.8.8 and the DNS query configuration.

    The network configuration on my client looks like this:

       IPv4 Address. . . . . . . . . . . : 172.16.3.100
       Subnet Mask . . . . . . . . . . . : 255.255.248.0
       Default Gateway . . . . . . . . . : 172.16.0.2 (XG)
       DNS Servers . . . . . . . . . . . : 172.16.0.2 (XG)

    Unfortunately, it still doesn't work.

    Even ipconfig /flushdns on the client does not help.

    Regards

    Marc

  • Please remove the 127 address; that is an internal non-routable address and should not be on the external interface.

    Then allow time for the XG to update its tables.

    Ian

     
  • Hi Ian,

    I have now removed 127 and waited about 3 hours. Unfortunately without success. Restarting the XG does not work either.

    What I notice is that when I execute the following command on my client, a DNS error occurs:

        netsh interface ipv4 set dnsservers name="Ethernet 2" static 172.16.0.2

        The configured DNS server is incorrect or does not exist.
        
    Any idea?

    Regards

    Marc

  • From your screenshots the XG is now using 8.8.8.8 as primary DNS. It should now be able to resolve names on its own.

    By the way, the 127.0.0.1 should be OK to stay there as second resolver. This would be the only way to resolve names that are only configured on the XG with static mappings.

    On the XG, when you go to Diagnostics > Tools > Name lookup,

    select "lookup using all configured servers".

    Can you resolve an external FQDN?

  • DNS is enabled in the zone LAN

    Here is the result from the packet capture. Where can I see here if it has been blocked?

    Scroll to the right side in that results window. If you see something like "violation" there, it's blocked. "Consumed" means the (DNS) packet was for the XG itself and is "consumed", so not forwarded to someone else.

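Editor-added example, not code from the thread or from Sophos: a standard-library-only Python probe that does what the nslookup run and the XG "Name lookup" tool above do by hand, but with the timeout, the response code and the transaction ID made explicit, plus a small decision table that maps the two probes (an internal name, an external FQDN) onto the failure modes the replies describe. The hostname and addresses are taken from the thread; `build_response` fabricates a reply so the parser runs offline; `diagnose` is the editor's reading of the advice above, not a Sophos-documented table; `example.com` stands in for whatever external FQDN you test with.

```python
"""Editor-added DNS probe: raw A query over UDP, nslookup-style 2 s timeout,
rcode and transaction-ID check, and a mapping of the outcome onto the
failure modes discussed in the thread.  build_response() fabricates a reply
for offline use; it is not what the XG sends."""
import random
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """RFC 1035 wire form: length-prefixed labels, zero-terminated."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, txid, qtype=1):
    """Header + one question (type A by default, class IN), recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def read_name(data, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:            # compression pointer
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_response(data):
    """Return txid, rcode name, AA flag and all A-record addresses in a reply."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):                      # skip the echoed question(s)
        _, offset = read_name(data, offset)
        offset += 4
    addresses = []
    for _ in range(an):
        _, offset = read_name(data, offset)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata, offset = data[offset:offset + rdlen], offset + rdlen
        if rtype == 1 and rdlen == 4:
            addresses.append(".".join(str(b) for b in rdata))
    rcode = flags & 0xF
    return {"txid": txid, "rcode": RCODES.get(rcode, str(rcode)),
            "authoritative": bool(flags & 0x0400), "addresses": addresses}


def probe(server, name, timeout=2.0):
    """One UDP A query with nslookup's 2-second timeout; reports instead of raising."""
    txid = random.randrange(0x10000)
    result = {"name": name, "server": server, "rcode": None, "addresses": []}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, 53))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return dict(result, status="TIMEOUT")
    parsed = parse_response(data)
    # A reply whose ID does not match ours is not our answer (stray or spoofed).
    status = "OK" if parsed["txid"] == txid else "BADID"
    return dict(result, status=status, rcode=parsed["rcode"], addresses=parsed["addresses"])


def build_response(query, addresses, rcode=0):
    """Constructed reply (offline testing only): echoes the question and adds one
    A record per address, using a pointer (0xC00C) back to the question name."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8580 | rcode, 1, len(addresses), 0, 0)
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
                       + bytes(int(o) for o in a.split(".")) for a in addresses)
    return header + query[12:] + answers


def diagnose(internal, external):
    """Map an internal-name probe and an external-name probe onto the thread's
    advice (editor's reading, not a Sophos table).  Returns (code, explanation)."""
    def ok(r):
        return r["status"] == "OK" and r["rcode"] == "NOERROR" and bool(r["addresses"])
    if internal["status"] == "TIMEOUT" and external["status"] == "TIMEOUT":
        return "UNREACHABLE", ("no reply at all: check that DNS is allowed on the zone, "
                               "then look for 'violation' in a packet capture")
    if ok(internal) and not ok(external):
        return "NO_UPSTREAM", ("the XG answers but cannot resolve external names: its own "
                               "DNS servers must point at an external resolver, not at the XG")
    if ok(external) and internal["status"] == "OK" and internal["rcode"] == "NXDOMAIN":
        return "NO_STATIC_ENTRY", ("external names work but the internal name is unknown: "
                                   "add a static DNS host and keep 127.0.0.1 as a resolver")
    if ok(internal) and ok(external):
        return "OK", "both names resolve"
    return "MIXED", "inspect the rcodes and the packet capture"


if __name__ == "__main__":
    # Offline demo on a fabricated reply; against the real firewall you would run
    # diagnose(probe("172.16.0.2", "schneckenxg"), probe("172.16.0.2", "example.com")).
    print(parse_response(build_response(build_query("schneckenxg", 0x1234), ["172.16.0.2"])))
```

Run it from the test client with the XG's LAN address as `server`: two timeouts reproduce the nslookup output in the thread and point at the zone's DNS service or a firewall rule rather than at the resolver configuration; an internal answer with an external SERVFAIL or timeout points at the XG's own DNS server list, which is the case the replies about the WAN interface and the 127.0.0.1 entry address.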