Sophos XG can't resolve its own hostname or internal servers

Hello all,

I am currently trying to configure a Sophos XG to replace my Fritzbox.

Through problems with certificates, I have become aware that my DNS resolution for internal hosts and for the XG itself is not working.

Currently I have only a test client, which has the XG entered as the default gateway and DNS server.

When accessing blocked websites I always had problems with the certificate, and had read somewhere that I should choose the hostname of the firewall as the redirection page so that there are no problems with the CN.
Here I found out that I cannot ping the name of the XG. I have now added the XG as a DNS host, but it still does not work. I also cannot ping other hosts which are meanwhile also registered as DNS hosts.

Does anyone have an idea what I have configured wrong?

Many greetings
Marc



Added TAGs
[edited by: emmosophos at 5:46 PM (GMT -7) on 23 Aug 2021]
  • The first step would be to check if DNS is allowed on the zone.

    Another useful thing is packet capture:

    you can see if, and probably why, something like DNS is blocked.

  • DNS is enabled in the zone LAN

    Here is the result from the packet capture. Where can I see here if it has been blocked?

    Here is the result of nslookup:

    nslookup schneckenxg
    DNS request timed out.
        timeout was 2 seconds.
    Server:  UnKnown
    Address:  172.16.0.2

    Non-authoritative answer:
    DNS request timed out.
        timeout was 2 seconds.
    Name:    schneckenxg
    Address:  172.16.0.2

    172.16.0.2 is the LAN Interface
    172.16.3.103 is the client

  • Hi Ian,

    now I changed DNS 1 to 8.8.8.8 and the DNS query configuration.

    The network configuration on my client looks like this:

       IPv4 Address. . . . . . . . . . . : 172.16.3.100
       Subnet Mask . . . . . . . . . . . : 255.255.248.0
       Default Gateway . . . . . . . . . : 172.16.0.2 (XG)
       DNS Servers . . . . . . . . . . . : 172.16.0.2 (XG)

    Unfortunately, it still doesn't work.

    Even ipconfig /flushdns on the client does not help.

    Regards

    Marc

  • Please remove the 127 address; that is an internal non-routable address and should not be on the external interface.

    Then allow time for the XG to update its tables.

    ian

     
    V18.5.x - e3-1225v5 6gb ram with 4 ports - 20w. 
    If a post solves your question use the 'This helped me' link.
  • Hi Ian,

    I have now removed 127 and waited about 3 hours. Unfortunately without success. Restarting the XG does not work either.

    What I notice is that when I execute the following command on my client, a DNS error occurs:

        netsh interface ipv4 set dnsservers name="Ethernet 2" static 172.16.0.2

        The configured DNS server is incorrect or does not exist.
        
    Any idea?

    Regards

    Marc

  • From your screenshots the XG is now using 8.8.8.8 as primary DNS. It should now be able to resolve names on its own.

    btw. the 127.0.0.1 should be OK to stay there as second resolver. This would be the only way to resolve names, that are only configured on the XG with static mappings.

    On XG when you go to diagnostic > tools > name lookup

    Select lookup using all configured servers

    can you resolve external FQDN?

  • DNS is enabled in the zone LAN

    Here is the result from the packet capture. Where can I see here if it has been blocked?

    Scroll to the right side in that results window. If you see something like "violation" there, it's blocked. "Consumed" means the (DNS) packet was for the XG itself and is "consumed", so not forwarded to anyone else.

  • I turned the packet capture on again and pinged the name of the XG. Here is the result:

    I can't find "violated", but some "consumed".

  • and can the lan machines resolve external DNS, too?

    In the screenshots you posted, you use something like

    have you tried using a FQDN like schneckenXG.mydomain.local -> 172.16.0.2

    Packet Capture looks good.

  • These are static DNS HOSTS to test a host other than just the XG.

    I can ping other external hosts. Unfortunately, an attempt with an FQDN "schneckenXG.schneckenhaus.local" did not help either:

    "schneckenhaus.local" is defined in my dhcp-Server:

    Any idea?

  • btw. the 127.0.0.1 should be OK to stay there as second resolver. This would be the only way to resolve names, that are only configured on the XG with static mappings.

    This is not correct if you are using the XG as your internal DNS. The external FQDN is different from the internal FQDN, and looking at the PCAP result there appears to be a firewall rule allowing LAN devices to go straight to the external DNS and not use the internal DNS.

    There is no real reason to allow users to use external DNS when you have better security using the XG DNS; that is one less exposure point.

    Ian

  • I am really clueless. Is there a possibility for users of a home licence to open a case?

  • Sorry, no, you must rely on the forum members for support.

    I use the internal DNS settings to access my XG GUI; otherwise I receive security errors and fail to connect.

    I do not add the .local to my devices, just the name in the DNS and DHCP assignments.

    The XG uses external DNS addresses and my internal devices use the XG internal DNS for each network.

    Ian

  • I do not add the .local to my devices, just the name in the DNS and DHCP assignments.

    This is exactly how it should work here. The attempt with *.local was only a test.

    Is there still a switch somewhere where I have to activate the internal DNS server of the XG?

    What is interesting for me is the error message from Windows when I statically enter the DNS via commandline:

        netsh interface ipv4 set dnsservers name="Ethernet 2" static 172.16.0.2
        The configured DNS server is incorrect or does not exist.

    Regards
    Marc

  • No, there is no switch other than adding the address in the DHCP settings. I assume Ethernet 2 is the second NIC on the PC. If you are using the DHCP function, the DNS should be assigned by the DHCP server.

    ian

  • I don't think it makes any difference whether the DNS server is assigned statically or via DHCP. Only the DNS suffix is different. The question is why Windows notices that the DNS server is wrong.

    Setup the ipv4 to DHCP
    C:\Windows\system32>netsh interface ipv4 set address name="Ethernet 2" source=dhcp
    C:\Windows\system32>netsh interface ipv4 set dnsservers name="Ethernet 2" source=dhcp
    C:\Windows\system32>ipconfig /all
    ...
    Ethernet adapter Ethernet 2:

       Connection-specific DNS Suffix  . : schneckenhaus.local
       Description . . . . . . . . . . . : Dell GigabitEthernet
       Physical Address. . . . . . . . . : 34-48-ED-B9-1E-F9
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 172.16.3.100(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.248.0
       Lease Obtained. . . . . . . . . . : Tuesday, 24 August 2021 15:53:40
       Lease Expires . . . . . . . . . . : Wednesday, 25 August 2021 15:53:40
       Default Gateway . . . . . . . . . : 172.16.0.2
       DHCP Server . . . . . . . . . . . : 172.16.0.2
       DNS Servers . . . . . . . . . . . : 172.16.0.2
       NetBIOS over Tcpip. . . . . . . . : Enabled
    ...

    Setup the ipv4 to static
    C:\Windows\system32>netsh interface ipv4 set address name="Ethernet 2" static 172.16.3.100 255.255.248.0 172.16.0.2
    C:\Windows\system32>netsh interface ipv4 set dnsservers name="Ethernet 2" static 172.16.0.2
            The configured DNS server is incorrect or does not exist.
    C:\Windows\system32>ipconfig /all
    ...
    Ethernet adapter Ethernet 2:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Dell GigabitEthernet
       Physical Address. . . . . . . . . : 34-48-ED-B9-1E-F9
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 172.16.3.100(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.248.0
       Default Gateway . . . . . . . . . : 172.16.0.2
       DNS Servers . . . . . . . . . . . : 172.16.0.2
       NetBIOS over Tcpip. . . . . . . . : Enabled
    ...

    In any case, no ping to a DNS host works in both variants.
    If no one has any more ideas, I'll perform a factory reset and hope that this will solve the problem.

  • Hi Marc,

    I don't have a problem with Windows 10 latest build and the DNS assignment using the XG DHCP server. As a last experiment, try putting the PC in the same 172.16.0 address range.

    Ian

  • It is really frustrating, I have now completely reinstalled the XG cleanly.
    As a summary, the following was output at the end:

     

    	Basic settings
    	Hostname: schneckenxg
    	Time zone: Europe/Berlin
    	 
    	Network settings
    	Internet connection: DHCP on Port2
    	Local network: Port1
    	IP: 172.16.0.2/255.255.248.0
    	DHCP enabled
    	 
    	#Default_Network_Policy has been created with:
    	Scan HTTP: Disable
    	Detect zero-day threats with Sandstorm: Disable
    	Web policy: -
    	Intrusion prevention: -
    	
    	Created linked NAT rule "#NAT_Default_Network_Policy" with source translated to MASQ.
    	 
    	Notifications and backups:
    	.....
    

    After that I just set "AdminConsole and end-user interaction" to "Use ... hostname":

    And added the DNS HOST for the XG:

    These are now the DNS settings:

    The 2nd IP in the settings is now my Fritzbox, as the DSL modem is not yet connected.

    I have now given my client the IP 172.16.0.7:

    Ethernet adapter Ethernet 2:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Dell GigabitEthernet
       Physical Address. . . . . . . . . : 34-48-ED-B9-1E-F9
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 172.16.0.7(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.248.0
       Default Gateway . . . . . . . . . : 172.16.0.2
       DNS Servers . . . . . . . . . . . : 172.16.0.2
       NetBIOS over Tcpip. . . . . . . . : Enabled


    Still no ping works on the hostname of the XG.

    I have checked the zone. DNS is allowed there:


    Tracert from the client to the XG returns the following result:
    C:\Users\marc>tracert schneckenxg
    The target name schneckenxg could not be resolved.



    nslookup from the client to the XG returns the following result.
    C:\Users\marc>nslookup schneckenxg
    Server:  schneckenxg
    Address:  172.16.0.2

    Non-authoritative answer:
    DNS request timed out.
        timeout was 2 seconds.
    Name:    schneckenxg
    Address:  172.16.0.2


    Ping from the client to the XG returns the following result:
    C:\Users\marc>ping schneckenxg
    Ping request could not find host "schneckenxg". Check the name and try again.


    Tracert from client the google.com returns the following result:
    C:\Users\marc>tracert google.com

    Tracing route to google.com [66.102.1.139]
    over a maximum of 30 hops:

      1    <1 ms     3 ms    <1 ms  schneckenxg [172.16.0.2]
      2     2 ms     5 ms     2 ms  fritz.box [172.16.0.1]
      3     9 ms     9 ms    13 ms  dus1901aihr001.versatel.de [62.214.63.82]
      4     7 ms     7 ms     8 ms  62.214.36.97
      5    12 ms    12 ms    12 ms  62.214.32.33
      6     *        *        *     Request timed out.
      7    25 ms    21 ms    19 ms  108.170.251.144
      8    20 ms    20 ms    20 ms  209.85.252.77
      9    24 ms    24 ms    23 ms  66.249.95.226
     10    23 ms    23 ms    49 ms  216.239.56.27
     11    24 ms    24 ms    23 ms  209.85.242.47
     12  ^C


    nslookup from client to the google.com delivers the following result
    C:\Users\marc>nslookup google.com
    Server:  schneckenxg
    Address:  172.16.0.2
    
    Non-authoritative answer:
    DNS request timed out.
        timeout was 2 seconds.
    Name:    google.com
    Addresses:  66.102.1.139
              66.102.1.100
              66.102.1.101
              66.102.1.102
              66.102.1.113
              66.102.1.138


    Ping from client the google.com delivers the following result:

    C:\Users\marc>ping google.com

    Pinging google.com [66.102.1.139] with 32 bytes of data:
    Reply from 66.102.1.139: bytes=32 time=23ms TTL=106
    Reply from 66.102.1.139: bytes=32 time=23ms TTL=106
    Reply from 66.102.1.139: bytes=32 time=24ms TTL=106
    Reply from 66.102.1.139: bytes=32 time=22ms TTL=106

    Ping statistics for 66.102.1.139:
        Packets: Sent = 4, Received = 4, Lost = 0
        (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 22ms, Maximum = 24ms, Average = 23ms

    I am completely confused. There must be something missing in the configuration.

    Regards
    Marc
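Added diagnostic for the nslookup outputs in this thread (this is an example written for this page, not code from the thread, from Sophos or from Microsoft). nslookup first sends a PTR query for the resolver's own address, which is where the "Server: UnKnown" line and the first "DNS request timed out" line come from when that reverse lookup fails, and only then sends the forward query; ping, by contrast, goes through the Windows DNS Client service with its cache and suffix list rather than talking to 172.16.0.2 directly, so the two tools can disagree. The script below sends both queries straight to the resolver over UDP with nslookup's 2-second timeout and reports each result separately, so a timeout on the reverse lookup is not mistaken for a failure of the forward lookup. The resolver address and hostname are the thread's; the two sample response packets are constructed here so the parser can be exercised offline.

```python
import random
import socket
import struct

RESOLVER = "172.16.0.2"   # the XG LAN interface, from the thread
HOST = "schneckenxg"      # the XG hostname, from the thread
TIMEOUT = 2.0             # the timeout nslookup reports
QTYPE_A, QTYPE_PTR = 1, 12
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, qtype, txid=None):
    """Wire-format DNS query: header with RD=1, one question, class IN."""
    txid = random.randint(0, 0xFFFF) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def ptr_name(ip):
    """Reverse-lookup name for an IPv4 address (what nslookup asks first)."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def _read_name(data, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        ln = data[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer
            end = off + 2 if end is None else end
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(data[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (off if end is None else end)


def parse_response(data):
    """Parse the header, skip the question, collect A and PTR answers."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        _, off = _read_name(data, off)
        off += 4                                   # qtype + qclass
    answers = []
    for _ in range(an):
        _, off = _read_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == QTYPE_A and rdlen == 4:
            answers.append(("A", socket.inet_ntoa(data[off:off + 4])))
        elif rtype == QTYPE_PTR:
            answers.append(("PTR", _read_name(data, off)[0]))
        else:
            answers.append((str(rtype), data[off:off + rdlen].hex()))
        off += rdlen
    return {"id": txid, "rcode": flags & 0xF, "aa": bool(flags & 0x0400),
            "answers": answers}


def query(server, name, qtype, timeout=TIMEOUT):
    """Send one query over UDP; distinguish a timeout from a real answer."""
    txid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name, qtype, txid), (server, 53))
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return {"status": "timeout"}
        except OSError as exc:                     # e.g. no route to the server
            return {"status": f"error: {exc}"}
    result = parse_response(data)
    if result["id"] != txid:
        return {"status": "mismatched transaction id"}
    result["status"] = "ok"
    return result


def describe(result):
    """One-line summary in the spirit of nslookup's output."""
    if result["status"] == "timeout":
        return "DNS request timed out"
    if result["status"] != "ok":
        return result["status"]
    code = RCODES.get(result["rcode"], str(result["rcode"]))
    if not result["answers"]:
        return f"{code}, no answers"
    return f"{code}: " + ", ".join(f"{t} {v}" for t, v in result["answers"])


def diagnose(server=RESOLVER, host=HOST):
    """Run the two queries nslookup runs and return both summaries."""
    reverse = describe(query(server, ptr_name(server), QTYPE_PTR))
    forward = describe(query(server, host, QTYPE_A))
    return {"ptr_of_server": reverse, "a_of_host": forward}


# Constructed sample packets (not captured from the thread) so the parser can
# be checked without a network: "schneckenxg" -> 172.16.0.2 and the reverse.
SAMPLE_A_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8580, 1, 1, 0, 0)
                     + b"\x0bschneckenxg\x00\x00\x01\x00\x01"
                     + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04"
                     + b"\xac\x10\x00\x02")
SAMPLE_PTR_RESPONSE = (struct.pack("!HHHHHH", 0x1235, 0x8580, 1, 1, 0, 0)
                       + b"\x012\x010\x0216\x03172\x07in-addr\x04arpa\x00"
                       + b"\x00\x0c\x00\x01"
                       + b"\xc0\x0c\x00\x0c\x00\x01\x00\x00\x0e\x10\x00\x0d"
                       + b"\x0bschneckenxg\x00")

if __name__ == "__main__":
    for what, summary in diagnose().items():
        print(f"{what}: {summary}")
```

Run it from the LAN client: a "DNS request timed out" on ptr_of_server with a NOERROR answer on a_of_host means only the reverse zone is missing on the resolver, which is cosmetic; a timeout on a_of_host means the forward query itself is not being answered and the XG packet capture (looking for "consumed" versus "violation" on port 53) is the next place to look.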

  • Change your DNS settings to use either DHCP or PPPoE and try again.

    Ian

  • I have now switched off DHCP on the XG and switched it on on the Fritzbox.

    DNS is now also set to DHCP. But unfortunately without any success

  • There was no mention of another router between you and your ISP.

    DHCP on the XG is for it to receive an IP address on its WAN interface and other details from the ISP.

    Please try with the Fritzbox in bridge mode and DHCP enabled on the WAN interface on the XG.

    Ian
