When my at-home DNS server, which is running Unbound with AdGuard Home DNS, contacts the root DNS servers, the root servers are detected as a Psiphon proxy by the firewall. I do not have any Psiphon proxy app on any of my devices. Is this a false detection?
I have followed some tutorials on how to block proxies and tunnels, QNAME multiple DNS, etc. I have Psiphon Proxy as a blocked app in my application filter.
I am not sure what is causing this... here is a screenshot showing Unbound contacting the root servers, and the root servers responding and being blocked. The source IP address is from Brunei.
Ok, that is bizarre. I investigated some more and it seems that 202.93.214.163 is actually *NOT* one of the 13 root name servers that can be found on the internet. I'll have to do some more digging around.
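One way to do that digging without trusting the firewall's label: compare the destinations in the log against the addresses actually listed in Unbound's root.hints. This is an added example, not part of the original thread; the hints excerpt is trimmed to three of the thirteen letters (addresses as in the public root hints file) and the observed-IP list is constructed from the thread.

```python
import ipaddress

# Constructed excerpt of an Unbound root.hints file (same zone format as the
# public file from InterNIC); only three of the thirteen letters are included.
ROOT_HINTS = """\
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:ba3e::2:30
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     199.9.14.201
.                        3600000      NS    M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
"""

def parse_root_hints(text):
    """Return {ip_address: hostname} for every A/AAAA record in a root.hints file."""
    hints = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) == 4 and fields[2] in ("A", "AAAA"):
            hints[ipaddress.ip_address(fields[3])] = fields[0].rstrip(".").lower()
    return hints

def classify_destinations(log_ips, hints):
    """Split observed outbound DNS destinations into root servers and unknown hosts."""
    root, unknown = {}, []
    for raw in log_ips:
        ip = ipaddress.ip_address(raw)
        if ip in hints:
            root[str(ip)] = hints[ip]
        else:
            unknown.append(str(ip))
    return root, unknown

# Constructed destination list, as a firewall log export might show it:
# 202.93.214.163 is the address from this thread, the others come from the hints above.
OBSERVED = ["198.41.0.4", "202.93.214.163", "199.9.14.201"]

if __name__ == "__main__":
    root, unknown = classify_destinations(OBSERVED, parse_root_hints(ROOT_HINTS))
    for ip, name in root.items():
        print(f"{ip:16} root server {name}")
    for ip in unknown:
        print(f"{ip:16} NOT in root.hints; check what Unbound is actually resolving")
```

Anything that lands in the second list is not a root server query, so the firewall verdict should be judged against whatever Unbound was really sending there (for example via `unbound-control dump_cache` or a packet capture on port 53).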
Even stranger, before I switched to using the XG firewall I was using the UTM with the same setup, and the root servers were being detected as C&C servers and blocked by the Advanced Threat Protection. I am using TLS decryption on my DNS server, which is running Ubuntu with Unbound configured, and it seems that TLS/SSL inspection is necessary to detect this Psiphon proxy/tunnel app.
I might do a reinstall soon and just use a different distro that has fewer call-home features in it, like CentOS or plain old Debian. I am also alarmed that these Linux distros use plain HTTP update mirrors instead of HTTPS, where a MITM could occur during an update.
I could go with Ubuntu server instead but I really want to avoid using SSH if I can....