Hi,
this issue is listed as resolved for 19.0.2
NC-111476 FQDN Subdomain learning isn't working in case of non-SFOS DNS server set for client.
We're on 19.5.2
We have a server that downloads files once per day from a FQDN like files.downloadserver.de
The server uses a Windows DNS server as resolver. The Windows DNS server uses only the XG as DNS forwarder.
We have a firewall rule allowing *.downloadserver.de
At the time the server wants to download the file, the FQDN resolve list on the firewall is empty because of the TTL of the DNS record.
The Windows DNS Server at this time may still have this host resolved in cache (confirmed it) and can send the IP to the requesting internal server without resolving the FQDN host again through the firewall.
The internal server access to the FQDN is then blocked.
The command on SFOS CLI shows the reason:
/sbin/ipset test hostset fqdn,586,0,123.234.123.234 (dummy ip)
HOSTID=586,TYPE=fqdn
123.234.123.234 is NOT in set hostset.
When the Windows DNS server cache is empty and the firewall FQDN resolver is empty, too, the next server access will work, because the Windows DNS server needs to resolve the FQDN through the firewall.
I understand that. What I don't understand is why the TTL of the DNS cached differs on firewall cache and the Windows DNS Server cache.
While watching it, I found the DNS cached resolved host had a TTL of 2 minutes. When it was timed out after waiting 2 minutes, it was still in the cache of the firewall. I don't understand why. Shouldn't they time out after the same time?
btw, what is the default value of IP eviction in 19.5.2 because we have set it to enabled in the past due to issues with Sophos Wildcard FQDN -> NC-106986
console> show fqdn-host
cache-ttl: dns-reply-ttl
idle-timeout: default
learn-subdomains: enable
IP eviction: enable
Wildcard and multiple IP address FQDN firewall rules failing sporadically
When using Wildcard or Multiple IP address FQDN hosts in firewall rules, it might occur that they are properly resolved to the corresponding IP addresses on the Sophos Firewall GUI, but the corresponding traffic is dropped. This behavior applies to Sophos Firewall 18.5.4 MR4, 19.0 GA and 19.0.1 MR1.
Enable IP eviction on SFOS. Once it is enabled, re-learning of the FQDN/wildcard FQDN will solve the problem.
btw. that KB is helpful support.sophos.com/.../KB-000041593
console> show fqdn-host
cache-ttl: dns-reply-ttl
idle-timeout: default
learn-subdomains: enable
IP eviction: disable
console>
What is the DNS-TTL value send from upstream DNS-Server for this host?
We ran into a similar problem last week with a host using XGS as DNS (theoretical). Seems the browser uses its own "secure DNS".
After blocking this, the FQDN connection matches again.
Would you send me FQDN host via PM?
Dirk
Systema Gesellschaft für angewandte Datentechnik mbH // Sophos Platinum Partner
Sophos Solution Partner since 2003
If a post solves your question, click the 'Verify Answer' link at this post.
sent it to you via PM.
thanks for the output of IP eviction: disable - I disabled it on our machine again.
does anyone know how to view the content of the DNS cache on XG firewall?
I want to extract the TTL of the learnt FQDN.
fqdnd log debug only shows me the TTL at the time when the host is resolved by someone.
DEBUG Jul 03 12:36:13Z [4155425280]: addOrUpdateFQDNCache:Cache updated for Domain= files.downloadserver.de, HostID=586, SubsystemID=5, Total IPs=1, Responce TTL=299, new TTL=301
I notice it is cached longer than the TTL is valid, which is not bad in general. Waiting for the logline: OPCODE: delete, IPs:123.234.123.234
The IP eviction is normally disabled, this means that the IPset will not be removed unless the TTL is expired or it's been replaced with a new set of IP addresses.
This seems not to work.
at DEBUG Jul 03 12:36:13Z the IP was learned last time: ... HostID=586, SubsystemID=5, Total IPs=1, Responce TTL=299, new TTL=301
TTL 301 - is still in ipset after 40 minutes:
XG430_WP02_SFOS 19.5.2 MR-2-Build624 HA-Primary# date
Mon Jul 3 15:16:35 CEST 2023 (is 13:16:35Z time)
XG430_WP02_SFOS 19.5.2 MR-2-Build624 HA-Primary# /sbin/ipset test hostset fqdn,586,0,xxx.xxx.xxx.xxx
HOSTID=586,TYPE=fqdn
xxx.xxx.xxx.xxx is in set hostset.
So it is essential to know how to view the TTL content of the DNS cache on XG firewall.
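One way to get at the TTL without a cache viewer is to parse the fqdnd debug lines quoted above and compute when each learnt entry should have expired, then compare that against what `ipset test` still reports. The script below is an added example, not part of this thread or of SFOS; the log lines are constructed in the format shown in the post, and the year is assumed from the `date` output above since fqdnd timestamps carry none.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the addOrUpdateFQDNCache format quoted in the thread
# (second domain, timestamps and HostIDs other than 586 are made up).
SAMPLE_LOG = """\
DEBUG Jul 03 12:36:13Z [4155425280]: addOrUpdateFQDNCache:Cache updated for Domain= files.downloadserver.de, HostID=586, SubsystemID=5, Total IPs=1, Responce TTL=299, new TTL=301
DEBUG Jul 03 12:40:02Z [4155425280]: addOrUpdateFQDNCache:Cache updated for Domain= www.example.invalid, HostID=601, SubsystemID=5, Total IPs=2, Responce TTL=120, new TTL=122
"""

LINE_RE = re.compile(
    r"^DEBUG (?P<mon>[A-Z][a-z]{2}) (?P<day>\d{2}) (?P<time>\d{2}:\d{2}:\d{2})Z "
    r"\[\d+\]: addOrUpdateFQDNCache:Cache updated for Domain= (?P<domain>\S+), "
    r"HostID=(?P<hostid>\d+), SubsystemID=\d+, Total IPs=(?P<ips>\d+), "
    r"Responce TTL=(?P<resp_ttl>\d+), new TTL=(?P<new_ttl>\d+)$"
)

def parse_cache_updates(log_text, year=2023):
    """One dict per cache-update line; expires_at is the log timestamp (UTC)
    plus the 'new TTL' fqdnd installed. year is assumed (not in the log)."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        learned = datetime.strptime(
            f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
        ).replace(tzinfo=timezone.utc)
        new_ttl = int(m["new_ttl"])
        entries.append({
            "domain": m["domain"],
            "hostid": int(m["hostid"]),
            "total_ips": int(m["ips"]),
            "response_ttl": int(m["resp_ttl"]),
            "new_ttl": new_ttl,
            "learned_at": learned,
            "expires_at": learned + timedelta(seconds=new_ttl),
        })
    return entries

def overdue_entries(entries, now_iso, still_in_set):
    """Entries whose HostID `ipset test` still reports as present (pass the
    IDs you checked in still_in_set) although their TTL elapsed before now."""
    now = datetime.fromisoformat(now_iso)
    return [e for e in entries
            if e["hostid"] in still_in_set and now > e["expires_at"]]
```

Feed it the real `fqdnd` debug output and the set of HostIDs that `/sbin/ipset test hostset fqdn,<HostID>,0,<ip>` reported as still in the set; any entry it returns is one that outlived its learnt TTL, like HostID 586 at 13:16Z above.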
What kind of DNS Entry are you currently looking at? Is it a CNAME or A, AAAA or what kind of DNS is this?