
DNS request to DNS over Site2Site VPN

Hello!

We are using a hardware firewall XGS-2100 to connect to two datacenters, running our AD Controllers there. The AD is also our DNS server.

This worked fine for a long time. For some reason one of the VPNs stopped working and one of the AD Controllers was not reachable anymore.

Since the XGS-2100 is used to handle the DNS requests of the clients, it turned out that not every request was answered anymore.

So this led to the following questions:

Is the firewall not caching any DNS data for client requests? Is it only relaying the request to the DNS servers set in the configuration?

And since I still had a working AD Controller, why was the request not sent to the working one? Is it just randomly forwarding the request? So if one DNS server is down, will requests still be sent to it and fail?

Thanks! 

Christian



  • Hi Christian,

    Depending on the domain you're trying to resolve, the firewall can only cache the DNS entry based on the TTL. 

    For your working AD Controller, kindly add its IP address to the XG's DNS request route so the XG firewall can reroute the request to that server.

    If the issue persists, we need to check how the XG is handling the DNS request using packet capture (reference: Sophos Firewall: How to TCPdump - Recommended Reads - Sophos Firewall - Sophos Community)

    tcpdump -veni any '(host {client PC IP} or host {domain name}) and port 53'; this should show any activity with the client PC IP or the domain that needs to be resolved and the DNS port 53

    Let us know how this works on your end. Hope this helps.

  • Hello Christian,

    I had the observation in an older release of SFOS that the DNS request did always "stick" to the first DNS it had already reached. When this went offline, it didn't try to contact the other DNS servers. Talking about DNS request route entries here.

    Kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

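Both replies above come down to the same question: does the forwarder move on to the next DNS request route entry when the first server stops answering, or does it stick to it? The Python below is an added example, not Sophos code and not from either reply; it builds a raw DNS query, checks the reply header, and tries each configured server in turn, with a constructed offline sender standing in for the network (the two datacenter DNS addresses are assumed).

```python
import random
import socket
import struct

def build_query(name, qid):
    """Build a minimal RFC 1035 A/IN query with recursion desired."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def parse_header(response, expected_qid):
    """Return (id_matches, rcode, answer_count) from the 12-byte DNS header."""
    if len(response) < 12:
        raise ValueError("short DNS response")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    return qid == expected_qid, flags & 0x000F, an

def udp_send(server, payload, timeout):
    """Real sender: one UDP datagram to port 53, wait for one reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(payload, (server, 53))
        return sock.recv(512)

def resolve_with_failover(name, servers, send=udp_send, timeout=2.0):
    """Query each server in order and stop at the first usable reply.
    A 'sticky' forwarder that keeps retrying a dead first server never reaches
    the second entry; this loop records the dead ones and moves on."""
    unreachable = []
    for server in servers:
        qid = random.randrange(0, 0x10000)
        try:
            reply = send(server, build_query(name, qid), timeout)
        except OSError:          # socket.timeout is an OSError subclass
            unreachable.append(server)
            continue
        id_ok, rcode, answers = parse_header(reply, qid)
        if not id_ok:            # stray or mismatched reply, treat as no answer
            unreachable.append(server)
            continue
        return {"server": server, "rcode": rcode, "answers": answers, "unreachable": unreachable}
    return {"server": None, "rcode": None, "answers": 0, "unreachable": unreachable}

# Constructed offline stand-in for udp_send (assumed addresses): the DC behind the
# broken VPN never answers; the other returns a NOERROR header claiming one answer.
DEAD_DC_DNS, LIVE_DC_DNS = "10.1.0.10", "10.2.0.10"

def simulated_send(server, payload, timeout):
    if server == DEAD_DC_DNS:
        raise OSError("simulated timeout across the down site-to-site VPN")
    return payload[:2] + b"\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00" + payload[12:]
```

Swap `simulated_send` for the default `udp_send` to run the same check against real DNS request route targets; a server that only ever shows up in `unreachable` is the one to look at in the tcpdump capture.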