Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 5 replies
  • Answers 1 answer
  • Subscribers 41 subscribers
  • Views 1891 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

DNS over TLS (DoT) causes "Invalid Traffic" but only on IPv6

w0rmh0le

Hi,

I want some local DNS servers to do DNS over TLS (DoT) and have configured them accordingly. 

I created a rule allowing TCP 853 for those hosts - both IPv4 and IPv6. Because of IPv6 is assigned via PD I used the client MAC address (on local LAN) as source classifier. I then allow the traffic go out of the GW interface (with MASQ) on TCP port 853.

For IPv4 things seem to be ok, but on IPv6 I get still lots of logs with "Invalid Traffic" but not on all of them. See screenshot below. Same SCR and DST IP, Port but still some are ok others not.

Doing some research it seems that it would have to do with connection tracking on the Sophos XG but I'm not understanding why IPv6 throws these errors, while IPv4 doesn't!

I can fall back to DNS over HTTPs (DoH) but I'd prefer DoT because that could be tracked as separate traffic type vs. DoH. 

Any clues how I can get rid of the blocking for IPv6?

thanks!



This thread was automatically locked due to age.
  • 0

    Hello  ,

    Thank you for reaching out to the community, what is the configuration settings configured under the CONFIGURE > Network > DNS > DNS query configurations:
    Additionally refer the Invalid traffic events, you can also turn off this events from the system services > Log settings > Log settings > Invalid traffic > for Local reporting you can untick the option.  


    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Technical Support, Global Customer Experience

    Log a Support Case | Sophos Service Guide
    Best Practices – Support Case  | Security Advisories 
    Compare Sophos next-gen Firewall | Fortune Favors the prepared
    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to Vivek Jagad

    Hi,

    i don’t think that will have any affect on the issue because the process does not use the XG dns settings.  XG currently does not support dot or doh.
    Do you have decrypt and scan enabled on your IPv6 rule and not on your ip4 rule?

    ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to Vivek Jagad

    CONFIGURE > Network > DNS > DNS query configurations is configured like shown. "choose server based on incoming requests record type". I've configure 2 local DNS servers

    Currently the .20 DNS is configured to do DoT while for failback (temporarily) .10 is doing "normal" DNS on port 53. I want to got full DoT for all servers. Those servers will provide all LAN clients with DNS services, so eventually I will redirect all DNS port 53 so that it is going to my internal servers. 

    In the menatime the problem however still exists:

    The problem is that DoT traffic on IPv4 with my ruleset works fine and does not throw any errors. But DoT IPv6 traffic does randomly generate errors like shown in the log screenshot above. DoT v6 seems to confuse the connection tracking while in IPv4 it works!

  • 0 in reply to rfcat_vk

    yes, I agree with you. I'm not trying to have the firewall itself do DoT but rather my local DNS servers.

    I don't have decrypt enabled neither for IPv6 nor IPv4 and would also not like to do it. I'm not a fan of this "privacy intrusion". 

    What did cross my mind though is that IPv4 of course uses masquerading while IPv6 would not and would be native traffic flowing without translation between the LAN DNS and the upstream DNS. So maybe connection tracking is ok, as long as it passes through MASQ but causes issues with native IPv6 ? Just a thought.

  • 0 in reply to w0rmh0le

    So, basically you are pointing your external XG DNS servers at your internal servers? The other question is how? You are using link local IPv6 addresses for your internal servers? While your 20 is configured to do DoT the XG will only do port 53 DNS calls.

    What are your firewall rules to allow DoT out? If you are using link local for your servers, you will need a NAT rule,

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

Unfiltered HTML