Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 5 replies
  • Answers 1 answer
  • Subscribers 41 subscribers
  • Views 1798 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

DNS over TLS (DoT) causes "Invalid Traffic" but only on IPv6

w0rmh0le

Hi,

I want some local DNS servers to do DNS over TLS (DoT) and have configured them accordingly. 

I created a rule allowing TCP 853 for those hosts - both IPv4 and IPv6. Because of IPv6 is assigned via PD I used the client MAC address (on local LAN) as source classifier. I then allow the traffic go out of the GW interface (with MASQ) on TCP port 853.

For IPv4 things seem to be ok, but on IPv6 I get still lots of logs with "Invalid Traffic" but not on all of them. See screenshot below. Same SCR and DST IP, Port but still some are ok others not.

Doing some research it seems that it would have to do with connection tracking on the Sophos XG but I'm not understanding why IPv6 throws these errors, while IPv4 doesn't!

I can fall back to DNS over HTTPs (DoH) but I'd prefer DoT because that could be tracked as separate traffic type vs. DoH. 

Any clues how I can get rid of the blocking for IPv6?

thanks!



This thread was automatically locked due to age.
Parents
  • 0

    Hello  ,

    Thank you for reaching out to the community, what is the configuration settings configured under the CONFIGURE > Network > DNS > DNS query configurations:
    Additionally refer the Invalid traffic events, you can also turn off this events from the system services > Log settings > Log settings > Invalid traffic > for Local reporting you can untick the option.  


    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services 

    Log a Support Case | Sophos Service Guide
    Best Practices – Support Case


    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to Vivek Jagad

    CONFIGURE > Network > DNS > DNS query configurations is configured like shown. "choose server based on incoming requests record type". I've configure 2 local DNS servers

    Currently the .20 DNS is configured to do DoT while for failback (temporarily) .10 is doing "normal" DNS on port 53. I want to got full DoT for all servers. Those servers will provide all LAN clients with DNS services, so eventually I will redirect all DNS port 53 so that it is going to my internal servers. 

    In the menatime the problem however still exists:

    The problem is that DoT traffic on IPv4 with my ruleset works fine and does not throw any errors. But DoT IPv6 traffic does randomly generate errors like shown in the log screenshot above. DoT v6 seems to confuse the connection tracking while in IPv4 it works!

  • 0 in reply to w0rmh0le

    So, basically you are pointing your external XG DNS servers at your internal servers? The other question is how? You are using link local IPv6 addresses for your internal servers? While your 20 is configured to do DoT the XG will only do port 53 DNS calls.

    What are your firewall rules to allow DoT out? If you are using link local for your servers, you will need a NAT rule,

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 EAP

    If a post solves your question please use the 'Verify Answer' button.

Reply
  • 0 in reply to w0rmh0le

    So, basically you are pointing your external XG DNS servers at your internal servers? The other question is how? You are using link local IPv6 addresses for your internal servers? While your 20 is configured to do DoT the XG will only do port 53 DNS calls.

    What are your firewall rules to allow DoT out? If you are using link local for your servers, you will need a NAT rule,

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 EAP

    If a post solves your question please use the 'Verify Answer' button.

Children
No Data
Unfiltered HTML