Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Sophos XG resolves external Domains even no external DNS server is configured

Hey Guys,

I am using the Sophos XG as DHCP server which provides two DNS servers. One is a Pihole and the other one is the SophosXG itself. So normally the devices should resolve internal and external domains via Pihole, but when it is not available, the device should use the XG.

On the XG firewall, I have set the DNS settings to "Static DNS", where I provide a single IP address, which is the Pihole. I did that this way, because I want to resolve internal/external domains via Pihole, but when it is not available, I want to resolve internal entries via XG, but it should not resolve external ones.

This doesn't work, when I shutdown the Pihole. The XG still resolves external domains, so there must be any hard-coded external resolvers. How can I disable that, so the XG only resolves the local configured entries or use the Pihole as a forwarder and no external forwarder?

I read something about disabling pahrming protection, but the behaviour hasn't changed.

Thank you in advance. Hopfully anybody knows how to do that.



Added TAGs
[edited by: Erick Jan at 12:18 AM (GMT -7) on 7 Oct 2024]
Parents Reply Children
  • Hi ,

    The last months I only used the pihole for my client-vlan and only the server-vlan used the XG. Both vlans have only one DNS server configured, so there should be no cached entries of sites I opened from client-vlan. Now I added the XG as second DNS server for the client vlan and the XG'S first DNS forwarder is the pihole, no others are configured. Today I retried it with the following steps:

    1. Shutdown pihole
    2. Stopped XG DNS server service
    3. Started XG DNS server service
    4. Re-apply DNS settings on XG
    5. Restart my notebook (linux)
    6. Open a website I haven't used for couple of weeks

    It needed like 10 seconds until the site started to load, so it still works. The delay is due to timeouts waiting for the shutdown pihole. I started a tcpdump on the sophos to check, if I can find out, what the external resolver is and opend another site I haven't used for months. I used the following command on the advanced XG console.

    • tcpdump -ni any port 53

    I could only find a few information, what the external forwarder is. Here is a snippet of the result.

    53: 24019+ Type65? www.manuXXXXX.tld. (35)                                      
    09:48:02.500117 Port1.20, IN: IP 10.10.20.152.58232 > 10.10.20.254.53: 24019+ Ty
    pe65? www.manuXXXXX.tld. (35)                                                   
    09:48:02.502111 Port1, IN: ethertype IPv4, IP 10.10.20.153.50135 > 10.10.20.254.
    53: 58973+ Type65? www.manuXXXXX.tld. (35)                                      
    09:48:02.502111 Port1.20, IN: IP 10.10.20.153.50135 > 10.10.20.254.53: 58973+ Ty
    pe65? www.manuXXXXX.tld. (35)                                                   
    09:48:02.524522 lo, IN: IP 127.0.0.1.4801 > 127.0.0.1.53: 42148+ A? www.bing.com
    . (30)                                                                          
    09:48:02.524576 lo, IN: IP 127.0.0.1.38677 > 127.0.0.1.53: 42148+ A? www4.bing.c
    om. (31)                                                                        
    09:48:02.587317 Port1, IN: ethertype IPv4, IP 10.10.20.152.45826 > 10.10.20.254.
    53: 29174+ A? www.manuXXXXX.tld. (35)                                           
    09:48:02.587317 Port1.20, IN: IP 10.10.20.152.45826 > 10.10.20.254.53: 29174+ A?
     www.manuXXXXX.tld. (35)                                                        
    09:48:02.587451 Port1, IN: ethertype IPv4, IP 10.10.20.152.43817 > 10.10.20.254.
    53: 16501+ AAAA? www.manuXXXXX.tld. (35)                                        
    09:48:02.587451 Port1.20, IN: IP 10.10.20.152.43817 > 10.10.20.254.53: 16501+ AA
    AA? www.manuXXXXX.tld. (35)                                                     
    09:48:02.587651 Port1, IN: ethertype IPv4, IP 10.10.20.153.37891 > 10.10.20.254.
    53: 20193+ A? www.manuXXXXX.tld. (35)                                           
    09:48:02.587651 Port1.20, IN: IP 10.10.20.153.37891 > 10.10.20.254.53: 20193+ A?
     www.manuXXXXX.tld. (35)                                                        
    09:48:02.587957 Port1, IN: ethertype IPv4, IP 10.10.20.153.56099 > 10.10.20.254.
    53: 63282+ AAAA? www.manuXXXXX.tld. (35)                                        
    09:48:02.587957 Port1.20, IN: IP 10.10.20.153.56099 > 10.10.20.254.53: 63282+ AA
    AA? www.manuXXXXX.tld. (35)
    09:48:05.519934 Port2, OUT: IP WW.XX.YY.ZZ.11068 > 81.91.161.98.53: 56828 Type6
    5? www.manuXXXXX.tld. (35) 
    09:48:05.843357 Port2, OUT: IP WW.XX.YY.ZZ.25422 > 159.69.244.204.53: 23117 Typ
    e65? www.manuXXXXX.tld. (35)                                                    
    09:48:05.843439 Port2, OUT: IP WW.XX.YY.ZZ.44054 > 159.69.115.138.53: 34698 A? 
    www.manuXXXXX.tld. (35)                                                         
    09:48:05.843487 Port2, OUT: IP WW.XX.YY.ZZ.55708 > 159.69.115.138.53: 59467 AAA
    A? www.manuXXXXX.tld. (35) 

    The only external IP addresses are from DENIC and Hetzner, which for me seems to be services where the domain is registred and the site is hosted. So I hope I can let them un-obfuscated. The WW.XX.YY.ZZ is my public sophos XG IP. But I am wondering, why the public interface of my XG makes DNS request to them. Maybe this are hard-coded DNS servers in the XG?

    It is also interessting, why the XG seems to make a DNS request to itself (127.0.0.1) trying to resolve www.bing.com. I am not using bing and I also not visited during the test. Also something that is used on the XG itself?

    PS: The mentioned pharming protection is currently enabled. Let me know if I should try the same test with it disabled, if it could make any difference.

    Thanks and best regards

  • Hi  

    The last months I only used the pihole for my client-vlan and only the server-vlan used the XG. Both vlans have only one DNS server configured, so there should be no cached entries of sites I opened from client-vlan. Now I added the XG as second DNS server for the client vlan and the XG'S first DNS forwarder is the pihole, no others are configured. Today I retried it with the following steps:

    1. Shutdown pihole
    2. Stopped XG DNS server service
    3. Started XG DNS server service
    4. Re-apply DNS settings on XG
    5. Restart my notebook (linux)
    6. Open a website I haven't used for couple of weeks

    It needed like 10 seconds until the site started to load, so it still works. The delay is due to timeouts waiting for the shutdown pihole. I started a tcpdump on the sophos to check, if I can find out, what the external resolver is and opend another site I haven't used for months. I used the following command on the advanced XG console.

    • tcpdump -ni any port 53

    I could only find a few information, what the external forwarder is. Here is a snippet of the result.

    53: 24019+ Type65? www.manuXXXXX.tld. (35)                                      
    09:48:02.500117 Port1.20, IN: IP 10.10.20.152.58232 > 10.10.20.254.53: 24019+ Ty
    pe65? www.manuXXXXX.tld. (35)                                                   
    09:48:02.502111 Port1, IN: ethertype IPv4, IP 10.10.20.153.50135 > 10.10.20.254.
    53: 58973+ Type65? www.manuXXXXX.tld. (35)                                      
    09:48:02.502111 Port1.20, IN: IP 10.10.20.153.50135 > 10.10.20.254.53: 58973+ Ty
    pe65? www.manuXXXXX.tld. (35)                                                   
    09:48:02.524522 lo, IN: IP 127.0.0.1.4801 > 127.0.0.1.53: 42148+ A? www.bing.com
    . (30)                                                                          
    09:48:02.524576 lo, IN: IP 127.0.0.1.38677 > 127.0.0.1.53: 42148+ A? www4.bing.c
    om. (31)                                                                        
    09:48:02.587317 Port1, IN: ethertype IPv4, IP 10.10.20.152.45826 > 10.10.20.254.
    53: 29174+ A? www.manuXXXXX.tld. (35)                                           
    09:48:02.587317 Port1.20, IN: IP 10.10.20.152.45826 > 10.10.20.254.53: 29174+ A?
     www.manuXXXXX.tld. (35)                                                        
    09:48:02.587451 Port1, IN: ethertype IPv4, IP 10.10.20.152.43817 > 10.10.20.254.
    53: 16501+ AAAA? www.manuXXXXX.tld. (35)                                        
    09:48:02.587451 Port1.20, IN: IP 10.10.20.152.43817 > 10.10.20.254.53: 16501+ AA
    AA? www.manuXXXXX.tld. (35)                                                     
    09:48:02.587651 Port1, IN: ethertype IPv4, IP 10.10.20.153.37891 > 10.10.20.254.
    53: 20193+ A? www.manuXXXXX.tld. (35)                                           
    09:48:02.587651 Port1.20, IN: IP 10.10.20.153.37891 > 10.10.20.254.53: 20193+ A?
     www.manuXXXXX.tld. (35)                                                        
    09:48:02.587957 Port1, IN: ethertype IPv4, IP 10.10.20.153.56099 > 10.10.20.254.
    53: 63282+ AAAA? www.manuXXXXX.tld. (35)                                        
    09:48:02.587957 Port1.20, IN: IP 10.10.20.153.56099 > 10.10.20.254.53: 63282+ AA
    AA? www.manuXXXXX.tld. (35)
    09:48:05.519934 Port2, OUT: IP WW.XX.YY.ZZ.11068 > 81.91.161.98.53: 56828 Type6
    5? www.manuXXXXX.tld. (35) 
    09:48:05.843357 Port2, OUT: IP WW.XX.YY.ZZ.25422 > 159.69.244.204.53: 23117 Typ
    e65? www.manuXXXXX.tld. (35)                                                    
    09:48:05.843439 Port2, OUT: IP WW.XX.YY.ZZ.44054 > 159.69.115.138.53: 34698 A? 
    www.manuXXXXX.tld. (35)                                                         
    09:48:05.843487 Port2, OUT: IP WW.XX.YY.ZZ.55708 > 159.69.115.138.53: 59467 AAA
    A? www.manuXXXXX.tld. (35) 

    The only external IP addresses are from DENIC and Hetzner, which for me seems to be services where the domain is registred and the site is hosted. So I hope I can let them un-obfuscated. The WW.XX.YY.ZZ is my public sophos XG IP. But I am wondering, why the public interface of my XG makes DNS request to them. Maybe this are hard-coded DNS servers in the XG?

    It is also interessting, why the XG seems to make a DNS request to itself (127.0.0.1) trying to resolve www.bing.com. I am not using bing and I also not visited during the test. Also something that is used on the XG itself?

    PS: The mentioned pharming protection is currently enabled. Let me know if I should try the same test with it disabled, if it could make any difference.

    Thanks and best regards

  • Hi  DNS request to itself (127.0.0.1) may be due to the FQDN host present for www.bing.com and due to that XG will do a look-up to resolve an IP for that host. Regarding the public interface of XG with DNS query, it could be related to DNS traffic coming from the end DNS server towards their forwarder IP which is becoming normal Internet traffic for the Firewall to forward those queries via its available WAN Interface.  Last part of a query, As it is appliance generated DNS query, pharming protection does not play any role here so it will not make any difference. 

    If still this does not give any lead then I would suggest opening a support case to work on this and to conclude it further. 

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support

    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'Verify Answer' link.

  • Hi ,

    to be honest I don't get the point of your reply. Do you mean that can happen when Bing is added to the local DNS entries of the XG? If you mean that, it is definitly not the case.  There are only names added of VMs I am running on a hypervisor.

    The second part, I also don't really understand. My notebook has 2 DNS servers configured. The first is the pihole and the second is the XG. So when I try to open a website, it trys to get the IP to the FQDN from pihole, which is not possible, as it is shutdown. So it tries to get the same information from the second/fallback DNS server, which is the XG. The XG is reachable, but the XG cannot find the DNS entry in the local entries list, so it forwards it to its forwarders, which only is the pihole. As the pihole is not reachable, the query should timeout, as there is no second forwarder in the XGs forwarder list. In this case the browser should fail to load the site. But in this configuration, it works, that the XG resolves the FQDN to IP and so the browser loads the side.

    So my question is, what happens after the last step, when XG forwards the query to the pihole and timeout? Also what can I do to prevent this?

    Hopefully you can answer this in more detail. I am a home-user only, so I cannot create a support ticket.

    Thanks a lot in advance and best regards

  • Hi   Please find below more details or explanations on how Sophos [SFOS] DNS service behaves as of today:

    In general, the DNS server first tries to resolve queries from its cache. If the entry is not there in the cache, it tries to forward the query to configured DNS forwarders (in this case pi-hole DNS Server IP). If it doesn't resolve within a given period, the Firewall DNS service tries to check the next configured DNS forwarder (In your setup/use-case scenario, there is no other forwarder entry defined in GUI under DNS settings - one can configure up to 3 such forwarders). If none of this resolves the query, the DNS server forwards the request to the "Default root server".

    So the entries that are seen in tcpdump (81.91.161.98, 159.69.244.204, 159.69.115.138) should be the default root service that is available in your region. [Default DNS server list is unique and global (https://www.iana.org/domains/root/servers) however it seems it is distributed region-wise to load balance DNS traffic and hence we are seeing these IPs for those DNS requests]

    Unfortunately, there is no way to disable this functionality/capability in the SFOS DNS service working. I hope this information addresses your last comment question.

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support

    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'Verify Answer' link.

  • Hi ,

    thanks for you answer. Sadly that this cannot be disabled. Maybe I have to look for another DNS server or just accept it,

    Thanks and best regards

  • Hi  Yes the way forward in your scenario and circumstances to avoid the issue you are observing is not to use SFOS as a DNS service and use another DNS server. 

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support

    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'Verify Answer' link.