Sophos XG resolves external domains even though no external DNS server is configured

Hey Guys,

I am using the Sophos XG as a DHCP server which provides two DNS servers. One is a Pihole and the other one is the Sophos XG itself. So normally the devices should resolve internal and external domains via Pihole, but when it is not available, the device should use the XG.

On the XG firewall, I have set the DNS settings to "Static DNS", where I provide a single IP address, which is the Pihole. I did it this way because I want to resolve internal/external domains via Pihole, but when it is not available, I want to resolve internal entries via XG, but it should not resolve external ones.

This doesn't work when I shut down the Pihole. The XG still resolves external domains, so there must be some hard-coded external resolvers. How can I disable that, so the XG only resolves the locally configured entries or uses the Pihole as a forwarder and no external forwarder?

I read something about disabling pharming protection, but the behaviour hasn't changed.

Thank you in advance. Hopefully somebody knows how to do that.



Added TAGs
[edited by: Erick Jan at 12:18 AM (GMT -7) on 7 Oct 2024]
  • Hi, thank you for reaching out to the Sophos community team. When you shut down the Pihole, have you cleared the DNS caches just by re-applying the DNS settings on XG? Go to Configure -> Network -> DNS and apply the same settings to validate whether the external domain response is from the DNS cache or not, or flush the DNS cache by stopping and starting the DNS service on the GUI and see how it goes again when you shut down the Pihole.

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support

    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'Verify Answer' link.

  • Hi,

    In the last months I only used the pihole for my client-vlan, and only the server-vlan used the XG. Both vlans have only one DNS server configured, so there should be no cached entries of sites I opened from the client-vlan. Now I added the XG as second DNS server for the client-vlan, and the XG's first DNS forwarder is the pihole; no others are configured. Today I retried it with the following steps:

    1. Shut down pihole
    2. Stopped XG DNS server service
    3. Started XG DNS server service
    4. Re-applied DNS settings on XG
    5. Restarted my notebook (Linux)
    6. Opened a website I haven't used for a couple of weeks

    It took about 10 seconds until the site started to load, so it still works. The delay is due to timeouts waiting for the shut-down pihole. I started a tcpdump on the Sophos to check if I can find out what the external resolver is and opened another site I haven't used for months. I used the following command on the advanced XG console.

    tcpdump -ni any port 53

    I could only find a little information about what the external forwarder is. Here is a snippet of the result.

    53: 24019+ Type65? www.manuXXXXX.tld. (35)
    09:48:02.500117 Port1.20, IN: IP 10.10.20.152.58232 > 10.10.20.254.53: 24019+ Type65? www.manuXXXXX.tld. (35)
    09:48:02.502111 Port1, IN: ethertype IPv4, IP 10.10.20.153.50135 > 10.10.20.254.53: 58973+ Type65? www.manuXXXXX.tld. (35)
    09:48:02.502111 Port1.20, IN: IP 10.10.20.153.50135 > 10.10.20.254.53: 58973+ Type65? www.manuXXXXX.tld. (35)
    09:48:02.524522 lo, IN: IP 127.0.0.1.4801 > 127.0.0.1.53: 42148+ A? www.bing.com. (30)
    09:48:02.524576 lo, IN: IP 127.0.0.1.38677 > 127.0.0.1.53: 42148+ A? www4.bing.com. (31)
    09:48:02.587317 Port1, IN: ethertype IPv4, IP 10.10.20.152.45826 > 10.10.20.254.53: 29174+ A? www.manuXXXXX.tld. (35)
    09:48:02.587317 Port1.20, IN: IP 10.10.20.152.45826 > 10.10.20.254.53: 29174+ A? www.manuXXXXX.tld. (35)
    09:48:02.587451 Port1, IN: ethertype IPv4, IP 10.10.20.152.43817 > 10.10.20.254.53: 16501+ AAAA? www.manuXXXXX.tld. (35)
    09:48:02.587451 Port1.20, IN: IP 10.10.20.152.43817 > 10.10.20.254.53: 16501+ AAAA? www.manuXXXXX.tld. (35)
    09:48:02.587651 Port1, IN: ethertype IPv4, IP 10.10.20.153.37891 > 10.10.20.254.53: 20193+ A? www.manuXXXXX.tld. (35)
    09:48:02.587651 Port1.20, IN: IP 10.10.20.153.37891 > 10.10.20.254.53: 20193+ A? www.manuXXXXX.tld. (35)
    09:48:02.587957 Port1, IN: ethertype IPv4, IP 10.10.20.153.56099 > 10.10.20.254.53: 63282+ AAAA? www.manuXXXXX.tld. (35)
    09:48:02.587957 Port1.20, IN: IP 10.10.20.153.56099 > 10.10.20.254.53: 63282+ AAAA? www.manuXXXXX.tld. (35)
    09:48:05.519934 Port2, OUT: IP WW.XX.YY.ZZ.11068 > 81.91.161.98.53: 56828 Type65? www.manuXXXXX.tld. (35)
    09:48:05.843357 Port2, OUT: IP WW.XX.YY.ZZ.25422 > 159.69.244.204.53: 23117 Type65? www.manuXXXXX.tld. (35)
    09:48:05.843439 Port2, OUT: IP WW.XX.YY.ZZ.44054 > 159.69.115.138.53: 34698 A? www.manuXXXXX.tld. (35)
    09:48:05.843487 Port2, OUT: IP WW.XX.YY.ZZ.55708 > 159.69.115.138.53: 59467 AAAA? www.manuXXXXX.tld. (35)

    The only external IP addresses are from DENIC and Hetzner, which to me seem to be the services where the domain is registered and the site is hosted. So I hope I can leave them un-obfuscated. The WW.XX.YY.ZZ is my public Sophos XG IP. But I am wondering why the public interface of my XG makes DNS requests to them. Maybe these are hard-coded DNS servers in the XG?

    It is also interesting why the XG seems to make a DNS request to itself (127.0.0.1) trying to resolve www.bing.com. I am not using Bing and I also did not visit it during the test. Is that also something that is used on the XG itself?

    PS: The mentioned pharming protection is currently enabled. Let me know if I should try the same test with it disabled, if it could make any difference.

    Thanks and best regards
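
The capture above can be triaged mechanically. The following helper is an added example written for this thread; it is not code from the original post and not a Sophos tool. It parses the query lines that `tcpdump -ni any port 53` prints, deduplicates the frames that `any` shows twice (once on the parent interface, once on the VLAN sub-interface), separates client queries arriving on the LAN from queries the firewall sends out of its WAN interface, and looks at the recursion-desired flag, which tcpdump prints as a `+` after the query id. A box that forwards to one upstream resolver sends RD=1 queries to that single address; a box that resolves on its own sends RD=0 queries to whichever authoritative servers the delegation chain leads to (here the registry's and the hoster's name servers). Read that way, the outbound lines in the capture, which carry no `+` and go to several different servers, look like the firewall's own iterative resolution rather than a hidden forwarder. The example assumes the WAN interface is named `Port2`, as in the capture; the sample lines are constructed for the example and modelled on the capture, and the interpretation is the example author's reading, not something the thread confirms.

```python
"""Triage helper for `tcpdump -ni any port 53` output from a firewall.

Added example for the Sophos community thread, not project code. It
classifies DNS query lines and reports whether outbound queries carry the
recursion-desired flag (forwarding to a resolver) or not (iterative
resolution by the firewall itself).
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Query lines as tcpdump prints them with `-ni any`:
# "<ts> <iface>, <IN|OUT>: [ethertype IPv4, ]IP <src.port> > <dst.port>: <id><flags> <qtype>? <name> (<len>)"
QUERY_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<iface>[\w.]+), (?P<dir>IN|OUT): "
    r"(?:ethertype IPv4, )?IP (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<qid>\d+)(?P<flags>[+*$|-]*) (?P<qtype>\w+)\? (?P<name>\S+) \((?P<size>\d+)\)$"
)

# Constructed sample, modelled on the capture in the thread (WAN is Port2,
# the firewall's LAN address is 10.10.20.254, WW.XX.YY.ZZ is the public IP).
SAMPLE_CAPTURE = [
    "09:48:02.500117 Port1.20, IN: IP 10.10.20.152.58232 > 10.10.20.254.53: 24019+ Type65? www.manuXXXXX.tld. (35)",
    "09:48:02.502111 Port1, IN: ethertype IPv4, IP 10.10.20.153.50135 > 10.10.20.254.53: 58973+ Type65? www.manuXXXXX.tld. (35)",
    "09:48:02.502111 Port1.20, IN: IP 10.10.20.153.50135 > 10.10.20.254.53: 58973+ Type65? www.manuXXXXX.tld. (35)",
    "09:48:02.524522 lo, IN: IP 127.0.0.1.4801 > 127.0.0.1.53: 42148+ A? www.bing.com. (30)",
    "09:48:02.524576 lo, IN: IP 127.0.0.1.38677 > 127.0.0.1.53: 42148+ A? www4.bing.com. (31)",
    "09:48:02.587317 Port1, IN: ethertype IPv4, IP 10.10.20.152.45826 > 10.10.20.254.53: 29174+ A? www.manuXXXXX.tld. (35)",
    "09:48:02.587317 Port1.20, IN: IP 10.10.20.152.45826 > 10.10.20.254.53: 29174+ A? www.manuXXXXX.tld. (35)",
    "09:48:05.519934 Port2, OUT: IP WW.XX.YY.ZZ.11068 > 81.91.161.98.53: 56828 Type65? www.manuXXXXX.tld. (35)",
    "09:48:05.843357 Port2, OUT: IP WW.XX.YY.ZZ.25422 > 159.69.244.204.53: 23117 Type65? www.manuXXXXX.tld. (35)",
    "09:48:05.843439 Port2, OUT: IP WW.XX.YY.ZZ.44054 > 159.69.115.138.53: 34698 A? www.manuXXXXX.tld. (35)",
    "09:48:05.843487 Port2, OUT: IP WW.XX.YY.ZZ.55708 > 159.69.115.138.53: 59467 AAAA? www.manuXXXXX.tld. (35)",
]


@dataclass
class DnsQuery:
    ts: str
    iface: str
    direction: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    qid: int
    recursion_desired: bool  # tcpdump prints "+" after the id when RD is set
    qtype: str
    name: str


def _split_addr(addr: str) -> Tuple[str, int]:
    # tcpdump writes "host.port"; the last dotted field is the port.
    host, port = addr.rsplit(".", 1)
    return host, int(port)


def parse_line(line: str) -> Optional[DnsQuery]:
    """Return a DnsQuery for a tcpdump query line, or None for anything else."""
    m = QUERY_RE.match(line.strip())
    if not m:
        return None
    src_ip, src_port = _split_addr(m["src"])
    dst_ip, dst_port = _split_addr(m["dst"])
    return DnsQuery(m["ts"], m["iface"], m["dir"], src_ip, src_port, dst_ip, dst_port,
                    int(m["qid"]), "+" in m["flags"], m["qtype"], m["name"])


def triage(lines: Iterable[str], wan_iface: str = "Port2") -> Dict:
    """Count query classes, collect upstream servers and judge the resolution mode.

    verdict: "forwarding" if any WAN-side query has RD set, "iterative" if
    WAN-side queries exist but none has RD set, "none" if nothing left the WAN.
    """
    counts: Counter = Counter()
    upstream: Dict[str, bool] = {}  # upstream server -> RD flag seen
    seen = set()
    for q in filter(None, (parse_line(l) for l in lines)):
        key = (q.qid, q.src_ip, q.src_port, q.dst_ip, q.qtype, q.name)
        if key in seen:  # same frame shown on Port1 and Port1.20
            counts["duplicate_frame"] += 1
            continue
        seen.add(key)
        if q.direction == "OUT" and q.iface == wan_iface:
            counts["firewall_to_upstream"] += 1
            upstream[q.dst_ip] = upstream.get(q.dst_ip, False) or q.recursion_desired
        elif q.iface == "lo":
            counts["firewall_internal"] += 1
        elif q.direction == "IN":
            counts["client_to_firewall"] += 1
        else:
            counts["other"] += 1
    verdict = "none" if not upstream else ("forwarding" if any(upstream.values()) else "iterative")
    return {"counts": dict(counts), "upstream": upstream, "verdict": verdict}


if __name__ == "__main__":
    report = triage(SAMPLE_CAPTURE)
    print(report["counts"])
    for server, rd in report["upstream"].items():
        print(f"upstream {server}: RD={'1' if rd else '0'}")
    print("verdict:", report["verdict"])
```

Feed it the real capture with `triage(open("capture.txt"))`. If the verdict is "forwarding", the upstream map names the resolver to look for in the configuration; if it is "iterative", the many RD=0 destinations are authoritative servers and no forwarder entry will explain them, which is the case to raise with support.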
