
Sophos XG DNS issue with Docker Containers

Hi, I have a bizarre issue with Docker containers and Sophos XG's DNS resolver.

Let me lay out my setup first. I am running Sophos XG Home 20.0.2MR2 on a Dell R210 II. There is no IPv6 enabled anywhere.

My docker host is Ubuntu 24.04 LTS and docker version 27.3.1. It's on DHCP with DNS pointing to my Sophos XG interface.

Here is my issue. In any of the containers:

ping "my.internal.FQDN" results in Bad Address.

ping "my.TLD" results in a successful ping.

ping "an external FQDN like google.com" results in a successful ping.

ping -4 "my.internal.FQDN" results in success.

ping -6 "my.internal.fqdn" results in Bad Address.

nslookup "my.internal.fqdn" resolves the IPv4 address and returns NXDOMAIN for IPv6.

On the host, both ping and nslookup are fine and only return IPv4.

On the Sophos XG, I have tried all 4 DNS query configurations. No difference.

But if I change the DNS server on the Docker host to my domain controller, the container can ping internal FQDNs without any issues.

I am totally lost here. Did I configure something wrong on the Sophos XG or Docker?

Please help. I haven't been able to sleep for a week now.

  • Hello,

    The firewall works as a DNS forwarder. What IP addresses are added in Sophos for DNS? Does it have your internal domain controller added?

    You may try adding the DNS host entry for your internal server.

    docs.sophos.com/.../index.html

    Mayur Makvana
    Technical Account Manager | Global Customer Experience


    • Those are internal IPs in the 10.0.0.0/8 range. The host entry has already been added, and all hosts have been working fine for years. The DNS IP on Sophos is pointing to Google DNS, as I don't need them to check with my DC, which is a separate investment with limited records compared to the firewall DNS. The only issue is in the Docker container; it is not resolved correctly in the ping.

      Let me summarize the behavior. DNS works fine on any other system besides the container in docker.

      In the container, nslookup resolves the FQDN, but ping requires -4 to force IPv4 retrieval, or else it fails to resolve the FQDN. And only the internal domain behaves this way. Also, the TLD can be resolved with ping without -4. Choosing another internal DNS server other than Sophos does not have this issue.

      • IPv4 DNS answers may contain IPv4 and/or IPv6 addresses.
        Possibly the XG generates an IPv6 answer (NX-Host) with "higher priority" ... whyever.
        How about disabling IPv6 within the container OS?
        PS: before I activated IPv6 within my LAN, I had a similar problem with Debian updates ... it tried loading updates over IPv6 ... while IPv6 was not available.


        Dirk

        Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
        Sophos Solution Partner since 2003

        • I tried. I disabled IPv6 on all network interfaces on the Docker host and set IPv6 as disabled on the Docker daemon, but I had no luck. In the docker-compose file, I also set the default network with `enable_ipv6: false`. I don't know what else to try at this point. I am surprised this is not a common issue with Sophos users.
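The symptom reported above (the A query answers, the AAAA query for the same name returns NXDOMAIN) is the resolver misbehaviour described in RFC 4074 section 4.2: NXDOMAIN asserts that the name has no records of any type, so a stub resolver that sends A and AAAA together may treat the whole name as nonexistent even though an A record exists; the correct negative answer for a missing AAAA is NOERROR with zero answers (NODATA). The checker below is an added example, not code from the thread or from Sophos; it parses the rcode and answer count of the two responses and flags the inconsistent case. The packets are constructed inline with a placeholder name so it runs offline.

```python
import socket
import struct

A, AAAA = 1, 28
NOERROR, NXDOMAIN = 0, 3

def encode_name(name):
    """Encode a dotted name as DNS wire-format labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_response(qname, qtype, rcode, addrs=()):
    """Construct a minimal DNS response (sample data, not a real capture)."""
    flags = 0x8180 | rcode  # QR=1, RD=1, RA=1; rcode in the low 4 bits
    header = struct.pack("!6H", 0x1234, flags, 1, len(addrs), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    family = socket.AF_INET if qtype == A else socket.AF_INET6
    answers = b""
    for addr in addrs:
        rdata = socket.inet_pton(family, addr)
        # 0xC00C is a compression pointer to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, 300, len(rdata)) + rdata
    return header + question + answers

def parse_header(packet):
    """Return (rcode, answer count) from the 12-byte DNS header."""
    _, flags, _, ancount, _, _ = struct.unpack("!6H", packet[:12])
    return flags & 0xF, ancount

def classify(a_packet, aaaa_packet):
    """Compare the A and AAAA responses for one name and flag inconsistency."""
    a_rcode, a_count = parse_header(a_packet)
    aaaa_rcode, aaaa_count = parse_header(aaaa_packet)
    a_ok = a_rcode == NOERROR and a_count > 0
    if a_ok and aaaa_rcode == NXDOMAIN:
        return "inconsistent: A answered but AAAA is NXDOMAIN (RFC 4074 4.2)"
    if a_ok and aaaa_rcode == NOERROR and aaaa_count == 0:
        return "ok: A answered, AAAA is NODATA"
    if a_ok and aaaa_rcode == NOERROR:
        return "ok: both A and AAAA answered"
    return "other: A rcode=%d, AAAA rcode=%d" % (a_rcode, aaaa_rcode)

# Constructed samples (placeholder name) reproducing the thread's symptom.
A_RESP = build_response("host.internal.example", A, NOERROR, ["10.0.0.5"])
AAAA_NX = build_response("host.internal.example", AAAA, NXDOMAIN)
AAAA_NODATA = build_response("host.internal.example", AAAA, NOERROR)

if __name__ == "__main__":
    print(classify(A_RESP, AAAA_NX))      # the forwarder behaviour reported above
    print(classify(A_RESP, AAAA_NODATA))  # what a conforming resolver returns
```

To test a live forwarder, feed `classify` the raw UDP responses to an A and an AAAA query for the same internal name; a second resolver (such as the domain controller mentioned in the thread) can be compared the same way.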