
Sophos XG DNS issue with Docker Containers

Hi, I have a bizarre issue with Docker containers and Sophos XG's DNS resolver.

Let me lay out my setup first. I am running Sophos XG Home 20.0.2MR2 on a Dell R210 II. There is no IPv6 enabled anywhere.

My Docker host is Ubuntu 24.04 LTS with Docker version 27.3.1. It's on DHCP with DNS pointing to my Sophos XG interface.

Here is my issue. In any of the containers:

ping "my.internal.FQDN" results in "Bad Address".

ping "my.TLD" results in a successful ping.

ping "external FQDNs like google.com" results in a successful ping.

ping -4 "my.internal.FQDN" results in success.

ping -6 "my.internal.fqdn" results in "Bad Address".

nslookup "my.internal.fqdn" is able to resolve IPv4, and returns NXDOMAIN for IPv6.

On the host, both ping and nslookup are fine and only return IPv4.

On the Sophos XG, I have tried all 4 DNS query configurations. No difference.

But if I change the DNS server on the Docker host to my domain controller, the container can ping internal FQDNs without any issues.

I am totally lost here. Did I configure something wrong on the Sophos XG or Docker?

Please help. I haven't been able to sleep well for a week now.



  • Hello,

    The Firewall works as a DNS forwarder. What IP addresses are added in Sophos for DNS? Does it have your internal domain controller added?

    You may try adding a DNS host entry for your internal server.

    docs.sophos.com/.../index.html

    Mayur Makvana
    Technical Account Manager | Global Customer Experience

    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question please use the 'Verify Answer' button.

  • Those are internal IPs in the 10.0.0.0/8 range. The host entry has already been added, and all hosts have been working fine for years. The DNS IP on Sophos is pointing to Google DNS, as I don't need them to check with my DC, which is a separate investment with limited records compared to the firewall DNS. The only issue is in the Docker container; it is not resolved correctly in the ping.

    Let me summarize the behavior. DNS works fine on any other system besides the container in Docker.

    In the container, nslookup resolves the FQDN, but ping requires -4 to force retrieving IPv4, or else it fails to resolve the FQDN. And only the internal domain behaves this way. Also, the TLD can be resolved with ping without -4. Choosing another internal DNS server other than Sophos does not have this issue.

  • IPv4 DNS answers may contain IPv4 and/or IPv6 addresses.
    Possibly the XG generates an IPv6 answer (NX-Host) with "higher priority" ... whyever.
    How about disabling IPv6 within the container OS?
    PS: before I activated IPv6 within my LAN, I had a similar problem with Debian updates ... it tried loading updates over IPv6 while IPv6 was not available.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.
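The observation in the original post (nslookup gets an A record but NXDOMAIN for the AAAA query of the same name) and the hypothesis in the reply above (an IPv6 "NX" answer winning over the IPv4 one) can be checked directly against the forwarder. Per RFC 2308, NXDOMAIN is a statement that the name has no records of any type, so a name that answers A must answer AAAA with NOERROR and an empty answer section (NODATA), not NXDOMAIN; a resolver that issues both queries together may otherwise treat the whole name as nonexistent. The script below is an added example, not code from the thread or from Sophos: it builds raw A and AAAA queries, parses the replies, and flags the inconsistent combination. The hostname host.internal.example, the address 10.0.0.5 and the constructed offline packets are assumptions for illustration; pass a resolver IP and a name on the command line to run it live against your own firewall.

```python
"""Detect a resolver that returns NXDOMAIN for AAAA on a name that has A records.

Added example for the thread above, not Sophos or forum code. Names, addresses
and the offline packets are constructed for illustration.
"""
import socket
import struct
import sys

QTYPE_A, QTYPE_AAAA = 1, 28
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def _encode_name(name):
    """Wire-format a dotted name as length-prefixed labels plus a root byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype, txid=0x1234):
    """Standard RD=1 DNS query with one question (RFC 1035 section 4.1)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(name, qtype, rcode, addresses=(), txid=0x1234):
    """Constructed reply (offline demo only): echoes the question and adds one
    RR per address using a compression pointer (0xC00C) to the question name."""
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(addresses), 0, 0)
    packet = header + _encode_name(name) + struct.pack("!HH", qtype, 1)
    family = socket.AF_INET if qtype == QTYPE_A else socket.AF_INET6
    for addr in addresses:
        rdata = socket.inet_pton(family, addr)
        packet += b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, 300, len(rdata)) + rdata
    return packet


def _read_name(data, offset):
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels, jumped, end = [], False, offset
    while True:
        length = data[offset]
        if (length & 0xC0) == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if jumped else offset


def parse_response(data):
    """Return (rcode, [(rtype, rdata)]) from a raw DNS reply; A/AAAA are decoded."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):
        _, offset = _read_name(data, offset)
        offset += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        _, offset = _read_name(data, offset)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A:
            rdata = socket.inet_ntop(socket.AF_INET, rdata)
        elif rtype == QTYPE_AAAA:
            rdata = socket.inet_ntop(socket.AF_INET6, rdata)
        answers.append((rtype, rdata))
    return flags & 0x0F, answers


def classify(a_rcode, a_answers, aaaa_rcode, aaaa_answers):
    """Judge the A/AAAA pair for one name. NXDOMAIN covers every record type,
    so it must never appear for AAAA when the same name returns A records."""
    has_a = a_rcode == 0 and any(t == QTYPE_A for t, _ in a_answers)
    has_aaaa = aaaa_rcode == 0 and any(t == QTYPE_AAAA for t, _ in aaaa_answers)
    if has_a and aaaa_rcode == 3:
        return "INCONSISTENT: A answered but AAAA is NXDOMAIN (should be NODATA)"
    if has_a and has_aaaa:
        return "OK: dual-stack name"
    if has_a and aaaa_rcode == 0:
        return "OK: A records, AAAA NODATA (IPv4-only name)"
    if a_rcode == 3 and aaaa_rcode == 3:
        return "OK: name does not exist"
    return "UNEXPECTED: A rcode %s, AAAA rcode %s" % (
        RCODE_NAMES.get(a_rcode, a_rcode), RCODE_NAMES.get(aaaa_rcode, aaaa_rcode))


def query_server(server, name, qtype, timeout=2.0):
    """Live UDP query to a resolver on port 53 (assumed reachable); returns parsed reply."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, qtype), (server, 53))
        data, _ = sock.recvfrom(4096)
    finally:
        sock.close()
    return parse_response(data)


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py <resolver-ip> <fqdn>
        a = query_server(sys.argv[1], sys.argv[2], QTYPE_A)
        aaaa = query_server(sys.argv[1], sys.argv[2], QTYPE_AAAA)
    else:  # offline demo with constructed packets mirroring the thread's symptom
        a = parse_response(build_response("host.internal.example", QTYPE_A, 0, ["10.0.0.5"]))
        aaaa = parse_response(build_response("host.internal.example", QTYPE_AAAA, 3))
    print("A   :", RCODE_NAMES.get(a[0], a[0]), a[1])
    print("AAAA:", RCODE_NAMES.get(aaaa[0], aaaa[0]), aaaa[1])
    print(classify(a[0], a[1], aaaa[0], aaaa[1]))
```

Run it once against the firewall's interface IP and once against the domain controller for the same internal FQDN; the two "OK"/"INCONSISTENT" verdicts side by side show whether the forwarder, rather than the container, is the side producing the NXDOMAIN.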
