Sophos DNS Protection setup issue

We have signed up and set up as per the user guides.

We have set up DNS Protection as per the user guide, installed the SSL cert, created locations, and moved to the supplied DNS servers.

However, websites are not getting blocked. The usage summary page shows total queries and policy blocks increasing as we access both allowed and blocked categories; however, all websites load fine without issues or block messages.

The active locations and site show as in use, and the DNS query count continues to rise.

We have also set up a dedicated deny policy and added a few websites; these still load and are allowed without issues.

Any ideas? I have tried logging this with support, but because it's early access I was forwarded to this community.

[edited by: Paul Sullivan1 at 9:54 AM (GMT -8) on 13 Dec 2023]
  • Hi,

    Thanks for signing up for the DNS Protection EAP.

    If a Policy is configured to filter by Domain list, those specific websites defined in Domain list should be allowed/blocked based on the associated action in the Policy for that Domain list. We would like to know more about how the policy is configured.

    If you can send the "Feedback" from Central (available in DNS Protection Location/Policy/Domains/Installers page), it would enable us to connect over Email to discuss the concern further.

    Looking forward to your response. Thanks in advance.

  • Great, thanks. Submitted feedback, and also fixed the typo above to make it clearer.

  • OK, we finally got to the bottom of this issue with Sophos support.

    It was the Web - Pharming protection setting in the XG.

    Under Web -> General settings -> Advanced:
    Pharming protection - Protect users against domain name poisoning attacks by repeating DNS lookups before connecting. This option can be enforced by the web proxy only.

    You will be unable to use this feature at the moment when using Sophos DNS Protection until they update it or make a fix for this; I'm guessing an allow list for both products will need to be whitelisted.

  • Thanks again for your patience in getting to the bottom of this issue, Paul.

    To clarify your final point: one of the reasons you were seeing this issue was because the Firewall was not using DNS Protection while the Endpoint was using it directly. The Firewall was therefore getting completely different DNS results than the endpoint.

    Pharming Protection will still work successfully if the Firewall is also configured to use the DNS Protection resolvers.

    But we are also investigating ways to avoid applying Pharming Protection checks for the blockpage IP addresses in future, to avoid the confusion this caused.
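The root cause in this thread was two devices resolving the same name through different resolvers: the endpoint received the block-page answer, while the firewall's Pharming Protection re-lookup went to a different resolver and found the real site. The script below is an added example, not code from the thread or from Sophos; it sends a plain UDP DNS A query to two resolvers you name (for instance, the one your endpoints use and the one the firewall uses), parses the answers with only the standard library, and classifies whether the pair would let a re-resolving proxy bypass a block. The resolver addresses, the domain and the `blockpage_ips` parameter are assumptions you supply from your own deployment; the sample response packet is constructed so the parser can be exercised offline.

```python
"""Added example: compare A-record answers from two resolvers for one name.
Resolver IPs, the domain, and blockpage_ips are placeholders you supply."""
import random
import socket
import struct


def build_query(name: str, txid: int) -> bytes:
    """Build a minimal recursive A/IN query (RFC 1035 wire format)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(data: bytes, offset: int) -> int:
    """Advance past a (possibly compressed) owner name; return the new offset."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return offset + 2
        offset += 1 + length


def parse_a_records(data: bytes, expected_txid: int) -> list:
    """Return the IPv4 addresses in the answer section, in numeric order."""
    if len(data) < 12:
        raise ValueError("response shorter than a DNS header")
    txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    offset = 12
    for _ in range(qd):
        offset = _skip_name(data, offset) + 4  # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        offset = _skip_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
            answers.append(socket.inet_ntoa(rdata))
    return sorted(answers, key=socket.inet_aton)


def resolve_a(name: str, resolver_ip: str, timeout: float = 3.0) -> list:
    """Query one resolver directly over UDP/53 (bypasses the OS stub resolver)."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (resolver_ip, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data, txid)


def classify(endpoint_answers, firewall_answers, blockpage_ips) -> str:
    """Interpret a pair of answers for the same name.

    blockpage_ips is a hypothetical parameter: the addresses your filtering
    service returns for blocked names (take them from your own service).
    """
    e, f, b = set(endpoint_answers), set(firewall_answers), set(blockpage_ips)
    if e == f:
        return "blocked on both" if e and e <= b else "consistent"
    if e and e <= b and not (f <= b):
        # Endpoint was steered to the block page, but the firewall's own lookup
        # found the real site: a proxy that re-resolves before connecting will
        # reach the site and the block is bypassed.
        return "firewall bypasses block"
    return "divergent"


def diagnose(name, endpoint_resolver, firewall_resolver, blockpage_ips) -> dict:
    """Resolve through both resolvers and classify the result (needs network)."""
    e = resolve_a(name, endpoint_resolver)
    f = resolve_a(name, firewall_resolver)
    return {"endpoint": e, "firewall": f, "verdict": classify(e, f, blockpage_ips)}


# Constructed response for offline parsing: txid 0x1234, one question for
# example.test, two A answers (192.0.2.10 and 192.0.2.9) using a name pointer.
SAMPLE_TXID = 0x1234
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", SAMPLE_TXID, 0x8180, 1, 2, 0, 0)
    + b"\x07example\x04test\x00" + b"\x00\x01\x00\x01"
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + b"\xc0\x00\x02\x0a"
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + b"\xc0\x00\x02\x09"
)

if __name__ == "__main__":
    print(parse_a_records(SAMPLE_RESPONSE, SAMPLE_TXID))
    # Live check (placeholders): diagnose("blocked.example", "192.0.2.53",
    #                                      "198.51.100.53", ["203.0.113.1"])
```

A verdict of "firewall bypasses block" is exactly the situation described above: fix it by pointing the firewall at the same DNS Protection resolvers the endpoints use, then re-run and expect "blocked on both". The parser handles only A records and compression pointers at the start of an answer name, which is all this check needs.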