
The Sophos UTM DNS / DHCP UI is counter-intuitive to use. How do I make it easier?

The burr under my saddle all these years that I have been running a UTM has been the wonkiness of the UI for DNS and DHCP. It has finally reached a point where I am tired of dealing with it.

:D

First is DNS. I have the UTM's DNS forwarded to the domain controller on the network. The domain controller is also providing DHCP services for the network. Even though manual PTR lookups from any host on the network will return a valid name, the UTM chokes:

Does anyone know why I am getting "RESOLVING" as opposed to a valid hostname?

Thanks!

John



  • DouglasFoster said:
    you want UTM to query Google or Quad9 DNS, with a special routing only for the internal domains and reverse lookups that it needs.

    I agree that this type of configuration is certainly one way to do it. However. (grin) Sending DNS traffic to Google means a) that you trust Google, b) that you cannot run a DNS blacklist and c) that you cannot run a split-horizon DNS.

    I prefer to run my own DNS servers that query root; I run blacklists on said servers and I run a split horizon. So sending DNS traffic out in this suggested manner is not really an option for me. So that you all know, I have two egress points on my network. The first is out through the UTM for content filtering, and the second egress has no content filtering but is port and rate restricted via PF.

    I know that you guys/gals have a ton of experience with the administration of UTMs, and I recognize that the nuances can be subtle, so I am grateful for continued input!

    That said, at a high level, I am hard pressed to see how my network configuration is unworkable. Additionally, the tcpdump screenshot I pasted in clearly shows the UTM querying for a PTR and getting a response. Where we are now is: what did the UTM do with that response? And on a technical level I still don't understand why "Request Routing" is even needed. What problem does this solve?

    Thanks!

    John

  • John knows the following, but others might not... WebAdmin and the config daemon do create the iptables, BIND and other configurations that allow the UTM to do what it does. It's difficult to get the underlying tools to do what one might do at the command line. Even doing them at the command line will require re-doing them in many cases unless there's a cc command that lets you change the underlying databases of settings.

    Just for grins, try changing the Forwarder in WebAdmin to your bind server, creating the Request Route for rDNS and making the UTM the first forwarder for your Windows server.  Does that change the performance?

    Cheers - Bob 

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • BAlfson said:
    ... unless there's a cc command that lets you change ..

    Has someone put together a list of cc commands that are available?

    Just for grins, try changing the Forwarder in WebAdmin to your bind server, creating the Request Route for rDNS and making the UTM the first forwarder for your Windows server.

    It looks like your original suggestion to enable "request routing" for in-addr.arpa is what did the trick. And I guess I needed to let some time pass, because I was expecting instant results.

    (grin)

    For hosts that still were not getting PTR resolution, I have adjusted DHCP to try to make sure the server registers all leases:

    Failing that, my testing has indicated that static in-addr.arpa entries will work too.

    Thanks for all of the help!

    John
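
What Bob's suggestion (forwarder = the BIND server, a Request Route for the internal domain and for rDNS = the domain controller) and John's fallback (static in-addr.arpa entries) amount to, written out as plain BIND 9 syntax. This is an added example for readers of the thread; it is not the UTM's generated configuration, which WebAdmin writes itself, and the addresses, zone names and hosts are hypothetical. The reason a dedicated route for the reverse tree is needed: private reverse zones such as 10.in-addr.arpa are not delegated on the public Internet, so a resolver that only has a generic forwarder (or that queries the roots itself) gets an authoritative negative answer for them and caches it, while a conditional forward zone sends exactly that subtree to the server that actually holds the PTR records.

```conf
// ---- /etc/bind/named.conf.local (added example, hypothetical values) ----
//
// "DNS Forwarders" in WebAdmin: the default path for everything that is not
// matched by a more specific zone below. Here it is the site's own
// root-querying BIND server at 10.0.0.53.
options {
    directory "/var/cache/bind";
    forwarders { 10.0.0.53; };
    forward only;
};

// "Request Routing" for the internal AD domain: queries for corp.example
// go to the domain controller that owns the zone, not to the forwarder.
zone "corp.example" {
    type forward;
    forward only;
    forwarders { 10.0.0.10; };      // domain controller / AD DNS
};

// "Request Routing" for rDNS: the reverse zone of the LAN (10.0.0.0/24)
// is routed to the same domain controller, where DHCP registers PTRs.
// This is the entry that the thread found turned "RESOLVING" into names.
zone "0.0.10.in-addr.arpa" {
    type forward;
    forward only;
    forwarders { 10.0.0.10; };
};

// Fallback for a subnet whose hosts never get registered by DHCP
// (10.0.1.0/24 here): serve static PTR records locally instead of
// forwarding. A zone can be forwarded OR authoritative, not both, so
// this is a different reverse zone from the one above.
zone "1.0.10.in-addr.arpa" {
    type master;
    file "/etc/bind/db.1.0.10";
};

// ---- /etc/bind/db.1.0.10 (static reverse zone, hypothetical hosts) ----
// $TTL 3600
// @    IN SOA  ns1.corp.example. hostmaster.corp.example. (
//              2024010101 ; serial, bump on every change
//              3600       ; refresh
//              900        ; retry
//              604800     ; expire
//              300 )      ; negative-cache TTL: keeps a missing PTR from
//                         ; being cached as NXDOMAIN for long
//      IN NS   ns1.corp.example.
// 10   IN PTR  printer1.corp.example.
// 20   IN PTR  camera-lobby.corp.example.
```

To check which path a reverse lookup actually takes, query the resolver directly for one address in each range, e.g. `dig -x 10.0.0.25 @10.0.0.1` and `dig -x 10.0.1.10 @10.0.0.1` (substituting the resolver's address): the first should return the PTR registered by DHCP on the domain controller, the second the static record, and an NXDOMAIN from either indicates the query is still reaching the generic forwarder rather than the routed zone. After editing a zone file, increase the SOA serial and run `rndc reload` (or `rndc reload 1.0.10.in-addr.arpa`) so the change is picked up.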