The Sophos UTM DNS / DHCP UI is counter-intuitive to use. How do I make it easier?

The burr under my saddle all these years that I have been running a UTM has been the wonkiness of the UI for DNS and DHCP. It has finally reached a point where I am tired of dealing with it.

:D

First is DNS. I have the UTM's DNS forwarded to the domain controller on the network. The domain controller is also providing DHCP services for the network. Even though manual PTR lookups from any host on the network will return a valid name, the UTM chokes:

Does anyone know why I am getting "RESOLVING" as opposed to a valid hostname?

Thanks!

John

  • After rereading your note on a big screen instead of a phone, I am going to backtrack. I think I see your root problem.

    A "DNS Host" object is a host name that is resolved using a DNS server outside of the UTM.

    A "Host" object always has an IP address (for use in configuration lists that use network objects). Optionally, you can associate a DNS hostname (which creates a forward pointer in the UTM DNS server). Then if you check the "reverse DNS" checkbox, you get a reverse DNS pointer in the UTM DNS server.

    Because the object is "Resolving," it implies that you have created a "DNS Host" object for 10.41.42.43. If you know the name and IP address are static, you should use a Host object. If you really want to use a DNS Host object, the host name must be specified in forward-DNS format: 43.42.41.10.in-addr.arpa

    Assuming that you have a "DNS Host" object with a host name of "10.41.42.43", it will never resolve (and therefore never do anything useful) because "10.41.42.43" is not a valid forward-DNS host name.

    There is no good reason to create "DNS Host" objects for in-addr.arpa addresses. In UTM configuration tasks, if you want to configure using an IP address, you want to use a Host object for the address, not an in-addr.arpa lookup (which will return a host name rather than an IP address). If you want to reference a DNS host name, you use either a Host object with a DNS name attached (for local resolution), or a DNS Host object (for external resolution by your domain controller). For host name references, I prefer DNS Host objects, because it ensures that UTM will reference the object by name rather than by IP address, which is important if certificate validation is involved.

    Reverse lookup zones are a way of allowing UTM to use your domain controller to resolve IP addresses to host names, so that your log files (such as the webfilter log) will contain host names instead of IP addresses. As far as I can recall, UTM's Reverse lookup zones are not used for, or useful for, any other purpose. In a typical environment, desktops use DHCP, so there is the possibility that the host name when the log was created will be different than the host name when the log is reviewed. If the log is telling you that something inappropriate happened on 10.10.251.251, the IP address by itself may not be sufficient to help you find the problem machine, but the host name provides a certain identity.

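The reply above turns on one distinction: a dotted-quad such as "10.41.42.43" is an address literal, not a forward DNS name, so a DNS Host object built from it sits at "Resolving" forever, while the reverse-DNS form of that address is 43.42.41.10.in-addr.arpa. The script below is an added illustration (it is not Sophos UTM code and does not talk to the UTM's API) of that classification: it distinguishes an IP literal from a syntactically valid forward hostname, derives the in-addr.arpa / ip6.arpa PTR owner name with Python's standard ipaddress module (going beyond the post by covering IPv6 as well), and lists the A and PTR records a Host object with the "reverse DNS" box ticked would publish. The hostname dc01.corp.example and the helper names (is_forward_hostname, reverse_name, suggest_object, host_object_records) are constructed for the example.

```python
"""Added example: which Sophos UTM definition fits a value, and what
records a Host object publishes.  Not UTM code; helper names and the
sample hostname dc01.corp.example are constructed for illustration."""
import ipaddress
import re

# RFC 1123 hostname label: 1-63 characters, letters/digits/hyphen,
# no leading or trailing hyphen.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_ip_literal(value: str) -> bool:
    """True for an IPv4 or IPv6 address literal such as 10.41.42.43."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def is_forward_hostname(name: str) -> bool:
    """True for a syntactically valid forward DNS name (dc01.corp.example).

    A dotted-quad is an address literal, not a hostname, and RFC 1123
    section 2.1 forbids an all-numeric top-level label, so "10.41.42.43"
    is rejected here even before any resolver is asked.
    """
    name = name.rstrip(".")
    if not name or len(name) > 253 or is_ip_literal(name):
        return False
    labels = name.split(".")
    if not all(_LABEL.match(label) for label in labels):
        return False
    return not labels[-1].isdigit()


def reverse_name(addr: str) -> str:
    """PTR owner name for an address: 43.42.41.10.in-addr.arpa for IPv4,
    the nibble-reversed ip6.arpa name for IPv6 (stdlib does the work)."""
    return ipaddress.ip_address(addr).reverse_pointer


def suggest_object(value: str) -> str:
    """Which UTM definition fits what the admin typed, per the reply above."""
    if is_ip_literal(value):
        # Static address: a Host object, optionally with a DNS name attached.
        return "Host"
    if is_forward_hostname(value):
        # A real forward name: a DNS Host object resolved externally.
        return "DNS Host"
    # Neither: a DNS Host object built from this will never leave "Resolving".
    return "invalid"


def host_object_records(name: str, addr: str, reverse_dns: bool = False):
    """Records the UTM's local DNS would serve for a Host object that has a
    DNS name attached; the PTR appears only when 'reverse DNS' is ticked."""
    fqdn = name.rstrip(".") + "."
    ip = ipaddress.ip_address(addr)
    records = [(fqdn, "A" if ip.version == 4 else "AAAA", str(ip))]
    if reverse_dns:
        records.append((reverse_name(addr) + ".", "PTR", fqdn))
    return records


if __name__ == "__main__":
    # The original poster's situation: a DNS Host object named after an IP.
    for value in ("10.41.42.43", "dc01.corp.example", "43.42.41.10.in-addr.arpa"):
        print(f"{value:28} -> {suggest_object(value)}")
    print("PTR owner for 10.41.42.43:", reverse_name("10.41.42.43"))
    for rec in host_object_records("dc01.corp.example", "10.41.42.43", reverse_dns=True):
        print("  ", *rec)
```

The check is purely syntactic, which is the point: the UTM cannot resolve a name that can never exist in a forward zone, so the fix is to pick the right object type rather than to chase the resolver. A Host object with the reverse tick set gives you both the A record and the PTR record locally; a DNS Host object only makes sense for a name some external server (here the domain controller) actually answers for.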