This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Is Sophos UTM 9 Firewall or IDS blocking EDNS0 queries (UDP packets that are larger than 512 byte)?

Hello,

our clients are using the integrated DNS server from Windows Server 2012.
Both the clients and the Windows servers are behind the Sophos UTM 9 firewall.

A few days ago we have enabled DNSSec validation for remote queries on the Windows servers. Since then some websites (like gmx.net, web.de) stopped working because of failed DNS resolution. It is toggeling between working and not working.

I've found the following support article from Microsoft:
https://support.microsoft.com/en-us/help/832223/some-dns-name-queries-are-unsuccessful-after-you-deploy-a-windows-base

Would it be possible that Sophos UTM firewall or IDS is blocking EDNS0 queries somehow?

Thank you,
Christoph

This thread was automatically locked due to age.

0 dirkkotte over 4 years ago

Hi,

i don't know such behaviour.
But first i would check IPS and DNS Log Files. Blockings should be reported there.

Dirk

Systema Gesellschaft für angewandte Datentechnik mbH // Sophos Platinum Partner
Sophos Solution Partner since 2003
If a post solves your question, click the 'Verify Answer' link at this post.
Cancel
Vote Up 0 Vote Down

Cancel
0 Christoph Mitasch over 4 years ago in reply to dirkkotte

Hello Dirk,

thanks for your reply. I've checked die IPS and "DNS Proxy" log, but nothing suspicious there.
Since we are using the Windows servers for DNS resolution, the DNS Log should not be relevant I guess?

Thanks,
Christoph
Cancel
Vote Up 0 Vote Down

Cancel
0 Jaydeep over 4 years ago

Hi Christoph Mitasch

I suggest checking the packetfilter.log for the Server IP address and see if there is any Drop/Reject packets. Further, if you see that UTM9 is dropping packets, please refer to this KBA Packetfilter logfiles on the Sophos UTM This will help you get an idea about any drops.

Regards

Jaydeep
Cancel
Vote Up 0 Vote Down

Cancel
0 DouglasFoster over 4 years ago
I agree that there should be a log entry somewhere if the traffic is blocked. The packetfilter / firewall live log is abbreviated, so it is better to work from a download of the full log.

(The packetfilter has false positives associated with session termination, because the connection tracker stops tracking as soon as one "bye" message is seen. This causes the reply to be blocked, and is evidenced by "RST" or "FIN" in the tcpflags token.)

Debugging thoughts:

It would help to break down your traffic flow, to clarify whether UTM DNS has any involvement in the failed lookups.

Is UTM running with DNS SEC on or off?

Does the Active Directory DNS server relay to UTM? Does UTM relay to Active Directory?

Can UTM query Active Directory DNS successfully?

Can Active Directory DNS query UTM successfully?

Do you use Standard Mode or Transparent Mode filtering? UTM does DNS lookups when you are using Standard Mode, and when using Transparent Mode with Pharming Protection enabled.

Are you using a forwarder for all traffic, or do some queries use root hints? Do your symptoms change depending on the forwarder used - Quad9, Cloudflare, Google, or something else?

You also want to look at the error returned by the failed DNS lookups. Are you getting:

a response timeout (no answer), which indicates a blocked packet, or

a NXDOMAIN (not found), which probably implies a result where DNS SEC signatures are expected.

DNS SEC in UTM

This also raises the question of whether UTM DNS SEC should be enabled or disabled. Active Directory will consider UTM to be a remote server, so it will expect DNS SEC to be enabled if it has any reason to query UTM. But enabling DNS SEC on UTM is fraught with challenges. UTM supposedly has embedded support for DNS SEC, but it is not well documented and my attempts to gain more detail have been frustrating, using both support and sales channels. Here is my current understanding:

- If the DNS SEC feature is enabled, UTM requires all DNS servers to have DNS SEC servers to be fully DNS SEC compliant. This appears to prevent it from sending DNS queries to Active Directory, which has a limited implementation of DNS SEC. For most installations, this is not viable. Of course, Active Directory capabilities vary with each Server version, and I am not up to speed on the latest Microsoft changes.

- The UTM implementation of DNS SEC does not appear to support DNS over TCP, a feature which does not appear to be required but does seem to be normative, for performance and security reasons.

- There are a few posts in this forum from users who attempted to enable DNS SEC on their UTM, all of which seem to have failed. I have not found anyone who reported success.

Bandwidth

We know that any organization generates a lot of DNS traffic. I have not been able to find any guidelines about how much incremental bandwidth consumption should be expected when switching from DNS to DNS SEC successfully. Any such overhead will grow if DNS SEC becomes more widely adopted.
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 4 years ago in reply to Christoph Mitasch

Hallo Christoph and welcome to the UTM Community!

See #2 in Rulz (last updated 2019-04-17) - please also check the Firewall log.

There is a DNSSEC setting in WebAdmin, but if I understand your configurations, you shouldn't need to use it.

In any case, you might want to read and consider DNS best practice.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 Christoph Mitasch over 4 years ago in reply to BAlfson

Hello,

thanks for your hints.

We ended up to disabling DNSSEC validation again on Windows Server 2012.

I've installed another Windows Server 2016 for testing purposes only.
It worked with that behind the same firewall.

So I guess there is problem with Windows Server 2012 and not the firewall.

Thank you,
Christoph
Cancel
Vote Up 0 Vote Down

Cancel