Is Sophos UTM 9 Firewall or IDS blocking EDNS0 queries (UDP packets that are larger than 512 byte)?

Hello,

our clients are using the integrated DNS server from Windows Server 2012.
Both the clients and the Windows servers are behind the Sophos UTM 9 firewall.

A few days ago we enabled DNSSEC validation for remote queries on the Windows servers. Since then some websites (like gmx.net, web.de) stopped working because of failed DNS resolution. It is toggling between working and not working.

I've found the following support article from Microsoft:
https://support.microsoft.com/en-us/help/832223/some-dns-name-queries-are-unsuccessful-after-you-deploy-a-windows-base

Would it be possible that Sophos UTM firewall or IDS is blocking EDNS0 queries somehow?

Thank you,
Christoph
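A quick way to test the question asked here from any client behind the firewall is to send the same kind of query the Windows resolver sends (EDNS0 OPT record advertising a large UDP buffer, DO bit set) and see whether a full answer, a truncated answer, or nothing at all comes back. The script below is an added example written for this thread, not code from the original post, Sophos or Microsoft. It uses only the Python standard library; the DNS message builder and parser are minimal (enough to read the header flags and spot OPT and RRSIG records), and the `build_sample_response` reply is a constructed sample, not a capture from the poster's network. Comparing a 512-byte probe with a 4096-byte probe against the same server is the point: if the small one answers (possibly truncated) and the large one times out, something on the path is dropping large UDP DNS replies.

```python
"""Probe whether a DNS server returns large EDNS0/DNSSEC answers over UDP.

Added example for this thread; not the original poster's code.  Pure stdlib.
"""
import socket
import struct
import sys

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46


def encode_name(name: str) -> bytes:
    """Encode 'a.b.c' as DNS wire labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name, qtype=TYPE_A, txid=0x1234, udp_size=4096, do_bit=True) -> bytes:
    """Query with RD=1 and one OPT pseudo-RR (RFC 6891) in the additional section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # QDCOUNT=1, ARCOUNT=1
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT: root name, TYPE=41, CLASS=advertised UDP payload size,
    # TTL = ext-RCODE(8) | version(8) | DO(1) | Z(15), RDLEN=0
    ttl = 0x8000 if do_bit else 0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, ttl, 0)
    return header + question + opt


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) owner name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer is 2 bytes
            return off + 2
        off += 1 + length


def parse_response(msg: bytes) -> dict:
    """Extract the header bits and the presence of RRSIG/OPT records."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4   # QTYPE + QCLASS
    rrsig, opt = False, None
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_RRSIG:
            rrsig = True
        elif rtype == TYPE_OPT:
            opt = {"udp_size": rclass, "do": bool(ttl & 0x8000)}
    return {"id": txid, "rcode": flags & 0xF, "tc": bool(flags & 0x0200),
            "ad": bool(flags & 0x0020), "answers": an, "rrsig": rrsig,
            "opt": opt, "size": len(msg)}


def interpret(result) -> str:
    """Turn a parsed reply (or None for a timeout) into a one-line verdict."""
    if result is None:
        return "no reply: large EDNS0 UDP answer may be dropped on the path"
    if result["tc"]:
        return "truncated: answer exceeds the advertised UDP size, retry over TCP"
    if result["rcode"] == 2:
        return "SERVFAIL: resolver could not validate or reach the zone"
    return "ok"


def probe(server, name, udp_size=4096, timeout=3.0, port=53):
    """Send one EDNS0/DO query over UDP; return the parsed reply or None on timeout."""
    query = build_query(name, udp_size=udp_size)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, port))
        try:
            data, _ = s.recvfrom(65535)
        except socket.timeout:
            return None
    return parse_response(data) if data[:2] == query[:2] else None


def build_sample_response(txid=0x1234, truncated=False) -> bytes:
    """Constructed sample reply (A + RRSIG + OPT) used for offline checks; not a capture."""
    flags = 0x8180 | (0x0200 if truncated else 0)     # QR, RD, RA (+TC)
    header = struct.pack("!HHHHHH", txid, flags, 1, 2, 0, 1)
    question = encode_name("example.net") + struct.pack("!HH", TYPE_A, 1)
    a_rr = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 10])
    rrsig = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_RRSIG, 1, 300, 20) + b"\x00" * 20  # dummy RDATA
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0x8000, 0)
    return header + question + a_rr + rrsig + opt


if __name__ == "__main__":
    # usage: python probe.py <dns-server-ip> <name>, e.g. the Windows DNS server and gmx.net
    server, name = sys.argv[1], sys.argv[2]
    for size in (512, 4096):
        print(f"udp_size={size}:", interpret(probe(server, name, udp_size=size)))
```

Run it against the Windows DNS server first and then, if possible, against its forwarder from a host on the other side of the UTM; a verdict that flips from "ok" at 512 bytes to "no reply" at 4096 bytes only on the inside is the pattern that would point at the firewall rather than at the server itself.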



This thread was automatically locked due to age.
  • Hi,

    I don't know of such behaviour.
    But first I would check the IPS and DNS log files. Blocks should be reported there.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Hello Dirk,

    thanks for your reply. I've checked the IPS and "DNS Proxy" log, but nothing suspicious there.
    Since we are using the Windows servers for DNS resolution, the DNS Log should not be relevant I guess?

    Thanks,
    Christoph

    Hello Christoph and welcome to the UTM Community!

    See #2 in Rulz (last updated 2019-04-17) - please also check the Firewall log.

    There is a DNSSEC setting in WebAdmin, but if I understand your configurations, you shouldn't need to use it.

    In any case, you might want to read and consider DNS best practice.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello,

    thanks for your hints.

    We ended up disabling DNSSEC validation again on Windows Server 2012.

    I've installed another Windows Server 2016 for testing purposes only.
    That one worked behind the same firewall.

    So I guess there is a problem with Windows Server 2012 and not the firewall.

    Thank you,
    Christoph
