
DNS Host Definitions not updating

Hello Community,

We have 2 Domain Controllers and a Sophos UTM cluster.

The Domain Controllers handle DNS Services and are used by the UTM to work with DNS Hosts.

We work with DNS Host Definitions, and I recently moved a host from one VLAN to another, therefore its IP address has changed.

After a reboot of the corresponding machine the DNS record was successfully updated on the Domain Controllers, and I verified that the new entry has its 15 min TTL property.

I waited the whole night, but the firewall was still resolving the host with its old IP; I had to manually clear the resolver cache for the UTM to update the record.

Shouldn't this be some sort of automatic process? Am I missing something?
Thanks

  • Is your UTM set up so that it's just a forwarder, so any requests pass through to the DNS server?

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • Hello Amodin,

    The clients get the DCs as their primary and secondary DNS, the domain controllers point to the UTM as their resolver, and the UTM is using DNS servers provided by our local ISP. There is a request route in place for domain.local pointing to our domain controllers.
    Everything seems to work fine, but the DNS host entries on the UTM stay as they are despite being changed manually or by automatic DNS updates at domain server level. I have to flush the cache for the entries to get renewed.

  • Hmm, sounds like the old DNS bug around ... I wanna say version 7.9 - 8.0? I can't say for certain on that, but I think the difference here is that you can resolve once you flush the cache, whereas the older bug wouldn't update after a flush.

    Are your internal DNS hosts on the UTM set up with reverse DNS and using in-addr.arpa addressing? Is there anything in your logs, or have you tried to access the 'lost' clients via IP?


  • Hello,

    What was the TTL on the original entry in the domain server?  If that hadn't been reached yet, the UTM would have no idea of the new values.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
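Bob's point above is about the TTL of the record as it was cached, not the TTL of the new record. The following is an added example, not code from the thread or from Sophos: a toy caching forwarder with a fake clock that replays the situation (old address cached with a 15 min TTL, zone changed shortly after, resolver still answering the old address until the cached TTL runs out or the cache is flushed). The host name and IP addresses are constructed.

```python
"""Added example (not from the thread): a toy caching forwarder that honours
the TTL of the answer it cached, showing why a resolver keeps returning an
old address after the zone was updated.  Host name and IPs are constructed."""
import time
from dataclasses import dataclass


@dataclass
class Record:
    ip: str
    ttl: int  # seconds, as set on the record in the zone


class Zone:
    """Stand-in for the DNS zone on the domain controllers (constructed)."""

    def __init__(self):
        self.records = {}

    def set(self, name, ip, ttl):
        self.records[name] = Record(ip, ttl)

    def lookup(self, name):
        return self.records[name]


class FakeClock:
    """Deterministic clock so the scenario runs without sleeping."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


class CachingResolver:
    """Generic forwarder cache (assumption: the UTM resolver behaves this way):
    a cached answer is reused until the TTL captured at caching time has run
    out.  Zone changes made after that moment are invisible until expiry or
    until the cache is flushed."""

    def __init__(self, zone, clock=time.monotonic):
        self.zone = zone
        self.clock = clock
        self.cache = {}  # name -> (ip, expires_at)

    def resolve(self, name):
        now = self.clock()
        hit = self.cache.get(name)
        if hit is not None and hit[1] > now:
            return hit[0]  # still fresh: answered from cache, zone not asked
        rec = self.zone.lookup(name)
        self.cache[name] = (rec.ip, now + rec.ttl)
        return rec.ip

    def remaining_ttl(self, name):
        hit = self.cache.get(name)
        if hit is None:
            return 0
        return max(0, int(hit[1] - self.clock()))

    def flush(self, name=None):
        if name is None:
            self.cache.clear()
        else:
            self.cache.pop(name, None)


def walk_through():
    """Replay the thread's timeline and return what the resolver answered."""
    zone, clock = Zone(), FakeClock()
    zone.set("host.domain.local", "10.10.1.25", 900)  # old VLAN, 15 min TTL
    resolver = CachingResolver(zone, clock)
    out = {}
    out["first"] = resolver.resolve("host.domain.local")         # cached at t=0
    clock.now = 120
    zone.set("host.domain.local", "10.10.2.25", 900)             # host moved
    clock.now = 300
    out["stale"] = resolver.resolve("host.domain.local")         # still old IP
    out["ttl_left_at_300"] = resolver.remaining_ttl("host.domain.local")
    clock.now = 901
    out["after_expiry"] = resolver.resolve("host.domain.local")  # refetched
    # Same timeline again, but with a manual flush at t=300 instead of waiting.
    zone2, clock2 = Zone(), FakeClock()
    zone2.set("host.domain.local", "10.10.1.25", 900)
    r2 = CachingResolver(zone2, clock2)
    r2.resolve("host.domain.local")
    clock2.now = 120
    zone2.set("host.domain.local", "10.10.2.25", 900)
    clock2.now = 300
    r2.flush("host.domain.local")
    out["after_flush"] = r2.resolve("host.domain.local")
    return out


if __name__ == "__main__":
    for key, value in walk_through().items():
        print(f"{key}: {value}")
```

With a 15 min TTL the stale answer should disappear within 15 minutes of the zone change; a resolver that still answers the old address the next morning is doing something other than plain TTL-based caching, which is why the flush mattered in the thread.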
  • Hello Amodin, reverse DNS lookup has not been set up; I can connect to the lost clients via IP without any issues.
    I found out that some entries are static and some are dynamic, and that there is no scavenging enabled. I think I will dig deeper and set up some test hosts to play around with. Thanks!

  • Hello Bob, I do not know how to verify this as I deleted the old records manually, but as I told Amodin already there is a mixture of static and dynamic DNS entries and there is no scavenging in place at all. Can this be the issue? I will set up some records to test the behaviour before moving to the productive systems.

  • I didn't see anything about your DNS scavenging not being in place. How is it then you get rid of old records? Manually delete them from DNS?

    Because that is literally the purpose of DNS scavenging - get rid of stale records.

    If the UTM is forwarding requests to your DNS servers and no scavenging is taking place, the aged/stale records will remain because the UTM is just sending that request onto the recordkeeper.  So you get stuck with GIGO.
