
UTM 9 DHCP with DNS Availability List

Hello, 

I am fairly new in the UTM game.
I have set up an old appliance (which was a leftover in my company) with a home license. I am happy with my work so far - almost everything works as I was hoping.

The only thing which I just can't wrap my head around:

DHCP-Server + DNS Forwarders. My UTM refuses to use the DNS in the Forwarders-list. I sense I misconfigured something somewhere.

I wanted: UTM as DHCP, pi-hole as DNS, if pi-hole fails, fallback on UTM as DNS+DHCP (Fritzbox is the modem and the UTM is set up as exposed host)

My DHCP is configured as follows (works fine - but not as intended):

But - of course - doesn't work when the pi-hole fails/is turned off.

This is the Forwarders config:

Any recommendations where I need to adjust things? Or am I just stupid?

Config:
Fritzbox: 192.168.169.1
UTM: 192.168.0.1
PiHole: 192.168.0.254

...and sadly yes - I have read:
https://community.sophos.com/utm-firewall/f/recommended-reads/122972/dns-best-practice 

Thanks for your time and suggestions.

Sorry if my English is not understandable - not a native speaker - if Bob answers, I am happy to go on in German ;)

greetings, 

Matthias



  • Hello Matthias,

    so your pi-hole is sitting at 192.168.0.254?

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • yes sir - will edit this in my initiating post.

  • Hello Matthias,

    OK, then why do you expect the client to contact another DNS server, if you communicate only one server IP in your DHCP configuration?

    The client will contact 192.168.0.254 and will keep contacting this one.

    My solution to this would be to have a second DNS server entry pointing to the Sophos gateway and then have the UTM make the decision which DNS to contact instead, if the pi-hole fails.

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Hi Philipp,

    with my (wrong) config I am not expecting any other contact than to the pihole. 

    I tried your solution - oddly it doesn't work. The UTM as secondary DNS is not resolving any names/URLs to clients when the pi-hole is down.

    Perhaps this should be the question:
    That is actually my question: how am I using DNS forwarders with a configured DHCP?

    I seem to be missing something...

    Thanks

    Matthias

  • Hello Matthias,

    give us a screenshot of your "DNS forwarders" settings (edit window of the UTM GUI)

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Hi Philipp,

    right here (pi-hole available):

    If I turn off the pi-hole:

    so the switching actually works...

    Do I need a special (Network-/Service-)Definition for this to work?

    When I use Support > Tools > DNS Lookup it works, even when the pi-hole is unavailable:

    "Trying "sophos.com"
    ;; Truncated, retrying in TCP mode.
    Trying "sophos.com"
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10466
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 40, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;sophos.com.			IN	ANY
    Received 2604 bytes from 127.0.0.1#53 in 0 ms"


    I am lost...
  • Hello Matthias,

    I believe you that your DNS is working ON THE UTM. But that's not the point of view of the clients: you offer your DHCP clients the IP address of the pi-hole only. They don't know about any other way to resolve DNS requests.

    So you have two ways to go: either you change that first DNS server address in your DHCP configuration to the IP of the Sophos UTM (I think this is 192.168.0.1) or you use my suggestion from above (second DNS entry ...).

    With the second method you need to remove the pi-hole from the DNS availability group, because this makes no sense then.

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.
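The point made in the reply above (the UTM's forwarder availability group only affects queries the UTM itself sends; a DHCP client only ever talks to the servers listed in its lease) can be checked with a small stub-resolver model. The following Python script is an added example, not code from this thread or from Sophos. It builds a DNS A query by hand, walks the DNS server list in the order a DHCP client would receive it, and moves to the next entry only when the current one does not answer at all, which is how typical stub resolvers behave. The IP addresses are the ones from the thread; the network is replaced by a constructed in-memory responder (`make_fake_exchange`, `build_response`) so the script runs offline. Replace the fake transport with `udp_exchange` to run the same check against a real LAN.

```python
import random
import socket
import struct

# Addresses from the thread: pi-hole first, UTM second (the order of the DHCP DNS list).
DNS_SERVERS = ["192.168.0.254", "192.168.0.1"]


def _skip_name(buf, off):
    """Return the offset just past a (possibly compressed) DNS name starting at `off`."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def build_query(name, qid):
    """Minimal DNS query: one A/IN question, RD bit set, no EDNS."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def parse_a_records(resp, qid):
    """Return the IPv4 addresses in the answer section, or [] if the reply is not usable."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    # Reject a wrong transaction ID, a packet without the QR bit, or a non-zero RCODE.
    if rid != qid or not flags & 0x8000 or flags & 0x000F:
        return []
    off = 12
    for _ in range(qd):                         # skip the echoed question(s)
        off = _skip_name(resp, off) + 4
    ips = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return ips


def udp_exchange(server, packet, timeout=2.0):
    """Real transport: send the query over UDP/53 and wait; None means the server timed out."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(packet, (server, 53))
            return s.recv(4096)
        except socket.timeout:
            return None


def resolve_with_fallback(name, servers=DNS_SERVERS, exchange=udp_exchange):
    """Behave like a typical stub resolver: try the DHCP-supplied servers in order and
    move to the next one only when the current one does not answer at all.
    Returns (server_that_answered, [ips]) or (None, []) if nobody answered."""
    qid = random.randrange(0, 0x10000)
    packet = build_query(name, qid)
    for server in servers:
        resp = exchange(server, packet)
        if resp is None:
            continue                            # timeout: fall back to the next entry
        return server, parse_a_records(resp, qid)
    return None, []


# --- constructed offline stand-in for the network (not a real DNS server) ---

def build_response(query, ips, ttl=60):
    """Fabricate a NOERROR answer that echoes the question and adds one A record per IP."""
    qid = struct.unpack("!H", query[:2])[0]
    question = query[12:_skip_name(query, 12) + 4]
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, len(ips), 0, 0)
    answers = b"".join(b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
                       for ip in ips)
    return header + question + answers


def make_fake_exchange(up):
    """Transport in which only servers listed in `up` (server -> answer IP) reply;
    every other server silently times out, like a pi-hole that is switched off."""
    def exchange(server, packet, timeout=2.0):
        return build_response(packet, [up[server]]) if server in up else None
    return exchange


if __name__ == "__main__":
    # Scenario: pi-hole (.254) is off, UTM (.1) is up. 203.0.113.10 is a documentation address.
    utm_only = make_fake_exchange({"192.168.0.1": "203.0.113.10"})
    # Original DHCP config: only the pi-hole is handed out, so there is nothing to fall back to.
    print(resolve_with_fallback("sophos.com", ["192.168.0.254"], utm_only))   # (None, [])
    # Suggested config: UTM as the second DHCP DNS entry, so the client falls back to it.
    print(resolve_with_fallback("sophos.com", DNS_SERVERS, utm_only))         # ('192.168.0.1', ['203.0.113.10'])
```

The second call is the behaviour the thread is after: the client itself does the failover, so the UTM's own forwarder list is only relevant for the queries that reach the UTM. Note that a stub resolver which receives an error reply (for example SERVFAIL) from the first server is not guaranteed to try the second one; the model above only falls through on a timeout, which is the case when the pi-hole is powered off.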
