This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

KISS (Stupid, Simple) DNS Configuration, DNS Issues, and Possible DNS Bug on UTM

I have a basic DNS setup for a home UTM configuration. The UTM is the only DNS server and also the DHCP server. All internal devices have DNS configured with the UTM LAN address as their DNS server. DHCP is also configured to provide the UTM's LAN address as the DNS server in the UTM DNS Forwarders tab, I have configured a list of four individual public DNS servers with low ping times. I have also tried the "Use forwarders assigned by ISP" setting. It works, in general, whether "use ISP forwarders" is enabled or disabled, but:

1. It fails sometimes. I think that the UTM may be accepting the first response it receives and ignoring anything else. The problem with that is if the first response is "not found" then any response from other public DNS servers (forwarders) with the correct IP address are ignored. Is that right?

2. The Support -> Tools -> DNS Lookup tool is using a deprecated query, which gets an error response from some DNS servers. Here is an example. I replaced the actual host and domain name with "host.example.com":

Trying "host.example.com"

( ... )

;; QUESTION SECTION:

;host.example.com. IN ANY

;; ANSWER SECTION:

host.example.com. 3789 IN HINFO "RFC8482" ""

... and the DNS lookup fails - no host IP address returned.

- - - -

That seems to be a bug in the UTM DNS Lookup tool - it should not be issuing DNS queries with "ANY". I wonder whether the UTM does that with its own forwarded DNS requests, too? 

-> What am I missing in my DNS configuration so that it works reliably? 



This thread was automatically locked due to age.
Parents
  • Hello ,
    Thank you for reaching out to the community, please find the best practices for DNS config on UTM 9: https://community.sophos.com/utm-firewall/f/recommended-reads/115526/sophos-utm-dns-best-practice

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Technical Support, Global Customer Experience

    Log a Support Case | Sophos Service Guide
    Best Practices – Support Case  | Security Advisories 
    Compare Sophos next-gen Firewall | Fortune Favors the prepared
    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

  • Hi Vivek and thank you for responding. Unfortunately, your response does not answer my questions.

    I looked at the DNS Best Practices thread before posting this thread here. To the best of my knowledge, my DNS configuration is a simpler version of what is being suggested there.

    In any event, it does not answer my questions:

    1. How does the UTM send DNS requests to the list of forwarders? All at once like most systems?

    2. How does the UTM handle returned responses from the forwarders? Does it accept the first response no matter what, even if it is "no response"? Will it reject a valid answer with an IP address if it has already received a "no response" from another forwarder?

    3. Why does the DNS Lookup tool in Support -> Tools use the deprecated "ANY" in its DNS queries, which is rejected with "RFC8482" responses by some DNS servers? Is it a bug?

    4. Does the UTM itself use "ANY" in its DNS queries? Could that be the cause of my DNS issues?

  • Hello ,

    1. How does the UTM send DNS requests to the list of forwarders? All at once like most systems?

    A DNS forwarder server will forward DNS queries for external DNS names to DNS servers outside of that network. It could be preferably one provided by your Internet provider or Global DNS server like 8.8.8.8.

    2. How does the UTM handle returned responses from the forwarders? Does it accept the first response no matter what, even if it is "no response"? Will it reject a valid answer with an IP address if it has already received a "no response" from another forwarder?

    >  It will be used as a "parent" cache. This will speed up DNS requests considerably. If you do not specify a forwarding name server, the root DNS servers will be queried for zone information first, taking a longer time to complete requests.

    3.)  Why does the DNS Lookup tool in Support -> Tools use the deprecated "ANY" in its DNS queries, which is rejected with "RFC8482" responses by some DNS servers? Is it a bug?

    > It is queried from the WAN zone

    4. Does the UTM itself use "ANY" in its DNS queries? Could that be the cause of my DNS issues?

    > Nope, this introduces a serious security risk and opens your appliance up to abuse from the Internet.

    ===============================================================================================

    Furthermore you can enable DNSSEC validation.
    Note: Not all DNS forwarders are DNSSEC capable. Enabling DNSSEC with such forwarders may result in broken DNS resolution.

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Technical Support, Global Customer Experience

    Log a Support Case | Sophos Service Guide
    Best Practices – Support Case  | Security Advisories 
    Compare Sophos next-gen Firewall | Fortune Favors the prepared
    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

Reply
  • Hello ,

    1. How does the UTM send DNS requests to the list of forwarders? All at once like most systems?

    A DNS forwarder server will forward DNS queries for external DNS names to DNS servers outside of that network. It could be preferably one provided by your Internet provider or Global DNS server like 8.8.8.8.

    2. How does the UTM handle returned responses from the forwarders? Does it accept the first response no matter what, even if it is "no response"? Will it reject a valid answer with an IP address if it has already received a "no response" from another forwarder?

    >  It will be used as a "parent" cache. This will speed up DNS requests considerably. If you do not specify a forwarding name server, the root DNS servers will be queried for zone information first, taking a longer time to complete requests.

    3.)  Why does the DNS Lookup tool in Support -> Tools use the deprecated "ANY" in its DNS queries, which is rejected with "RFC8482" responses by some DNS servers? Is it a bug?

    > It is queried from the WAN zone

    4. Does the UTM itself use "ANY" in its DNS queries? Could that be the cause of my DNS issues?

    > Nope, this introduces a serious security risk and opens your appliance up to abuse from the Internet.

    ===============================================================================================

    Furthermore you can enable DNSSEC validation.
    Note: Not all DNS forwarders are DNSSEC capable. Enabling DNSSEC with such forwarders may result in broken DNS resolution.

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Technical Support, Global Customer Experience

    Log a Support Case | Sophos Service Guide
    Best Practices – Support Case  | Security Advisories 
    Compare Sophos next-gen Firewall | Fortune Favors the prepared
    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

Children
No Data