This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Mysterious root DNS zone queries (. IN NS) generated by UTM 9 ?

I am using OpenDNS and notice that the #1 domain queried is "."

Seems odd to me because root hints are pretty much static entries, why keep sending queries for the root?

I configured my UTM 9 to forward all queries to a local BIND9 server and am logging queries, here is what I see:

20-Sep-2016 11:00:24.731 client UTM9#43333 (.): query: . IN NS +ED (InternalDNSServer)
20-Sep-2016 11:00:26.477 client UTM9#15247 (.): query: . IN NS +ED (InternalDNSServer)
20-Sep-2016 11:00:34.626 client UTM9#59661 (.): query: . IN NS +ED (InternalDNSServer)
20-Sep-2016 11:00:38.745 client UTM9#19793 (.): query: . IN NS +ED (InternalDNSServer)
20-Sep-2016 11:00:39.729 client UTM9#45739 (.): query: . IN NS +ED (InternalDNSServer)
20-Sep-2016 11:00:40.095 client UTM9#60302 (.): query: . IN NS +ED (InternalDNSServer)
20-Sep-2016 11:00:41.294 client UTM9#43772 (.): query: . IN NS +ED (InternalDNSServer)
20-Sep-2016 11:00:56.116 client UTM9#45008 (.): query: . IN NS +ED (InternalDNSServer)
20-Sep-2016 11:01:04.791 client UTM9#18697 (.): query: . IN NS +ED (InternalDNSServer)
20-Sep-2016 11:01:10.473 client UTM9#60193 (.): query: . IN NS +ED (InternalDNSServer)
20-Sep-2016 11:01:18.055 client UTM9#4462 (.): query: . IN NS +ED (InternalDNSServer)
20-Sep-2016 11:01:21.303 client UTM9#34108 (.): query: . IN NS +ED (InternalDNSServer)
20-Sep-2016 11:01:32.644 client UTM9#19358 (.): query: . IN NS +ED (InternalDNSServer)
20-Sep-2016 11:01:40.533 client UTM9#39901 (.): query: . IN NS +ED (InternalDNSServer)
20-Sep-2016 11:01:41.865 client UTM9#11865 (.): query: . IN NS +ED (InternalDNSServer)

These just go on forever. Any ideas?

The UTM9 DNS service is configured to forward queries only. All of my local devices are using the internal DNS server, so there shouldn't be any queries sent to the UTM9.



This thread was automatically locked due to age.
Parents
  • CarlMankinen said:
    I configured my UTM 9 to forward all queries to a local BIND9 server and am logging queries, ....

    The UTM9 DNS service is configured to forward queries only. All of my local devices are using the internal DNS server, so there shouldn't be any queries sent to the UTM9...

    If you look at bind configuration /var/chroot-bind/etc/named.conf on UTM, you will notice the line

    forward first;


    With the default configuration, the UTM WILL SEND QUERIES to root servers after querying the forwarder first. This behavior was changed in v8 sometime and I even tried to tell the developers of the unintended consequences https://community.sophos.com/products/unified-threat-management/astaroorg/f/112/p/71270/276107#276107 

    This is why UTM is sending queries to root servers even though you are using forwarders, plus UTM will do certain lookups when downloading pattern updates or url categorization so the query doesn't have to come from a client every time.

    P.S changing the forward first line to forward only is a losing battle. UTM will change it back with pattern updates etc. I stopped trying to be a responsible admin and gave up on trying to stop UTM from contacting root servers.

Reply
  • CarlMankinen said:
    I configured my UTM 9 to forward all queries to a local BIND9 server and am logging queries, ....

    The UTM9 DNS service is configured to forward queries only. All of my local devices are using the internal DNS server, so there shouldn't be any queries sent to the UTM9...

    If you look at bind configuration /var/chroot-bind/etc/named.conf on UTM, you will notice the line

    forward first;


    With the default configuration, the UTM WILL SEND QUERIES to root servers after querying the forwarder first. This behavior was changed in v8 sometime and I even tried to tell the developers of the unintended consequences https://community.sophos.com/products/unified-threat-management/astaroorg/f/112/p/71270/276107#276107 

    This is why UTM is sending queries to root servers even though you are using forwarders, plus UTM will do certain lookups when downloading pattern updates or url categorization so the query doesn't have to come from a client every time.

    P.S changing the forward first line to forward only is a losing battle. UTM will change it back with pattern updates etc. I stopped trying to be a responsible admin and gave up on trying to stop UTM from contacting root servers.

Children
  • Interesting, I am looking at the named.conf and sure enough it has forward-first and recursion yes.

    I thought maybe I could trick it by added a "." zone and setting it to forward. Bind barfed on the configuration and DNS stopped working until I removed the "." conditional forwarding zone.

    zone "." IN {

    type forward;

    forward only;

    forwarders {

    10.1.1.10;

    };

    check-names ignore;

    };

    I was somewhat surprised the UTM allowed me to create the "." zone which conflicted with the root hint zone definition.

    I added these lines to /etc/init.d/beeps:

    sed -i -- 's/recursion yes/recursion no/g' /var/sec/chroot-bind/etc/named.conf
    sed -i -- 's/forward first/forward only/g' /var/sec/chroot-bind/etc/named.conf

  • Yes, thats why I fell in love with astaro/UTM in the first place, proprietary webadmin interface with open linux system underneath that they intentionally left open for you to tinker with [:O][:D] The beeps init is called when utm is started/restarted to make the beeping sound after all the other daemons have already been started. i usually add everything I want to call at startup in that script instead of other init scripts to keep all my changes in one place. Plus they usually don't update that script regularly so your changes will generally be safe.

     By adding the above lines to /etc/init.d/beeps, the configuration would be regenerated after a reboot (atleast it used to when I was changing things manually). However if you manually restart the daemon by flushing the dns cache etc, the conf file maybe regenerated. Restarting/ reloading bind will probably revert your configuration changes and to fix that you will have to do some editing of the startup script itself

    edit /var/mdw/scripts/named

    Since you seem to be comfortable with command line tinkering, I will let you experiment with the scripts yourself. Keep in mind though that if you have any support contract, it maybe void by making any changes. And any such changes may not survive a firmware update.

    Good luck[:D]

    P.S. You can also tinker with /var/sec/chroot-bind/etc/named.conf-default but as you probably noticed by the standard disclaimer on top #  AUTOMATICALLY GENERATED, USELESS EDITING, the bind conf files are not static and the configuration is generated automatically by the conf daemon [:'(]

  • Yeah, I searched for something that others were using to place these sort of hacks to have them persist as long as possible.

    Seems the beeps script was a good/common choice.

    Thanks for the response! And yeah, this isn't my first rodeo... I also love the UTM9! I tried the XG, but really had a hard time getting the functionality I have presently with the UTM9 version. I tried Astaro a very long time ago and decided to stay with my PIX/ASA firewalls, but the Astaro/Sophos UTM has improved massively! Pixies are gathering dust...

    They really need to fix this DNS behavior though. Because I have internal DNS servers that are performing various levels of security on DNS queries, anything that UTM9 sees with a NXDOMAIN, it switches to recursion and when GUI appears to show a "forward only" configuration. WTF!