DNS not forwarding

Hi all,

I am teaching myself to work with a Sophos and have a UTM 220 at home at the moment. I re-imaged it and configured it.

The WAN and LAN are working fine, but when I hit the internet on the laptop I cannot find the DNS. I manually have to add the DNS servers (8.8.8.8 and 8.8.4.4) in the IPv4 configuration.

So I followed the settings in Best practice, but when I delete the DNS setting on the laptop I cannot reach the internet anymore.

Not sure what the next step is.

The modem/router settings are okay.

With kind regards,

Denny

  • Hi Denny,

    In the UTM go to Support > Tools > DNS Lookup and enter something in there, e.g. google.com.

    That will tell us if you actually have DNS resolving on the UTM.

    If you get a reply and it can resolve the above, the next step is to see where you are getting your DHCP lease from and whether it is setting the UTM or another address for DNS servers on your client. You can do this by running an ipconfig /all and seeing what the DNS servers are set to.

    If they are pointing to the UTM, you must add your subnet that the clients are on to the UTM DNS proxy under Network services > DNS > allowed networks.

    If you have them set to Google's DNS servers or others, you will need to allow DNS through the firewall.

    Please post a little more of your info up here so we know.

  • Hi Louis,

    First of all, thanks for your reply!

    I will follow your steps this evening, but I will tell you a little more detail about my network.

    First of all I have my modem/router with the IP 192.168.2.254 (with DHCP on).

    Then comes the Sophos UTM 220 (the WAN has the IP 192.168.2.20 (from DHCP) and the gateway is the IP of the modem/router).

    The Sophos internal port has the IP 192.168.0.1 /4.

    The laptop has the IP 192.168.0.10 /24 (gateway 192.168.0.1); the laptop is wired to the internal Sophos port.

    Edit:

    So I turned on the UTM 220 and went to Support > Tools > DNS, typed in google.com and that worked.

    On the client I did not fill in any DNS in the IPv4 configuration, so when I do ipconfig /all there is no DNS server information.

    I looked everything up on my router; I added 8.8.8.8 as primary DNS, but nothing changed.

    Any chance it's because of the DHCP?

    Edit 2:

    It does work when I activate DHCP on the UTM 220.

    Now I am wondering why it does not work without DHCP?

  • OK...

    Firstly, you would not be able to resolve anything on your client if there are no DNS servers specified. You mentioned that you did this statically, i.e. you put an IP address, subnet and gateway into your client manually but did not enter any DNS server details. In the above instance, you would probably find that you can ping 8.8.8.8 but not google.com, as the client could not resolve it.

    When you activate DHCP on the UTM, you will find that it will give you those DNS server details etc. You can verify this by doing an ipconfig /all on your client and you will see the DNS servers listed that the UTM has supplied. I would leave it at that so that all your clients are dynamic and get the correct details, DNS etc. from the UTM.

    If you do set your client manually, i.e. with a static IP/subnet & gateway, you will have to specify your DNS servers, e.g. for Google's they are 8.8.8.8 & 8.8.4.4.

    However, you will have to ensure that there is a firewall rule on the UTM that allows local subnet > DNS > Internet (or 8.8.8.8 & 8.8.4.4 in the above example).

    You can check if DNS is being blocked on the UTM by going to the firewall and clicking on "live log" and looking for port udp/53, e.g. 8.8.8.8:53. If it's being blocked, it will show in red and will come under the default drop rule.
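
A small client-side check of the outcomes Louis describes (no resolver configured, udp/53 dropped by the firewall, the resolver refusing the client's subnet), added here as an example rather than anything from the thread or from Sophos. It builds a raw A query over UDP with the Python standard library only, and assumes that a resolver which does not serve the client's subnet answers REFUSED (rcode 5) rather than silently dropping the query.

```python
import socket
import struct

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a recursive A query for `name` in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(data: bytes, pos: int) -> int:
    """Advance past a (possibly compressed) domain name; return the new offset."""
    while data[pos] != 0:
        if data[pos] & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return pos + 2
        pos += data[pos] + 1
    return pos + 1

def parse_reply(data: bytes, txid: int = 0x1234) -> dict:
    """Return the rcode and any A-record addresses carried in a raw DNS reply."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (stale or spoofed reply)")
    pos = 12
    for _ in range(qd):  # skip the echoed question (name + QTYPE + QCLASS)
        pos = _skip_name(data, pos) + 4
    addrs = []
    for _ in range(an):
        pos = _skip_name(data, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:  # A record
            addrs.append(".".join(str(b) for b in data[pos:pos + 4]))
        pos += rdlen
    return {"rcode": flags & 0x000F, "addresses": addrs}

def probe(server: str, name: str = "google.com", timeout: float = 2.0) -> str:
    """Classify what a client sees when it asks `server` for `name` over udp/53."""
    if not server:
        return "no DNS server configured: 8.8.8.8 pings but google.com never resolves"
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name), (server, 53))
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return "timeout: udp/53 to %s is dropped (check the firewall live log)" % server
    result = parse_reply(data)
    if result["rcode"] == 5:  # REFUSED; assumed to mean the client subnet is not allowed
        return "REFUSED by %s: client subnet likely missing from DNS allowed networks" % server
    return "ok: %s -> %s" % (name, result["addresses"])
```

From the laptop in this thread, `probe("192.168.0.1")` exercises the UTM's DNS proxy and `probe("8.8.8.8")` exercises the firewall rule for DNS to the internet; a timeout on the second call is what the red udp/53 entry in the live log looks like from the client side.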

  • Louis,

    Thanks again for your extensive explanation.

    In my experience, I thought you don't have to give the client a DNS server manually when I set up the forwarders and the allowed network.

    I have learned a new thing now, thanks a lot for the help.

    My next step is to add my Synology NAS to the internal network and try to connect to it from outside the whole home network.

  • Glad to help. Your next task isn't too hard. Have a little read on NAT (specifically DNAT in this case) and firewall rules, although the UTM can do them automatically for you. If you need any help, just open a separate thread (with a descriptive title), as it helps others who may have the same issue when searching.

  • Glad Louis got you taken care of, Denny. Instead of the unmaintained KnowledgeBase article that was copied 2+ years ago, I recommend the Community post that I maintain, DNS best practice.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA