
DNS queries for any .tk domain are blocked by IPS.

I need to allow DNS lookups for a particular .tk domain.

I read this old thread but "Add an Exception for wiki.tcl.tk in 'Advanced Protection >> Advanced Threat Protection" doesn't work. The DNS lookup traffic is still blocked.

I'm in the same situation as the OP of that thread. I have a Windows DNS server for the LAN which then does forward lookups on the UTM. Unfortunately, the only thing that I can get to work is to create an IPS exception that skips IPS on all DNS lookups but that seems way overkill:

EXCEPTION:

...

Skip IPS

Coming from internal Windows DNS server

Using DNS

Going to UTM

...

That thread is six years old so I'm assuming something has changed in the way ATP exceptions are handled or maybe that functionality is broken now.

Has anyone come up with a better way to allow DNS lookups of a particular .tk domain?
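The narrow exception the question asks for, expressed as a forwarder-side policy check rather than a blanket "skip IPS on all DNS" rule: block queries for the .tk TLD by default, allow one specific name (www.dot.tk, the domain named later in the thread) and its subdomains. This is an added example, not Sophos UTM code or a UTM feature; the packet builder and the allowlist are constructed for illustration.

```python
import struct

BLOCKED_TLDS = {"tk"}                 # TLDs the policy blocks by default
ALLOWED_NAMES = {"www.dot.tk"}        # exact FQDNs (and their subdomains) to let through


def build_query(name: str) -> bytes:
    """Build a minimal DNS A query for `name` (constructed sample input, ID 0x1234)."""
    header = struct.pack(">HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_qname(packet: bytes) -> str:
    """Return the first question name from a raw DNS message, lower-cased."""
    pos, labels = 12, []                  # 12-byte fixed header precedes the question
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:                 # pointers are not legal in a question name
            raise ValueError("compression pointer in question section")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels).lower()


def decision(qname: str) -> str:
    """'allow' or 'block' for a query name, matching on label boundaries only."""
    qname = qname.rstrip(".").lower()
    if qname.split(".")[-1] not in BLOCKED_TLDS:
        return "allow"                    # not a blocked TLD, policy does not apply
    for allowed in ALLOWED_NAMES:
        # exact match or a proper subdomain; "notwww.dot.tk" must not match "www.dot.tk"
        if qname == allowed or qname.endswith("." + allowed):
            return "allow"
    return "block"


def check_packet(packet: bytes) -> str:
    """Full path: raw query bytes in, policy decision out."""
    return decision(parse_qname(packet))


if __name__ == "__main__":
    for name in ("www.dot.tk", "WWW.DOT.TK.", "notwww.dot.tk", "other.tk", "example.com"):
        print(f"{name:16} -> {check_packet(build_query(name))}")
```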



  • Hello Jeff,

    If this is only one domain name, why not just add this domain to your internal DNS server?

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Thanks for the suggestion but the IP address of that domain changes.

    --------------------------------------------------------------------
    Sophos UTM 9.719-3 - Home User
    Virtual machine on Dell Optiplex 3070
    i3-9100 @ 3.60 GHz, 16 GB RAM
    --------------------------------------------------------------------


  • If it's just a single domain, create a DNS host.

    It will then resolve that object periodically, catching any changes.

  • Thanks but this won't work because the DNS lookup, from the internal DNS server, is still blocked by the Sophos IPS because the lookup is for the .tk TLD.


  • What is the domain in question?

  • This should work:


  • Thanks again Philipp but that does not work either. This is a tricky situation because Sophos IPS blocks the forward DNS lookup coming from the Windows DNS server, on the internal LAN, before your exception example would have any impact. Maybe I'm not explaining the situation clearly. This old thread may be easier to understand.


  • This is a real domain: www[.]dot[.]tk


  • I tried opening www.dot.tk, resolved and opened just fine here.

  • I tried visiting www[.]dot[.]tk. It resolved and opened without any issues here.

    I'm using the UTM as the DNS server, which resolves local requests and forwards unknowns to 1.1.1.1.

  • I'm using utm as the dns server

    Thanks Jay. Your setup is different than mine. The DNS queries from my Windows DNS server are being blocked by Sophos IPS. DNS queries for the .tk TLD are supposed to be blocked by Sophos IPS, by design. I'm just trying to come up with a way to "whitelist" a particular .tk domain rather than disabling all IPS for all DNS queries coming from my internal DNS server, which is the only thing that works so far. There still doesn't appear to be a way to do what I want. In that old thread, Bob had suggested adding an Advanced Threat exception, but that seems to have had zero impact on my system.


  • Yes, but your Windows DNS has to query from somewhere - and that would be through the UTM, so the exception for .tk that jp put above should work. You could also modify that IPS exception with the second part in his screenshot, the pulldown menu that shows "going to these destinations": change it to "coming from these networks", then include your LAN and/or External connections.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)