
DNS queries for any .tk domain are blocked by IPS.

I need to allow DNS lookups for a particular .tk domain.

I read this old thread, but "Add an Exception for wiki.tcl.tk in 'Advanced Protection >> Advanced Threat Protection'" doesn't work. The DNS lookup traffic is still blocked.

I'm in the same situation as the OP of that thread. I have a Windows DNS server for the LAN which then does forward lookups on the UTM. Unfortunately, the only thing that I can get to work is to create an IPS exception that skips IPS on all DNS lookups but that seems way overkill:

EXCEPTION:
...
Skip IPS
Coming from internal Windows DNS server
Using DNS
Going to UTM
...

That thread is six years old so I'm assuming something has changed in the way ATP exceptions are handled or maybe that functionality is broken now.

Has anyone come up with a better way to allow DNS lookups of a particular .tk domain?



  • Thanks, but this won't work because the DNS lookup, from the internal DNS server, is still blocked by the Sophos IPS because the lookup is for the .tk TLD.

    --------------------------------------------------------------------
    Sophos UTM 9.719-3 - Home User
    Virtual machine on Dell Optiplex 3070
    i3-9100 @ 3.60 GHz, 16 GB RAM
    --------------------------------------------------------------------

  • What is the domain in question?

  • This should work:

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Thanks again, Philipp, but that does not work either. This is a tricky situation because Sophos IPS blocks the forward DNS lookup coming from the Windows DNS server, on the internal LAN, before your exception example would have any impact. Maybe I'm not explaining the situation clearly. This old thread may be easier to understand.


  • This is a real domain: www[.]dot[.]tk


  • I tried opening www.dot.tk; it resolved and opened just fine here.

  • I tried visiting www[.]dot[.]tk. It resolved and opened without any issues here.

    I'm using the UTM as the DNS server, which resolves local requests and forwards unknowns to 1.1.1.1.

  • I'm using utm as the dns server

    Thanks, Jay. Your setup is different from mine. The DNS queries from my Windows DNS server are being blocked by Sophos IPS. DNS queries for the .tk TLD are supposed to be blocked by Sophos IPS, by design. I'm just trying to come up with a way to "whitelist" a particular .tk domain rather than disabling all IPS for all DNS queries coming from my internal DNS server, which is the only thing that works so far. There still doesn't appear to be a way to do what I want. In that old thread, Bob had suggested adding an Advanced Threat exception, but that seems to have had zero impact on my system.


  • Yes, but your Windows DNS has to query from somewhere, and that would be through the UTM, so the exception for .tk that jp put above should work. You could also modify that IPS exception with the second part in his screenshot, the pulldown menu that shows "going to these destinations", and modify the "coming from these networks" part, then include your LAN and/or External connections.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • Forgive me if I'm just not understanding the suggestions each of you has made. I'm sorry but I don't know how to better explain this. The traffic (DNS query) TO the UTM is being blocked before we even need to be concerned about the suggested exceptions that allow traffic THROUGH the UTM.

    The exception I listed (text) in my OP works. Here is a screen cap of it:

    The problem with the exception above is that it exempts ALL DNS queries (coming from my internal DNS server) from IPS protection.

    Neither of the two exceptions below works because traffic is blocked by IPS BEFORE either one would "kick in":

    ------------------------------------------------------------------------------------------------

    As you can see, I do have a DNS host definition for www[.]dot[.]tk.

    As a reminder, if any of you are actually testing these exceptions on your own network, don't forget to clear the IP address from the DNS host definition, clear the DNS query cache on the local/internal DNS server, PC and Sophos UTM else you may think an exception works when it really doesn't.

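The reminder above about caches is the part of this thread that is easiest to get wrong while testing: a cached answer on the Windows DNS server or the client makes an exception look like it works when the UTM is still dropping the query. The following added example (not from the original thread, and not Sophos code) sends one raw A query straight to the UTM's DNS forwarder and classifies the outcome, so the Windows DNS server and client caches are taken out of the picture. The UTM's own resolver cache is not bypassed, so it still has to be flushed as the poster describes. The UTM address 192.0.2.1 is an assumption; www.dot.tk is the domain from the thread. Run it on the Windows DNS server host if the IPS exception is scoped to "coming from" that server, since the source host is what the exception matches.

```python
import random
import socket
import struct
from typing import Optional

# Constructed example values; replace with your own forwarder and domain.
UTM_DNS = "192.0.2.1"   # assumed address of the UTM acting as DNS forwarder
TARGET = "www.dot.tk"   # the .tk name discussed in the thread


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS wire-format labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, txid: Optional[int] = None, qtype: int = 1):
    """Build a recursion-desired query for `name`. Returns (txid, packet)."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    # flags 0x0100: standard query, RD=1 so the forwarder resolves upstream
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return txid, header + encode_name(name) + struct.pack("!HH", qtype, 1)


def skip_name(data: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name at `off`."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer occupies two bytes
            return off + 2
        off += 1 + length


def parse_response(txid: int, data: bytes) -> dict:
    """Extract the rcode and any A-record answers from a DNS response."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4          # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        off = skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:           # A record
            answers.append(".".join(str(b) for b in data[off:off + 4]))
        off += rdlen
    return {"rcode": flags & 0x000F, "answers": answers}


def classify(result: Optional[dict]) -> str:
    """Map a probe outcome to what it means in the thread's setup."""
    if result is None:
        return "no response (consistent with an IPS drop of the query)"
    if result["rcode"] == 3:
        return "NXDOMAIN (the query reached a resolver; the name does not exist)"
    if result["rcode"] == 0 and result["answers"]:
        return "resolved: " + ", ".join(result["answers"])
    return "answered with rcode %d and no A records" % result["rcode"]


def probe(server: str, name: str, timeout: float = 3.0) -> Optional[dict]:
    """Send one query directly to server:53; return None if nothing comes back."""
    txid, packet = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_response(txid, data)


if __name__ == "__main__":
    print(classify(probe(UTM_DNS, TARGET)))
```

A silent timeout is the signature to look for: an IPS drop produces no reply at all, whereas a query that reaches the forwarder comes back with an answer or with NXDOMAIN. Compare the result from the Windows DNS server host with the result from a plain LAN client to see whether an exception's "coming from" scope is what makes the difference.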