DNS queries for any .tk domain are blocked by IPS.

Hello Jeff,

if this is only one domainname, why not just add this domain to your internal DNS server?

Thanks for the suggestion but the IP address of that domain changes.

If it's just a single domain, create a DNS host.

It will then resolve that object periodically, catching any changes.

If it's just a single domain, create a DNS host.

It will then resolve that object periodically, catching any changes.

Thanks but this won't work because the DNS lookup, from the internal DNS server, is still blocked by the Sophos IPS because the lookup is for the .tk TLD.

What is the domain in question?

This should work:

Thanks again Philipp but that does not work either. This is a tricky situation because Sophos IPS blocks the forward DNS lookup coming from the Windows DNS server, on the internal LAN, before your exception example would have any impact. Maybe I'm not explaining the situation clearly. This old thread may be easier to understand.

This is a real domain: www[.]dot[.]tk

I tried opening www.dot.tk, resolved and opened just fine here.

I tried visiting www[.]dot[.]tk. It resolved and opened without any issues here.

I'm using utm as the dns server which resolves local requests and forwards unknowns to 1.1.1.1.

Jay Jay said:

I'm using utm as the dns server

Thanks Jay. Your setup is different than mine. The DNS queries from my Windows DNS server are being blocked by Sophos  IPS. DNS queries for .tk TLD are supposed to be blocked by Sophos IPS, by design. I'm just trying to come up with a way to "whitelist" a particular .tk domain rather than disabling all IPS for all DNS queries coming from my internal DNS server which is the only thing that works, so far. There still doesn't appear to be a way to do what I want. In that old thread, Bob had suggested adding an Advanced Threat exception but that seems to have had zero impact on my system.

Yes, but your Windows DNS has to query from somewhere - and that would be through the UTM, so an exception for the .tk should work that jp put above.  You could also modify that IPS exception with that second part in his screenshot, the pulldown menu that shows "going to these destinations" and modify that "coming from these networks", then including your LAN and/or External connections.

Forgive me if I'm just not understanding the suggestions each of you has made. I'm sorry but I don't know how to better explain this. The traffic (DNS query) TO the UTM is being blocked before we even need to be concerned about the suggested exceptions that allow traffic THROUGH the UTM.

The exception I listed (text) in my OP works. Here is a screen cap of it:

The problem with the exception above is that it exempts ALL DNS queries (coming from my internal DNS server) from IPS protection.

Neither of the two exceptions below work because traffic is blocked by IPS BEFORE either one would "kick in":

------------------------------------------------------------------------------------------------

As you can see, I do have a DNS host definition for www[.]dot[.]tk.

As a reminder, if any of you are actually testing these exceptions on your own network, don't forget to clear the IP address from the DNS host definition, clear the DNS query cache on the local/internal DNS server, PC and Sophos UTM else you may think an exception works when it really doesn't.