
DNS queries for any .tk domain are blocked by IPS.

I need to allow DNS lookups for a particular .tk domain.

I read this old thread but "Add an Exception for wiki.tcl.tk in 'Advanced Protection >> Advanced Threat Protection" doesn't work. The DNS lookup traffic is still blocked.

I'm in the same situation as the OP of that thread. I have a Windows DNS server for the LAN which then does forward lookups on the UTM. Unfortunately, the only thing that I can get to work is to create an IPS exception that skips IPS on all DNS lookups but that seems way overkill:

EXCEPTION:

...

Skip IPS

Coming from internal Windows DNS server

Using DNS

Going to UTM

...

That thread is six years old so I'm assuming something has changed in the way ATP exceptions are handled or maybe that functionality is broken now.

Has anyone come up with a better way to allow DNS lookups of a particular .tk domain?



  • Just thought I'd post the latest workaround that I came up with.

    I ran the following command on the Windows server that needs name resolution for the [.]tk domain:

    Add-DnsClientNrptRule -Namespace "www[.]dot[.]tk" -NameServers "9.9.9.9"

    For reference: https://docs.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=win10-ps

    What this does is tell the Windows server to use the 9.9.9.9 public DNS server for that particular [.]tk domain and only for that domain.

    Then I created the following IPS exclusion in Sophos UTM:

    This IPS exception is still necessary to allow the lookup.

    This is as granular a solution as I could come up with. The UTM still blocks all other traffic, including DNS lookups, for [.]tk domains. It only lets through the DNS lookup from that particular server, going to 9.9.9.9.

    --------------------------------------------------------------------
    Sophos UTM 9.719-3 - Home User
    Virtual machine on Dell Optiplex 3070
    i3-9100 @ 3.60 GHz, 16 GB RAM
    --------------------------------------------------------------------
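    The NRPT part of the workaround above, as an added example (not code from the original post): it creates the rule, checks that it is scoped to exactly one namespace, and then resolves the target name and an unrelated [.]tk name so you can see that only the target is routed to 9.9.9.9. The FQDNs "target-host.tk" and "unrelated-host.tk" are placeholders; 9.9.9.9 is the resolver named in the thread.

```powershell
# Added example, not from the original post. Assumes placeholder names
# "target-host.tk" / "unrelated-host.tk" and 9.9.9.9 as the upstream resolver.
# Run in an elevated PowerShell session on the Windows server that needs the lookup.

$Namespace  = "target-host.tk"   # exact name; a leading "." would match every name under .tk
$NameServer = "9.9.9.9"

# 1. Create the NRPT rule: only queries for $Namespace go to 9.9.9.9; everything
#    else keeps using the server's normal resolver path (the UTM forwarder).
Add-DnsClientNrptRule -Namespace $Namespace -NameServers $NameServer `
    -Comment "Single .tk name routed to a public resolver"

# 2. Show the rule and confirm it is scoped to exactly one namespace.
$rules = @(Get-DnsClientNrptRule | Where-Object { $_.Namespace -eq $Namespace })
if ($rules.Count -ne 1) {
    throw "Expected exactly one NRPT rule for $Namespace, found $($rules.Count)"
}
$rules | Format-List Name, Namespace, NameServers, Comment

# 3. Verify behaviour: the target name should get an answer via 9.9.9.9, while an
#    unrelated .tk name still goes through the normal path and is blocked by the UTM.
foreach ($name in @($Namespace, "unrelated-host.tk")) {
    try {
        $answer = Resolve-DnsName -Name $name -Type A -DnsOnly -ErrorAction Stop
        $ips = ($answer | Where-Object Type -eq 'A').IPAddress -join ', '
        "{0,-24} -> {1}" -f $name, $ips
    } catch {
        "{0,-24} -> no answer ({1})" -f $name, $_.Exception.Message
    }
}

# 4. Cleanup when the rule is no longer needed (removes only this rule).
# Get-DnsClientNrptRule | Where-Object Namespace -eq $Namespace | Remove-DnsClientNrptRule -Force
```

    The IPS exception on the UTM that allows this server to reach 9.9.9.9 on UDP/TCP 53 is still required, as the post notes; the NRPT rule only changes which resolver the Windows DNS client asks for that one name.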

  • Jeff, glad you got it solved.

    So the short of it is, you need to do this nonsense because utm won't directly allow an exception to the domain in question?

  • Exactly.

    Unless I'm missing something, the only options available, from a Sophos UTM point of view, are that I either add an IPS exception that bypasses IPS for all DNS queries coming from my Windows DNS server or I disable the Snort rule (which I did not try) which detects all [.]tk related traffic.

    --------------------------------------------------------------------
    Sophos UTM 9.719-3 - Home User
    Virtual machine on Dell Optiplex 3070
    i3-9100 @ 3.60 GHz, 16 GB RAM
    --------------------------------------------------------------------
