
DNS queries for any .tk domain are blocked by IPS.

I need to allow DNS lookups for a particular .tk domain.

I read this old thread but "Add an Exception for wiki.tcl.tk in 'Advanced Protection >> Advanced Threat Protection" doesn't work. The DNS lookup traffic is still blocked.

I'm in the same situation as the OP of that thread. I have a Windows DNS server for the LAN which then does forward lookups on the UTM. Unfortunately, the only thing that I can get to work is to create an IPS exception that skips IPS on all DNS lookups but that seems way overkill:

EXCEPTION:

...

Skip IPS

Coming from internal Windows DNS server

Using DNS

Going to UTM

...

That thread is six years old so I'm assuming something has changed in the way ATP exceptions are handled or maybe that functionality is broken now.

Has anyone come up with a better way to allow DNS lookups of a particular .tk domain?



  • Strange, resolves fine here.  Could it be an isp limitation not allowing yours to resolve?

    Same for the second one

  • Just thought I'd post the latest workaround that I came up with.

    I ran the following command on the Windows server that needs name resolution for the [.]tk domain:

    Add-DnsClientNrptRule -Namespace "www[.]dot[.]tk" -NameServers "9.9.9.9"

    For reference: https://docs.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=win10-ps

    What this does is tells the Windows server to use the 9.9.9.9 public DNS server for that particular [.]tk domain and only for that domain.

    Then I created the following IPS exclusion in Sophos UTM:

    This IPS exception is still necessary to allow the lookup.

    This is as granular a solution as I could come up with. The UTM still blocks all other traffic, including DNS lookups, for [.]tk domains. It only lets through the DNS lookup from that particular server, going to 9.9.9.9.

    --------------------------------------------------------------------
    Sophos UTM 9.719-3 - Home User
    Virtual machine on Dell Optiplex 3070
    i3-9100 @ 3.60 GHz, 16 GB RAM
    --------------------------------------------------------------------
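    The NRPT workaround above, written out as an added PowerShell example (not code from the original post or from Sophos): it creates the rule only once, verifies what the client actually applies, tests a lookup through the normal resolver path and directly against Quad9, checks that a different .tk name still fails, and shows the rollback. The namespace "www.dot.tk", the resolver 9.9.9.9 and the control name "example.tk" are taken from or assumed for this thread; the UTM IPS exception from the post is still assumed to be in place. Note that NRPT is a DNS *client* policy: it affects lookups made by applications on the server where the rule is added, not the forwarding done by the Windows DNS Server service on behalf of LAN clients.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# on the Windows server that needs to resolve the .tk name.
# Assumptions: 'www.dot.tk' is the domain from the thread, 9.9.9.9 (Quad9)
# is reachable once the UTM IPS exception exists, 'example.tk' is a control name.

$Namespace = 'www.dot.tk'   # exact FQDN; a leading dot ('.dot.tk') would match the whole suffix instead
$Resolver  = '9.9.9.9'

# Create the rule only if one for this namespace does not already exist
# (re-running Add-DnsClientNrptRule would otherwise add duplicate rules).
$existing = Get-DnsClientNrptRule | Where-Object { $_.Namespace -eq $Namespace }
if (-not $existing) {
    Add-DnsClientNrptRule -Namespace $Namespace -NameServers $Resolver `
        -Comment 'Send this one .tk name to Quad9; every other .tk lookup still goes to the UTM'
}

# Verify the stored rule.
Get-DnsClientNrptRule | Where-Object { $_.Namespace -eq $Namespace } |
    Select-Object Namespace, NameServers, Comment

# Verify the effective policy (this view also includes rules pushed by Group Policy).
Get-DnsClientNrptPolicy | Where-Object { $_.Namespace -eq $Namespace }

# Lookup through the normal client path (NRPT applies) and directly against Quad9 for comparison.
Resolve-DnsName -Name $Namespace -Type A -ErrorAction Stop
Resolve-DnsName -Name $Namespace -Type A -Server $Resolver -ErrorAction Stop

# Control check: a different .tk name should still fail, because it is not covered by
# the NRPT rule and therefore goes to the UTM, where IPS blocks it.
try {
    Resolve-DnsName -Name 'example.tk' -Type A -ErrorAction Stop
    Write-Warning 'example.tk resolved: the NRPT rule or the IPS exception is broader than intended'
} catch {
    Write-Host 'example.tk did not resolve (expected: still blocked by the UTM IPS rule)'
}

# Rollback when the rule is no longer needed:
# Get-DnsClientNrptRule | Where-Object { $_.Namespace -eq $Namespace } | Remove-DnsClientNrptRule -Force
```

    The control lookup is the part worth keeping: if "example.tk" starts resolving, either the rule was created with a suffix-style namespace or the IPS exception on the UTM is wider than a single source host to a single destination on UDP/TCP 53.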

  • Thank you for posting this.  In case anyone isn't familiar, Quad9 is a Swiss-based host like 1.1.1.1 and Google DNS, it's just another avenue.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • Jeff, glad you got it solved.

    So the short of it is, you need to do this nonsense because utm won't directly allow an exception to the domain in question?

  • Exactly.

    Unless I'm missing something, the only options available, from a Sophos UTM point of view, are that I either add an IPS exception that bypasses IPS for all DNS queries coming from my Windows DNS server or I disable the Snort rule (which I did not try) which detects all [.]tk related traffic.

    --------------------------------------------------------------------
    Sophos UTM 9.719-3 - Home User
    Virtual machine on Dell Optiplex 3070
    i3-9100 @ 3.60 GHz, 16 GB RAM
    --------------------------------------------------------------------