Sophos SG135 running UTM9.4
If I do an nslookup of dot.tk using 8.8.8.8 as the server from inside my LAN I get timeouts. From another workstation that is connected directly to the ISP it works fine. All other DNS lookups from inside the LAN work fine; it is only .tk domains that time out.
Using Wireshark I can see the request go out of my workstation, but no response ever comes back. When looking up other domains I do see the responses coming back. To be sure, I have tried turning off the workstation's firewall, but it made no difference.
So the only apparent difference between the working workstation and the timing out workstation is the UTM9 firewall.
On the UTM9 I have allowed port 53 from LAN to WAN (and it appears to be working because DNS lookups to all non-.tk domains work fine). I have country blocking turned off, although that shouldn't matter since the interaction is purely between me and Google's 8.8.8.8 DNS server. I tried allowing all traffic from the LAN out to the WAN just to be sure, but it made no difference.
I have looked at the firewall logs but I can't see any blocked packets from 8.8.8.8 or anything port 53 related.
There appears to be a DNS proxy running on the UTM9, although under Network Services->DNS I have tried both with Allowed Networks empty and with "Internal Networks" added, and with the request routing rules turned on and turned off... none of that makes any difference in the behavior. In the DNS proxy log I don't see anything at all related to my dot.tk queries.
So, questions:
1. Has anybody seen this, or has any idea what might be blocking the requests?
2. How can I debug this? Is there any way to have the logs show me specific UDP packets so I can verify the request is making it out and that a response is in fact being received? It's a Sophos SG135 and I have to this point done everything using WebAdmin, and have not tried to log in directly to a shell on the device.
Thanks for any help that anyone can offer. If there are any logs or settings that I can post that would help, please let me know. I should note that folks want to access wiki.tcl.tk, which I think is a legitimate use, and if they use the IP address directly they can access the pages just fine; it is only the DNS lookup that is broken.
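One way to do the check asked for in question 2 from the workstation side, added here as an example and not part of the original thread: a stdlib-only Python probe that sends a raw UDP DNS query straight to 8.8.8.8, bypassing the OS stub resolver and the UTM's DNS proxy, and reports per domain whether a reply came back, was rejected, or timed out. The resolver and the .tk names are those from the post; google.com as the control domain is an assumption. Running it on the LAN workstation and on the ISP-connected one while capturing on the UTM's WAN interface separates "query never left" from "reply never returned".

```python
"""Minimal raw-UDP DNS probe: compare a suspect domain against a control domain
through the same resolver. Added example, not from the original thread."""
import random
import socket
import struct

def build_query(name, qid=None):
    """Encode a standard recursive A query for `name` in DNS wire format."""
    if qid is None:
        qid = random.randrange(0, 0x10000)
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_answer_count(reply, expected_id):
    """Return ANCOUNT if `reply` is a valid response to our query, else raise."""
    if len(reply) < 12:
        raise ValueError("truncated DNS header")
    qid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", reply[:12])
    if qid != expected_id:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    rcode = flags & 0x000F
    if rcode != 0:
        raise ValueError(f"server returned RCODE {rcode}")
    return an

def probe(name, server="8.8.8.8", timeout=3.0):
    """Send one query directly to `server` (resolver from the post) and classify the outcome."""
    qid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (server, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return f"{name}: TIMEOUT after {timeout}s (request sent, no reply received)"
    try:
        return f"{name}: OK, {parse_answer_count(data, qid)} answer record(s)"
    except ValueError as e:
        return f"{name}: reply received but invalid ({e})"

if __name__ == "__main__":
    # google.com is an assumed control domain; the .tk names come from the post.
    for n in ("google.com", "dot.tk", "wiki.tcl.tk"):
        print(probe(n))
```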