This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos UTM9 Firewall appears to be blocking all dot tk DNS lookups from the LAN

Sophos SG135 running UTM9.4

If I do an nslookup of dot.tk using 8.8.8.8 as the server from inside my LAN I get timeouts.  From another workstation that is connected directly to the ISP it works fine.  All other DNS lookups from inside the LAN work fine, it is only .tk domains that timeout. 

Using wireshark I can see the request go out of my workstation, but no response ever comes back.  When looking up other domains I do see the responses coming back.  To be sure, I have tried turning off the workstation's firewall, but it made no difference.

So the only apparent difference between the working workstation and the timing out workstation is the UTM9 firewall.

On the UTM9 I have allowed port 53 from LAN to WAN (and it appears to be working because DNS lookups to all non-.tk domains work fine).  I have country blocking turned off, although that shouldn't matter since the interaction is purely between me and google's 8.8.8.8 DNS server.  I tried allowing all traffic from the LAN out to the WAN just to be sure but it made no difference.

I have looked at the firewall logs but I can't see any blocked packets from 8.8.8.8 or anything port 53 related.

There appears to be a DNS proxy running on the UTM9, although under Network Services->DNS I have tried both with Allowed Networks empty and with "Internal Networks" added, and with the request routing rules turned on and turned off... none of that makes any difference in the behavior.  In the DNS proxy log I don't see anything at all related to my dot.tk queries.

So questions...

1. Has anybody seen this, or have any idea what might be blocking the requests?

2. How can I debug this?  Is there any way to have the logs show me specific UDP packets so I can verify the request is making it out and that a response is in fact being received?  It's a Sophos SG135 and I have to this point done everything using WebAdmin, and have not tried to log in directly to a shell on the device.

Thanks for any help that anyone can offer.  If there are any logs or settings that I can post that would help please let me know.  I should note that folks want to access wiki.tcl.tk which I think is a legitimate use, and if they use the IP address directly they can access the pages just fine- it is only the DNS lookup that is broken.

 

 

 



This thread was automatically locked due to age.
Parents
  • UPDATE:
    I found the culprit: Intrusion Prevention System (IPS).  Somehow I missed that log file when I was going through all the logs before.  Apparently part of the default ruleset is to block all .tk domain name lookups.  Sorry wiki.tcl.tk, you really shouldn't have used a .tk domain!!!

    I should be able to research this on my own from here, and add an appropriate exception to allow at least wiki.tcl.tk lookups.

    Apologies if I wasted anyone's time...  maybe my post will help someone else that runs into this though.

    Thanks.

  • i had seen some other posts ab out DNS alarms, so your post caught my eye and I tried to see what the options a0re:

    option 1_ Uncheck "Misc servers... DNS" from the attack patterns change.

    But this disables over 1000 different checks, which seems like overkill.

    Option 2:  Create an exception, but the exception features are not very granular either.

    I created an exception for:   SKip = IPS, where service = DNS and Source IP = <all internal private IP addresses>

    That might disable a lot, but at least it does not disable incoming attacks.

Reply
  • i had seen some other posts ab out DNS alarms, so your post caught my eye and I tried to see what the options a0re:

    option 1_ Uncheck "Misc servers... DNS" from the attack patterns change.

    But this disables over 1000 different checks, which seems like overkill.

    Option 2:  Create an exception, but the exception features are not very granular either.

    I created an exception for:   SKip = IPS, where service = DNS and Source IP = <all internal private IP addresses>

    That might disable a lot, but at least it does not disable incoming attacks.

Children
  • DouglasFoster,

    After some playing around I also settled on "option 2" (exception to skip IPS for DNS from internal network).  I agree it is not as granular as I'd like, but at least the LAN users aren't left scratching their heads when names don't resolve properly.

    I tried using the rule ID from the logs to disable the specific rule in the Advanced->Manual Rule Modification box, but it did not work.  Maybe the ID in the log is not the same as the "rule ID", I don't know.  This would almost be too specific though, as I don't know what other domains are blocked by IPS rules that I may want to allow...