This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Can't access random websites. DNS questions.

I'm having some strange DNS behavior. My config: I have a HyperV Host  with two NICS running a DNS server and Sophos Firewall. 1 NIC is connected to the modem, and the other is connected to an asus router. I'm using Sophos as the DHCP server, and I have everything on the intranet using the local DNS server. I have DNS Forwarders in Sophos pointing to the OpenDNS IPs. I'm having two problems. 1. when I go to welcome.opendns.com it says I'm not using the OpenDNS IPs. 2. Random websites are failing to load with a ERROR_CONNECTION_REST or ERROR_CONNECTION_ABORTED. I've tried connecting a router to the modem directly and I don't have any issues getting to the same websites that fail when i go through the firewall. So, I don't think it's the modem/ISP. Googling the errors everything tells me that it's DNS related, but I have no idea why. I've made a rule on firewall to open all ports to my laptop, so I don't know what else could be blocking.  Anyone have any ideas why i only have issues reaching some sites when going through the firewall?



This thread was automatically locked due to age.
Parents
  • Hi,

    Which website fail to load and what does the http.log reflect? Please post the logs here.

    Try the DNS best practice guide by Bob here.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • imgur.com, reddit.com, and marvel.wikia.com are three i've run into. Sometimes the pages will load without any of the graphics/formatting, but a refresh will usually make it fail outright with the connection reset/aborted message. I've modified my settings to meet all the Best Practices except step 3, but I'm still running into the same issue.

     

    I'm not sure where the http.log file is. Can you point me in the right direction to find it? 

     

    Thanks,

    Juan

  • 2016:10:03-01:35:18 www httpproxy[5536]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="confd_config_reload_func" file="confd-client.c" line="587" message="reloading config"
    2016:10:03-01:35:19 www httpproxy[5536]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="parse_address" file="util.c" line="432" message="getaddrinfo: passthrough6.fw-notify.net: Name or service not known"
    2016:10:03-01:35:19 www httpproxy[5536]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="confd_config_filter" file="confd-client.c" line="3762" message="failed to resolve passthrough6.fw-notify.net, using 2a01:198:200:680::8080"
    2016:10:03-01:35:19 www httpproxy[5536]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="confd_config_reload_func" file="confd-client.c" line="643" message="reloading config done, new version 258"
    2016:10:03-01:35:31 www httpproxy[5536]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="saviscanner_log" file="saviscanner.c" line="360" message="Reloading SAVI threat data"
    2016:10:03-01:35:40 www httpproxy[5536]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="saviscanner_log" file="saviscanner.c" line="360" message="Reloading SAVI threat data finished, engine 3.65.2, threat data 5.30 from 9/8/2016 (11789428 detected threats)"
    2016:10:03-01:40:24 www httpproxy[5536]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="aptp_reload" file="aptpscanner.c" line="142" message="reloading ATP pattern"
    2016:10:03-01:40:24 www httpproxy[5536]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="aptp_reload" file="aptpscanner.c" line="160" message="reloading ATP pattern finished"
    2016:10:03-13:21:18 www httpproxy[5536]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="confd_config_reload_func" file="confd-client.c" line="587" message="reloading config"
    2016:10:03-13:21:18 www httpproxy[5536]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="parse_address" file="util.c" line="432" message="getaddrinfo: passthrough6.fw-notify.net: Name or service not known"
    2016:10:03-13:21:18 www httpproxy[5536]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="confd_config_filter" file="confd-client.c" line="3762" message="failed to resolve passthrough6.fw-notify.net, using 2a01:198:200:680::8080"
    2016:10:03-13:21:19 www httpproxy[5536]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="confd_config_reload_func" file="confd-client.c" line="643" message="reloading config done, new version 316"
    2016:10:03-13:21:25 www httpproxy[5536]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="confd_config_reload_func" file="confd-client.c" line="587" message="reloading config"
    2016:10:03-13:21:25 www httpproxy[5536]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="parse_address" file="util.c" line="432" message="getaddrinfo: passthrough6.fw-notify.net: Name or service not known"
    2016:10:03-13:21:25 www httpproxy[5536]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="confd_config_filter" file="confd-client.c" line="3762" message="failed to resolve passthrough6.fw-notify.net, using 2a01:198:200:680::8080"
    2016:10:03-13:21:26 www httpproxy[5536]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="confd_config_reload_func" file="confd-client.c" line="643" message="reloading config done, new version 317"
    2016:10:03-13:21:33 www httpproxy[5536]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="confd_config_reload_func" file="confd-client.c" line="587" message="reloading config"
    2016:10:03-13:21:33 www httpproxy[5536]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="parse_address" file="util.c" line="432" message="getaddrinfo: passthrough6.fw-notify.net: Name or service not known"
    2016:10:03-13:21:33 www httpproxy[5536]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="confd_config_filter" file="confd-client.c" line="3762" message="failed to resolve passthrough6.fw-notify.net, using 2a01:198:200:680::8080"
    2016:10:03-13:21:33 www URID[5266]: T=5266 ------ 1 - [exit] SIGTERM: exiting
    2016:10:03-13:21:33 www httpproxy[5536]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="confd_config_reload_func" file="confd-client.c" line="643" message="reloading config done, new version 318"
    2016:10:03-13:21:39 www URID[10050]: T=10050 ------ 1 - [exit] SIGTERM: exiting
    2016:10:03-13:21:39 www httpproxy[5536]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="confd_config_reload_func" file="confd-client.c" line="587" message="reloading config"
    2016:10:03-13:21:39 www httpproxy[5536]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="parse_address" file="util.c" line="432" message="getaddrinfo: passthrough6.fw-notify.net: Name or service not known"
    2016:10:03-13:21:39 www httpproxy[5536]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="confd_config_filter" file="confd-client.c" line="3762" message="failed to resolve passthrough6.fw-notify.net, using 2a01:198:200:680::8080"
    2016:10:03-13:21:48 www httpproxy[5536]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="scanner_init" file="saviscanner.c" line="381" message="Successfully loaded SAVI threat data, engine 3.65.2, threat data 5.30 from 9/8/2016 (11789428 detected threats)"
    2016:10:03-13:21:48 www httpproxy[5536]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="confd_config_reload_func" file="confd-client.c" line="643" message="reloading config done, new version 319"
    2016:10:03-13:26:25 www httpproxy[5536]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="aptp_reload" file="aptpscanner.c" line="142" message="reloading ATP pattern"
    2016:10:03-13:26:26 www httpproxy[5536]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="aptp_reload" file="aptpscanner.c" line="160" message="reloading ATP pattern finished"

    I found the log. I don't see anything in the file that references the websites I'm having trouble with though. 

  • Hi,

    Check #1 in the brilliant guide by Bob here. Do you capture anything now? 

    What is the operation mode of Web Filtering? If it is configured to work in transparent mode then define the website in skip transparent host destination box found in Filter option> Misc.

    Any help with that?

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • Juan, your Web Filtering log looks like Web Filtering isn't configured or that you have turned logging off.  Apropos, should one of the mods move this thread to the Network Protection or Web Filtering forum?  Be sure to follow the link in Sachin's post above this one.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I've reviewed the rules, and appreciate all the advice. I've tried to remove as many factors from Sophos as possible by turning off a lot. The more I try messing with settings the more I'm thinking this is something to do with my ISP. I've tried turning off Intrusion Prevention, Advanced Threat Protection, Web Filtering, Application Control, and making an "Any" Firewall Rule for the web server I'm testing on. Still fails. Then I did an ipconfig /flushdns and restarted google chrome. Still fails. Then I turn Advanced Threat Prot , Web Filtering, and Intrusion Prev on, and remove the Firewall rule. 5-10 minutes later it starts letting me get to the sites (I've been using marvel.wikia.com and imgur as my tests). Sometimes one works and the the other doesn't, sometimes they both work. Eventually they both stop working all together. The lack of consistency is infuriating. Is there something I'm missing? Should turning the protections/filtering on and off apply immediately?

    Some more info on my setup. The only NAT rule is the Masquerading Rule for Internal -> External and a DNAT rule for Plex. All the Web Protection options are the defaults. Assuming Web Filtering is on(which it is when i'm not troubleshooting things), it's set to Transparent Mode with External (WAN) as the Allowed Network. 

    I can't think of anything in a routing config that would cause inconsistent results like this. I don't think i have anything particularly complicated about my setup. I had this same setup at my previous house and I wasn't having these problems. The only difference is I was on Charter Business and now I'm on standard Charter (so different modem). Charter doesn't allow consumer access to their modems, so I have to call in to make changes. I hadn't really thought about this until I started typing it out, but there is a chance that is my problem. 

     

  • Hi,

    Go to Web protection> Filtering option> Misc> Enable pharming, uncheck this option and save it. Any help?

    Even after disabling all the filters and updating the DNS setting if you still face such intermittent behavior then I thin you must get the ISP inline. To make sure you can deploy another ISP or 3g USB dongle  and remove the existing one for testing. 

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • Hi jadec,

    Ah, you're with charter which is a known bad egg to cause a bug that was entered in 9.404 that screws with the MTU and causes all manner of problems.

    Go to Interfaces & Routing > Interfaces and look at the WAN interfaces details, is the MTU >1300 or is it low like 576?

    Emile

  • It's exactly 576. No idea if it was different at any other time. Is there something i can do to change it? 

  • Hi Jadec,

    576 is way below the recommed minimum of around 1350 and will cause severe disruption to your services.

    To resolve this, please take a read through these two articles:

    There are resolutions to it but it requires you to go to shell to override a bug that has been entered into the way DHCP is being handled with interfaces.

    Hope that helps and am looking forward to your reply!

    Emile

  • That was it! I manually changed the MTU to be 1500 (matched Internal) after modifying default.conf. I made a back up of the original .conf file in case a fix is officially released and I need to revert my change. All sites appear to be working now. Hopefully this gets patched for Charter customers soon. Thank you everyone for the help figuring this out!

  • Hi Jadec,

    That's fantastic and I'm glad you managed to get it resolved.

    It has hit quite a few people and it's definitely on Sophos' radar to resolve so hopefully in an incoming release it will be fixed!

    Emile

Reply Children
No Data