This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Snapchat - Host Not Found

Am puzzled but this Sophos UTM error.  Was hoping someone might be able to assist.

I can access Snapchat from my iPhone via LTE cellular without issue.  However I'm unable to access from my iPhone via wi-fi when attempting to connect from behind my Sophos UTM with HTTPS Decrypt & Scan enabled.

Even when I create a web filtering exception for Snapchat, I still receiving this error repeatedly.  Seems to be trying to access a www.feelinsonice.com URL that it cannot resolve?  It keeps returning a BLOCK and "Host Not Found":

2015:07:05-21:44:27 oscar httpproxy[15843]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="CONNECT" srcip="192.168.0.43" dstip="" user="" ad_domain="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2623" request="0xdef78000" url="www.feelinsonice.com/" referer="" error="Host not found" authtime="0" dnstime="226" cattime="0" avscantime="0" fullreqtime="231808" device="0" auth="0" ua="" exceptions="av,auth,content,url,ssl,certcheck,certdate,mime,cache,fileextension,size,patience"

2015:07:05-21:44:27 oscar httpproxy[15843]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.0.43" dstip="74.6.34.30" user="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="186" request="0xdeeb3800" url="data.flurry.com/" referer="" error="" authtime="0" dnstime="34189" cattime="0" avscantime="0" fullreqtime="138177" device="0" auth="0" ua="" exceptions="av,auth,content,url,ssl,certcheck,certdate,mime,cache,fileextension,size,patience"

2015:07:05-21:44:27 oscar httpproxy[15843]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.0.43" dstip="74.125.30.141" user="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="3849" request="0xe0086800" url="sc-analytics.appspot.com/" referer="" error="" authtime="0" dnstime="334" cattime="0" avscantime="0" fullreqtime="139336" device="0" auth="0" ua="" exceptions="av,auth,content,url,ssl,certcheck,certdate,mime,cache,fileextension,size,patience"

2015:07:05-21:44:30 oscar httpproxy[15843]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.0.43" dstip="17.167.194.205" user="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="4981" request="0xbf95000" url="gsp10-ssl.apple.com/" referer="" error="" authtime="0" dnstime="115864" cattime="0" avscantime="0" fullreqtime="363084" device="0" auth="0" ua="" exceptions="av,auth,content,url,ssl,certcheck,certdate,mime,fileextension"


This thread was automatically locked due to age.
Parents
  • It looks like the issue is caused by two things:

    1) There is no DNS entry for "www.feelinsonice.com"
    2) The "Pharming protection" feature of the web filtering proxy is broken...

    Here is how I worked around these problems:

    1) Create a static DNS entry for "www.feelinsonice.com" pointing to IP address "74.6.34.30'
    2) In the Sophos UTM web management GUI go to "Web Protection" -> "Filtering Options" -> "Misc" tab. Scroll down to the bottom and deselect / disable "Enable Pharming protection"...

Reply
  • It looks like the issue is caused by two things:

    1) There is no DNS entry for "www.feelinsonice.com"
    2) The "Pharming protection" feature of the web filtering proxy is broken...

    Here is how I worked around these problems:

    1) Create a static DNS entry for "www.feelinsonice.com" pointing to IP address "74.6.34.30'
    2) In the Sophos UTM web management GUI go to "Web Protection" -> "Filtering Options" -> "Misc" tab. Scroll down to the bottom and deselect / disable "Enable Pharming protection"...

Children
  • Having the same issue on firmware 9.404-5.

    MartijnTigchelaar's suggestion has worked for me, but clearly something wrong with the Pharming Protection feature.

  • This worked for me as well but there must be a better solution than disabling Pharming Protection

  • "Pharming Protection" is simply broken. It still is in v9.407-3. It ignores the static DNS entries you create - which defeats the whole purpose of the static DNS entries...

  • I got the same problem and this works for me.

    Adding exeption for ^https?://([A-Za-z0-9.-]*\.)?feelinsonice\.com/ does not work

    Is there a way to use an exeption rule that works?

  • So far the only way to get snap chat to work is to got Webprotection then to Filtering options then to Misc and scroll to the bottom and uncheck Pharming Protection.  No exceptions or settings seem to work.

  • RobertAdelman said:

    So far the only way to get snap chat to work is to got Webprotection then to Filtering options then to Misc and scroll to the bottom and uncheck Pharming Protection.  No exceptions or settings seem to work.

    I was able to work around this in UTM 9 without disabling Pharming Protection.  Am still a bit unclear what exactly worked.

  • I have confirmed this in SFOS and 99% sure it is the same in UTM.

    In this case:
    client makes a tcp connection to 146.148.72.110:443
    the connection has SNI of www.feelinsonice.com
    Because pharming protection is on, UTM does not trust that www.feelinsonice.com is really 146.148.72.110
    UTM does dns lookup for www.feelinsonice.com
    DNS lookup fails
    UTM cannot connect to the far server because it is unresolvable
    UTM does SSL handshake with client using its own CA to present error message.

    There are two workarounds:

    Workaround 1: turn off pharming protection

    Workaround 2: Go to Network Definitions and add a Host object, making sure to fill in the ipv4 address and the DNS settings for Hostname.
    146.148.72.110 www.feelinsonice.com

    Note: For all I know snapchat has its own weird way of choosing where to connect to.  I know that in one instance 146.148.72.110 was the destination.  A "more correct" solution would be to tcpdump or turn on additional logging so that you can determine what ip your snapchat is connecting to, in case there are regional differences.

  • Thanks Michael Dunn for this insight.  This made me think of a similar issue I was having and couldn't find a fix (ended up disabling HTTPS scanning altogether).  Not ideal.

    With some mobile apps, I can filter in Livelog the traffic to and from a specific IP within web filtering.  However there have been cases where a mobile app, for example American Express Serve app, is unable to login to a user account with filtering enabled.  When I view the web filtering log for anomalies and blocked pages, there are none.  It's as if the web filtering log isn't complete or detailed enough for me to identify urls/pages for which I need to add other exceptions.

    Is there additional web filtering that can be enabled?

  • There is additional logging that dev or support can turn on, however at this time I don't know if that is public information.  It opens up another can of worms, and the developer level logging may lead you down wrong paths of understanding.

    However what you can do is use WireShark or Fiddler to watch all your traffic.  WireShark is a tcpdump so you can see all HTTP, DNS, and other traffic leaving your client machine, however inspecting HTTPS is a pain.  Fiddler is a windows on-box proxy that lets you monitor all HTTP and HTTPS traffic, but it makes the traffic standard mode and not transparent mode.

    For mobile apps, run tcpdump on the box then copy it to Windows and read the logs in WireShark.

  • Michael Dunn said:

    For mobile apps, run tcpdump on the box then copy it to Windows and read the logs in WireShark.

    Appreciate the recommendation.  Does tcpdump show the traffic in numeric IP addresses (1.2.3.4) or does it resolve it to FQDNs (server.microsoft.com)?  I'll give it a try!