Snapchat - Host Not Found

Question

Am puzzled but this Sophos UTM error.  Was hoping someone might be able to assist.

I can access Snapchat from my iPhone via LTE cellular without issue.  However I'm unable to access from my iPhone via wi-fi when attempting to connect from behind my Sophos UTM with HTTPS Decrypt & Scan enabled.

Even when I create a web filtering exception for Snapchat, I still receiving this error repeatedly.  Seems to be trying to access a www.feelinsonice.com URL that it cannot resolve?  It keeps returning a BLOCK and "Host Not Found":

2015:07:05-21:44:27 oscar httpproxy[15843]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="CONNECT" srcip="192.168.0.43" dstip="" user="" ad_domain="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2623" request="0xdef78000" url="www.feelinsonice.com/" referer="" error="Host not found" authtime="0" dnstime="226" cattime="0" avscantime="0" fullreqtime="231808" device="0" auth="0" ua="" exceptions="av,auth,content,url,ssl,certcheck,certdate,mime,cache,fileextension,size,patience"

2015:07:05-21:44:27 oscar httpproxy[15843]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.0.43" dstip="74.6.34.30" user="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="186" request="0xdeeb3800" url="data.flurry.com/" referer="" error="" authtime="0" dnstime="34189" cattime="0" avscantime="0" fullreqtime="138177" device="0" auth="0" ua="" exceptions="av,auth,content,url,ssl,certcheck,certdate,mime,cache,fileextension,size,patience"

2015:07:05-21:44:27 oscar httpproxy[15843]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.0.43" dstip="74.125.30.141" user="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="3849" request="0xe0086800" url="sc-analytics.appspot.com/" referer="" error="" authtime="0" dnstime="334" cattime="0" avscantime="0" fullreqtime="139336" device="0" auth="0" ua="" exceptions="av,auth,content,url,ssl,certcheck,certdate,mime,cache,fileextension,size,patience"

2015:07:05-21:44:30 oscar httpproxy[15843]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.0.43" dstip="17.167.194.205" user="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="4981" request="0xbf95000" url="gsp10-ssl.apple.com/" referer="" error="" authtime="0" dnstime="115864" cattime="0" avscantime="0" fullreqtime="363084" device="0" auth="0" ua="" exceptions="av,auth,content,url,ssl,certcheck,certdate,mime,fileextension"

This thread was automatically locked due to age.

MartijnTigchelaar · Answer

It looks like the issue is caused by two things: 
 1) There is no DNS entry for "www.feelinsonice.com" 2) The "Pharming protection" feature of the web filtering proxy is broken... 
 Here is how I worked around these problems: 
 1) Create a static DNS entry for "www.feelinsonice.com" pointing to IP address "74.6.34.30' 2) In the Sophos UTM web management GUI go to "Web Protection" -> "Filtering Options" -> "Misc" tab. Scroll down to the bottom and deselect / disable "Enable Pharming protection"...

RobertAdelman · Answer

So far the only way to get snap chat to work is to got Webprotection then to Filtering options then to Misc and scroll to the bottom and uncheck Pharming Protection. No exceptions or settings seem to work.

ken.wi · Answer

Solution suggested by MartijnTigchelaar did not work for me. I am still on v. 9.309 and I did not find a Pharming option. Here is what I did to fix this: 
 
 Go to Web Protection, Filtering Options, New Exception List... Created a new Exception called SnapChat, Skipped these checks: Antivirus, Extension blocking, MIME type blocking, URL Filter, Content Removal, matching these URLs: ^https?://([A-Za-z0-9.-]*\.)?feelinsonice\.com/ 
 I'm not sure exactly which options being skipped fixed this issue so the list I chose to skip is probably overkill, but it worked. The options being skipped could probably be reduced if someone wanted to take the time to test.

Michael Dunn · Answer

I have confirmed this in SFOS and 99% sure it is the same in UTM. 
 In this case: client makes a tcp connection to 146.148.72.110:443 the connection has SNI of www.feelinsonice.com Because pharming protection is on, UTM does not trust that www.feelinsonice.com is really 146.148.72.110 UTM does dns lookup for www.feelinsonice.com DNS lookup fails UTM cannot connect to the far server because it is unresolvable UTM does SSL handshake with client using its own CA to present error message. There are two workarounds: Workaround 1: turn off pharming protection Workaround 2: Go to Network Definitions and add a Host object, making sure to fill in the ipv4 address and the DNS settings for Hostname. 146.148.72.110 www.feelinsonice.com Note: For all I know snapchat has its own weird way of choosing where to connect to. I know that in one instance 146.148.72.110 was the destination. A "more correct" solution would be to tcpdump or turn on additional logging so that you can determine what ip your snapchat is connecting to, in case there are regional differences.