
Upgrade from 9.3x to 9.401-11: 1) Application Control does not work anymore. 2) Web Protection breaks DNS lookups

After upgrading to 9.401-11 we received a DMCA Notice.

"No way" I thought because there's an Application Control rule that we had working for years that disallows Bittorrent.

I go and investigate/test and find that bittorrent works perfectly despite Network Visibility and Application Control being turned on and a "block and log" rule for bittorrent and Gnutella that worked fine for years. I can initiate and download/seed bittorrents.

Is Application Control broken in 9.4 or have they changed the way it needs to be set up? I did not see anything pertinent in the known issues list.

Second issue is that we have Web Protection in transparent mode, http only and since 9.4 it breaks browsing. Interestingly it breaks DNS lookups. Any attempts to browse with transparent Web Protection enabled will bring up the block page saying "DNS Resolution Timeout".

The log shows

2016:04:17-21:53:17 guests httpproxy[19017]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="dns_expire" file="dns.c" line="195" message="dns query 6fdd (www.cnn.com) timed out, retransmitting (retry 1)"
2016:04:17-21:53:17 guests httpproxy[19017]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="dns_expire" file="dns.c" line="195" message="dns query c6d0 (media-cache-ak0.pinimg.com) timed out, retransmitting (retry 2)"
2016:04:17-21:53:22 guests httpproxy[19017]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="dns_expire" file="dns.c" line="195" message="dns query 9de3 (media-cache-ec0.pinimg.com) timed out, retransmitting (retry 1)"
2016:04:17-21:53:22 guests httpproxy[19017]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="dns_expire" file="dns.c" line="195" message="dns query 6fdd (www.cnn.com) timed out, retransmitting (retry 2)"

Disabling web protection immediately fixes the DNS issues. I do not understand the connection. Before 9.4 there was no connection between Web Protection and DNS resolution.
My clients are set up to use OpenDNS and on UTM I have OpenDNS set up as forwarders as well so UTM can resolve DNS, too. I have tested this in Support -> Tools -> DNS lookup.
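For anyone wanting to pull the same pattern out of a longer httpproxy log, here is an added parser (not from the post or from Sophos) that splits the key="value" lines shown above and reports, per queried name, how many retransmissions each DNS query id reached. The sample input is the four lines quoted in the post; the field names are taken from them and nothing else is assumed about the log format.

```python
import re
from collections import defaultdict

# Constructed sample: the four httpproxy lines quoted in the post (same layout).
SAMPLE_LOG = """\
2016:04:17-21:53:17 guests httpproxy[19017]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="dns_expire" file="dns.c" line="195" message="dns query 6fdd (www.cnn.com) timed out, retransmitting (retry 1)"
2016:04:17-21:53:17 guests httpproxy[19017]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="dns_expire" file="dns.c" line="195" message="dns query c6d0 (media-cache-ak0.pinimg.com) timed out, retransmitting (retry 2)"
2016:04:17-21:53:22 guests httpproxy[19017]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="dns_expire" file="dns.c" line="195" message="dns query 9de3 (media-cache-ec0.pinimg.com) timed out, retransmitting (retry 1)"
2016:04:17-21:53:22 guests httpproxy[19017]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="dns_expire" file="dns.c" line="195" message="dns query 6fdd (www.cnn.com) timed out, retransmitting (retry 2)"
"""

HEADER_RE = re.compile(r'^(\S+) (\S+) (\S+):')          # timestamp, UTM hostname, process[pid]
KV_RE = re.compile(r'(\w+)="([^"]*)"')                  # key="value" pairs after the header
DNS_RE = re.compile(r'dns query (?P<qid>[0-9a-f]+) \((?P<name>[^)]+)\) timed out, '
                    r'retransmitting \(retry (?P<retry>\d+)\)')


def parse_line(line):
    """Return the header fields plus every key="value" pair, or None if not an httpproxy line."""
    head = HEADER_RE.match(line)
    if not head:
        return None
    rec = {"ts": head.group(1), "utm": head.group(2), "proc": head.group(3)}
    rec.update(KV_RE.findall(line[head.end():]))
    return rec


def dns_timeout_summary(log_text):
    """Map each queried name to its query ids with the highest retry seen per id."""
    summary = defaultdict(lambda: {"queries": {}, "max_retry": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec.get("function") != "dns_expire":
            continue                      # only the resolver-timeout events matter here
        m = DNS_RE.search(rec.get("message", ""))
        if not m:
            continue
        entry, retry = summary[m["name"]], int(m["retry"])
        entry["queries"][m["qid"]] = max(entry["queries"].get(m["qid"], 0), retry)
        entry["max_retry"] = max(entry["max_retry"], retry)
    return dict(summary)


def names_at_or_above(log_text, retry_threshold=2):
    """Names whose lookup reached the retry threshold: the ones likely to hit the block page."""
    return sorted(n for n, e in dns_timeout_summary(log_text).items()
                  if e["max_retry"] >= retry_threshold)
```

Running it over a full /var/log/http.log excerpt instead of SAMPLE_LOG shows whether the timeouts are spread across every name (a proxy-side resolver problem, as the post suggests) or confined to a few.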


  • I toggled Application Control on and off after editing my rules (just changed the names) and now it works again so it seems Application Control rules were somehow broken and in the back-end did not reflect what was shown in the GUI. Now Bittorrent is correctly being denied.

    That just leaves the weird DNS Timeout issue with Web Protection. Has anyone come across this?

  • I too am seeing the DNS timeouts, but not 100% sure what the cause is.

    There are issues with Mac OS X and WiFi, so I haven't been able to trace whether it's the Mac that's at fault. PCs seem to handle DNS timeouts differently and rather cache the failure; they will try again when next requested.

    I've also gone IPv6, and it was about the same time that I started getting DNS issues - but turning off IPv6 didn't make a difference - there have been too many changes on my network to confirm for sure what's causing it.

    I'm just running a NameBench against the UTM - should be able to give me an insight to the DNS issue.

    What's your set-up, and is it every machine on the network that's having problems?

    EDIT:

    One thing I have noticed, disabling pharming protection in the web-filter seems to help a little, as does the DNSSEC verification.

    Tim Grantham

    Enterprise Architect & Business owner
