
Upgrade from 9.3x to 9.401-11: 1) Application Control does not work anymore. 2) Web Protection breaks DNS lookups

After upgrading to 9.401-11 we received a DMCA Notice.

"No way" I thought because there's an Application Control rule that we had working for years that disallows Bittorrent.

I go and investigate/test and find that bittorrent works perfectly: despite Network Visibility and Application Control being turned on, and a "block and log" rule for bittorrent and Gnutella that worked fine for years, I can initiate and download/seed bittorrents.

Is Application Control broken in 9.4, or have they changed the way it needs to be set up? I did not see anything pertinent in the known issues list.

The second issue is that we have Web Protection in transparent mode, HTTP only, and since 9.4 it breaks browsing. Interestingly, it breaks DNS lookups. Any attempt to browse with transparent Web Protection enabled brings up the block page saying "DNS Resolution Timeout".

The log shows:

2016:04:17-21:53:17 guests httpproxy[19017]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="dns_expire" file="dns.c" line="195" message="dns query 6fdd (www.cnn.com) timed out, retransmitting (retry 1)"
2016:04:17-21:53:17 guests httpproxy[19017]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="dns_expire" file="dns.c" line="195" message="dns query c6d0 (media-cache-ak0.pinimg.com) timed out, retransmitting (retry 2)"
2016:04:17-21:53:22 guests httpproxy[19017]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="dns_expire" file="dns.c" line="195" message="dns query 9de3 (media-cache-ec0.pinimg.com) timed out, retransmitting (retry 1)"
2016:04:17-21:53:22 guests httpproxy[19017]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="dns_expire" file="dns.c" line="195" message="dns query 6fdd (www.cnn.com) timed out, retransmitting (retry 2)"

Disabling Web Protection immediately fixes the DNS issues. I do not understand the connection. Before 9.4 there was no connection between Web Protection and DNS resolution.
My clients are set up to use OpenDNS, and on the UTM I have OpenDNS set up as forwarders as well so the UTM can resolve DNS, too. I have tested this in Support -> Tools -> DNS lookup.
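An added example, not code from the poster or from Sophos: a small parser for the httpproxy log format quoted above (space-separated `key="value"` pairs after the `host process[pid]:` header) that picks out the `dns_expire` events and reports, per hostname, how many timeouts were logged and the highest retry count reached. Run against a longer log it tells you whether every lookup the proxy makes is stalling (pointing at the proxy's own resolver path) or only some names. The four sample lines are reconstructed from the post; the field layout of other httpproxy messages is assumed to follow the same `key="value"` convention.

```python
import re
from collections import defaultdict

# Constructed sample input: the four httpproxy lines quoted in the post above.
SAMPLE_LOG = """\
2016:04:17-21:53:17 guests httpproxy[19017]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="dns_expire" file="dns.c" line="195" message="dns query 6fdd (www.cnn.com) timed out, retransmitting (retry 1)"
2016:04:17-21:53:17 guests httpproxy[19017]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="dns_expire" file="dns.c" line="195" message="dns query c6d0 (media-cache-ak0.pinimg.com) timed out, retransmitting (retry 2)"
2016:04:17-21:53:22 guests httpproxy[19017]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="dns_expire" file="dns.c" line="195" message="dns query 9de3 (media-cache-ec0.pinimg.com) timed out, retransmitting (retry 1)"
2016:04:17-21:53:22 guests httpproxy[19017]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="dns_expire" file="dns.c" line="195" message="dns query 6fdd (www.cnn.com) timed out, retransmitting (retry 2)"
"""

# "<timestamp> <host> <process>[<pid>]: <key="value" ...>"
HEADER_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<rest>.*)$'
)
# key="value" pairs; value may contain escaped quotes.
KV_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
# The dns_expire message body as seen in the post (assumed stable wording).
DNS_TIMEOUT_RE = re.compile(
    r'^dns query (?P<qid>[0-9a-f]+) \((?P<name>[^)]+)\) timed out, '
    r'retransmitting \(retry (?P<retry>\d+)\)$'
)


def parse_line(line):
    """Split one httpproxy log line into a dict of header fields plus key/value pairs.

    Returns None for lines that do not match the header layout.
    """
    m = HEADER_RE.match(line)
    if m is None:
        return None
    rec = {"ts": m["ts"], "host": m["host"], "proc": m["proc"], "pid": int(m["pid"])}
    rec.update(dict(KV_RE.findall(m["rest"])))
    return rec


def dns_timeouts(log_text):
    """Aggregate dns_expire events by queried hostname.

    Result: {hostname: {"events": n, "max_retry": r, "query_ids": {...}}}.
    """
    out = defaultdict(lambda: {"events": 0, "max_retry": 0, "query_ids": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec.get("function") != "dns_expire":
            continue
        dm = DNS_TIMEOUT_RE.match(rec.get("message", ""))
        if dm is None:
            continue  # some other dns_expire message; ignore
        entry = out[dm["name"]]
        entry["events"] += 1
        entry["max_retry"] = max(entry["max_retry"], int(dm["retry"]))
        entry["query_ids"].add(dm["qid"])
    return dict(out)


def stalled_names(log_text, min_retry=2):
    """Hostnames whose lookup reached at least `min_retry` retransmissions."""
    return sorted(
        name for name, e in dns_timeouts(log_text).items() if e["max_retry"] >= min_retry
    )


if __name__ == "__main__":
    for name, e in sorted(dns_timeouts(SAMPLE_LOG).items()):
        print(f"{name}: {e['events']} timeout(s), max retry {e['max_retry']}, "
              f"query ids {sorted(e['query_ids'])}")
    print("stalled:", stalled_names(SAMPLE_LOG))
```

If the stalled set is essentially every name the proxy tries, the fault is in the proxy's resolver path rather than with particular upstream zones; comparing that list with what `Support -> Tools -> DNS lookup` resolves from the same box is the quickest way to see whether the proxy and the appliance are using the same forwarders.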

