WebProtection can't resolve hostnames without domain suffix

Question

It seems that it's not possible to use WebProtection at all if I need http access to hosts on local or tunneled networks. 
 For example on Windows workstations there is a advanced DNS tab where I can put in a list with additional domain suffixes so every DNS request is being suffixed with those domains until a matching host is found. 
 Now when I use WebProtection in "Transparent mode" and try to access host-xyz without a domain suffix I get an error message from the sophos firewall. 
 Now my questions: 
 1. Is there a way to add multiple domain suffixes for the WebProtection proxy? 
 2. Since those hosts are trustful web-servers it would be also ok to create a Exception in Filtering Options to skip protection when accessing hostnames without domain suffixes. How I could create such a exception?

sachingurung · Answer

Hi Chris, 
 Use request routing when you want the UTM to route the DNS queries to an internal DNS server and when you do not want to set up your own DNS server but need a static DNS mapping for a few hosts of your network, you can enter these mappings. 
 Now, as per the Windows guide, you can use the advanced DNS settings only if you are not using Obtain DNS server address automatically on the General tab. I think the windows KBA here will also be handy for this purpose. 
 What confuses me here is that which hosts are you trying to access without DNS suffix; external or internal. Alongside, when you do a DNS query does that query reach on UTM, show us the http.log and packetfilter.log for the source IP address. 
 Finally, if you want the requests to be handled by the UTM as per my first para, make sure the windows system have their Primary DNS set to internal address of the UTM. 
 Thanks

sachingurung · Answer

Hi Chris, 
 Taking your concept into consideration, 'if someone needs to resolve for example "hostxyz" the local DNS on the client adds all domain suffixes in order to this hostname and creates an FQDN'. As per the posted log lines, it seems that the UTM is receiving only "url=" http://intranet/ " and not an FQDN. Verify that on the local end. 
 Out of the box, what happens when define the action as allow for uncategorized website category in the filter action. As we can see a block due to "reputation="unverified" categoryname="Uncategorized"." 
 Hope that helps.