
Unable to Add DNS Host to Allowed Networks for Filtering

Hello,


I am trying to use site path routing under web application firewall and use a "DNS Host" entry in the allowed networks list, however it's not working.

If I have the DNS host entry myhost.duckdns.org it resolves the IP correctly (172.X.X.X) when I hover over it, but when I try to access the site I get this in the log:

2018:02:11-01:18:20 sophos httpd[11890]: [authz_host:error] [pid 11890:tid 4005301104] [client 172.X.X.X:38181] AH01753: access check of 'myhost.duckdns.org' to /favicon.ico failed, reason: unable to get the remote host name, referer: https://sub.mysite.com/
2018:02:11-01:18:20 sophos httpd[11890]: [authz_core:error] [pid 11890:tid 4005301104] [client 172.X.X.X:38181] AH01630: client denied by server configuration: proxy:balancer://0e9f56dedc1c6a43ee0c263a6d1b336b/favicon.ico, referer: https://sub.mysite.com/
2018:02:11-01:18:20 sophos httpd: id="0299" srcip="172.X.X.X" localip="my public ip address" size="220" user="-" host="172.X.X.X" method="GET" statuscode="403" reason="-" extra="-" exceptions="-" time="407" url="/favicon.ico" server="sub.mysite.com" port="443" query="" referer="https://sub.mysite.com/" cookie="-" set-cookie="-" uid="WoAKXKDSF5y5D4BBABz"
If I manually put the IP address itself in allowed networks it allows me through fine to my intended site. What can I do to get the DNS host working? I am unable to use access control by IP since this is for a mobile device and the IP changes often, so I was planning to use duckdns to update the IP so Sophos can constantly pick up the change.


  • Hi folks!


    I can confirm this with version 9.508.


    When setting access control in Site Path Routing from Any to specific DNS hosts, the following message appears in the log: AH01630: client denied by server configuration.

    When disabling access control or setting allowed networks back to Any, everything works fine. And yes, the current IP address of the device connecting to the WAF matches the DNS record.


    It's a guess, but maybe the WAF does a reverse lookup? And if there is no match, access is blocked?


    My scenario: mobile phone with DynDNS client. It should connect to my on-premise MDM solution. DNS object with its DynDNS A record created (as I said, the IP matches). In the log there is not only the IP address logged but also a DNS name. This DNS name is from my telephone company, so the WAF does a reverse lookup. rDNS doesn't match the configured DNS host -> block? Then it would be nice if this could be disabled. Or it is a bug, which wouldn't be surprising either.

  • Yes, WAF is doing a reverse lookup for DNS host objects. From the online help:

    Note – When a DNS host object is configured for access control, for every HTTP request a DNS reverse lookup is made for the client IP address. If the DNS reverse lookup succeeds, the resulting hostname is compared to the hostname of the configured DNS host object and a decision can be made whether the HTTP request is allowed or denied for that DNS host object.

  • Oh my... I looked into the online help and overlooked it. Thanks for the clarification. So it's completely hopeless to get a disable option for this :(
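The check quoted from the online help above (reverse-resolve the client IP, compare the PTR name with the DNS host object) explains the log entries in the original post. The following is an added illustration, not Sophos code: it models that reverse check next to the forward-resolution check the original poster expected, using a constructed in-memory resolver so it runs offline. The hostnames and 203.0.113.x addresses are constructed sample data; `forward_ip_match_allows` is a hypothetical comparison and not an option the WAF offers.

```python
import ipaddress
from typing import Dict, Optional

# Constructed sample DNS data (not real records). The DynDNS name points at the
# client's current IP, but the PTR record for that IP belongs to the ISP, so it
# can never equal the configured DNS host object.
FORWARD: Dict[str, str] = {
    "myhost.duckdns.org": "203.0.113.45",
    "waf-client.example.org": "203.0.113.10",
}
REVERSE: Dict[str, Optional[str]] = {
    "203.0.113.45": "45-113-0-203.dyn.example-isp.net",  # ISP-owned PTR
    "203.0.113.10": "waf-client.example.org",            # PTR matches the name
    "203.0.113.46": None,                                # no PTR at all
}


def reverse_lookup(ip: str) -> Optional[str]:
    """Stand-in for a PTR query; returns the hostname or None."""
    return REVERSE.get(ip)


def forward_lookup(name: str) -> Optional[str]:
    """Stand-in for an A-record query; returns the IP or None."""
    return FORWARD.get(name)


def waf_dns_host_allows(client_ip: str, dns_host: str) -> bool:
    """Behaviour described in the online help: reverse-resolve the client IP and
    compare the resulting hostname with the configured DNS host object."""
    rdns = reverse_lookup(client_ip)
    if rdns is None:
        return False  # AH01753 "unable to get the remote host name" -> denied
    return rdns.rstrip(".").lower() == dns_host.rstrip(".").lower()


def forward_ip_match_allows(client_ip: str, dns_host: str) -> bool:
    """Hypothetical alternative the original poster expected: resolve the DNS
    host object's A record and compare that address with the client IP."""
    resolved = forward_lookup(dns_host)
    if resolved is None:
        return False
    return ipaddress.ip_address(resolved) == ipaddress.ip_address(client_ip)


def explain(client_ip: str, dns_host: str) -> dict:
    """Summarise both checks for one client/host pair."""
    return {
        "reverse_name": reverse_lookup(client_ip),
        "waf_reverse_check": waf_dns_host_allows(client_ip, dns_host),
        "forward_ip_check": forward_ip_match_allows(client_ip, dns_host),
    }
```

Running `explain("203.0.113.45", "myhost.duckdns.org")` shows the DynDNS case: the forward IP comparison would pass, but the reverse check fails because the PTR name is the ISP's, which is exactly the denial seen in the thread.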
