DNS Issues after upgrading to 12.5.9 Update 1

We have an M200 currently running Fireware 12.1.B548280.

Last Friday I upgraded to Fireware 12.5.9 Update 1. The upgrade went well. Once the process was completed the box rebooted and all seemed normal until I started getting calls from users not being able to access the internet. When I received the call I was outside the office; I opened my laptop and I was able to connect to SSL VPN. I noticed that quite a few users were also connected to SSL VPN and had access to internal resources. We have our own Exchange server, and email worked perfectly fine. When I returned to the office that afternoon I noticed that our IP-based phone system was working. I went around the office testing computers browsing various sites and all I got was a "resolving host" message until the browser timed out and I got "page cannot be displayed". I tested more than 20 different sites from different computers, same issue on all of them.
I looked at all my policies and all looked just fine. Finally on Sunday afternoon I decided to downgrade to the previous Fireware, and the issue went away immediately.

My instinct tells me this is a DNS issue. I keep reading the release notes on Fireware 12.5.9 Update 1, but nothing points me in the right direction.

Thanks,

Comments

  • What are you using for your external DNS server?

    Turn on Logging on your DNS policy to see allowed DNS packets in Traffic Monitor.

    Consider opening a support incident on this.

  • edited February 7

    We have an Active Directory domain; my primary and secondary DNS servers are set to resolve via OpenDNS.

    Do I have to set up DNS in the newest Fireware?

  • No packets are allowed across a routed firewall interface without a policy allowing it.
    So you do need some policy allowing DNS.
    If you have DNSWatch enabled, then there is a hidden policy which allows DNS.
    But, with DNSWatch enabled, no DNS policies in your config are used - DNSWatch handles them first.

    So, if you want to see DNS packets in Traffic Monitor, at least for debugging, then you can't have DNSWatch active.

  • I currently have 2 DNS policies, DNS and DNS-proxy. See attached. But I do not have DNSWatch enabled.

  • The DNS proxy has priority as it is 1st in your policy list, so it will be used.

    Turn on Logging on it so that you can see what is being allowed, denied and any possible strips.

    Also note that DNS requests can now go over HTTPS - DoH.
    It is the default in Chrome.

  • I'm going to enable logging on DNS-Proxy and upgrade back to Fireware 12.5.9 Update 1 to see what's being DENIED, as nothing is being allowed once I'm back on 12.5.9. I do not have DNSWatch enabled but am thinking of enabling it moving forward.

    Had to downgrade because we can't be without internet for an extended number of hours.

  • In reality I may not need the DNS policy (the 2nd one on the list), just DNS-Proxy.

  • As it stands, the 2nd one will not be used.
    However, if needed, you could disable the DNS proxy at some point, and then the DNS filter policy would be used.
    Up to you - keep it or not.

  • edited February 7

    Bruce, I need your opinion on the following rule I saw in another post.
    How about a packet filter policy to DENY DNS from Any-Trusted, and then another rule that allows only my DNS servers to reach outside DNS servers, since we are in an Active Directory environment?

  • Like this?

  • That will work.
    I have something similar in my config.
    You certainly will find out which devices are trying to access unexpected DNS servers.
    Again, this will not address DoH DNS access over HTTPS.
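
The points made in this thread (policies are evaluated top-down with the first match winning, so the 2nd DNS policy behind DNS-proxy is never reached; no packet crosses a routed interface without a policy; a deny-from-Any-Trusted rule plus an allow for only the AD DNS servers surfaces rogue resolvers in the log; and DoH rides over 443 so no DNS policy ever sees it) can be walked through with a small first-match policy evaluator. This is an added example written for this page, not WatchGuard code or anything from the poster's config; the trusted subnet 10.0.1.0/24, the two domain controller addresses, the policy names and the sample flows are all assumptions constructed for the demonstration. The allow rule is scoped to the OpenDNS resolvers, which is tighter than "any outside DNS server" as the poster phrased it.

```python
"""First-match firewall policy walk for the DNS design discussed above.

Added example, not WatchGuard code. Subnet, host addresses, policy names
and sample flows are assumptions constructed for this demonstration.
"""
import ipaddress
from dataclasses import dataclass

# Assumed network: one trusted subnet, two AD domain controllers running DNS.
TRUSTED_NET = ipaddress.ip_network("10.0.1.0/24")    # assumption
AD_DNS_SERVERS = {"10.0.1.10", "10.0.1.11"}          # assumption
OPENDNS = {"208.67.222.222", "208.67.220.220"}       # OpenDNS public resolvers


def in_alias(ip: str, alias: str) -> bool:
    """Resolve the handful of address aliases the policies use."""
    addr = ipaddress.ip_address(ip)
    if alias == "Any-Trusted":
        return addr in TRUSTED_NET
    if alias == "Any-External":
        return addr not in TRUSTED_NET
    if alias == "AD-DNS":
        return ip in AD_DNS_SERVERS
    if alias == "OpenDNS":
        return ip in OPENDNS
    return ip == alias  # otherwise a literal host address


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "udp" or "tcp"
    dport: int


@dataclass(frozen=True)
class Policy:
    name: str
    action: str        # "allow" or "deny"
    src: str           # alias or host address
    dst: str
    dport: int
    protos: frozenset = frozenset(("udp", "tcp"))
    log: bool = True   # the thread's advice: log so you can see hits

    def matches(self, pkt: Packet) -> bool:
        return (pkt.dport == self.dport and pkt.proto in self.protos
                and in_alias(pkt.src, self.src) and in_alias(pkt.dst, self.dst))


def evaluate(pkt: Packet, policies: list) -> tuple:
    """Walk the list top-down; the first matching policy decides.
    As on a routed firewall interface, no match means an implicit deny."""
    for pol in policies:
        if pol.matches(pkt):
            return pol.name, pol.action
    return "(implicit)", "deny"


def audit(flows, policies) -> list:
    """One Traffic Monitor style line per flow: which policy fired and how."""
    lines = []
    for pkt in flows:
        name, action = evaluate(pkt, policies)
        lines.append(f"{action.upper():5} {name:17} "
                     f"{pkt.src} -> {pkt.dst}:{pkt.dport}/{pkt.proto}")
    return lines


# The poster's current config: DNS-proxy first, then a plain DNS packet
# filter that is never reached because the proxy already matches everything.
CURRENT_POLICIES = [
    Policy("DNS-proxy", "allow", "Any-Trusted", "Any-External", 53),
    Policy("DNS", "allow", "Any-Trusted", "Any-External", 53),
]

# The design proposed at the end of the thread: only the AD DNS servers may
# reach the outside resolvers; every other trusted host is denied and logged.
# Order matters: the allow must sit above the deny or it is never reached.
PROPOSED_POLICIES = [
    Policy("DNS-AD-out", "allow", "AD-DNS", "OpenDNS", 53),
    Policy("DNS-deny-trusted", "deny", "Any-Trusted", "Any-External", 53),
    Policy("HTTPS", "allow", "Any-Trusted", "Any-External", 443),
]

# Constructed sample flows. Workstation-to-DC lookups stay on the trusted
# segment and never cross the firewall, so they are not listed here.
SAMPLE_FLOWS = [
    Packet("10.0.1.10", "208.67.222.222", "udp", 53),  # DC forwarding to OpenDNS
    Packet("10.0.1.57", "8.8.8.8", "udp", 53),         # workstation bypassing AD DNS
    Packet("10.0.1.57", "1.1.1.1", "tcp", 443),        # DoH: indistinguishable from HTTPS
]

if __name__ == "__main__":
    for line in audit(SAMPLE_FLOWS, PROPOSED_POLICIES):
        print(line)
```

Running it shows the domain controller allowed out, the workstation's direct lookup denied (and therefore visible in the log), and the DoH flow sailing through the HTTPS policy untouched by any DNS rule, which is the caveat raised twice above. Swap in CURRENT_POLICIES and every port-53 flow is accepted by DNS-proxy, which is why the second DNS policy never logs anything.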
