
Copyright © 2024 Sophos Ltd

DNS2005: Troubleshooting Sophos DNS Protection

May 2024
Version: 1.0v1
© 2024 Sophos Limited. All rights reserved. No part of this document may be used or reproduced in any form or by any means without the prior written
consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and marks mentioned in this document may be the
trademarks or registered trademarks of Sophos Limited or their respective owners.

While reasonable care has been taken in the preparation of this document, Sophos makes no warranties, conditions or representations (whether express
or implied) as to its completeness or accuracy. This document is subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered office is at The Pentagon, Abingdon Science Park, Abingdon,
Oxfordshire, OX14 3YP.

Troubleshooting Sophos DNS Protection- 1



Troubleshooting Sophos DNS Protection


In this chapter you will learn how to troubleshoot common issues with Sophos DNS Protection.

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Have experience configuring and managing networks
✓ Know how to configure Sophos DNS Protection

DURATION: 15 minutes


Scenario 1: DNS Protection Policy Is Not Being Applied


DNS Protection Policy Is Not Being Applied 1

In this scenario, DNS is working, so DNS requests are being resolved, but the policy is not being
applied. Here you can see Facebook being accessed when the policy would block it.


DNS Protection Policy Is Not Being Applied 2

If you look in Sophos DNS Protection you can see that no data has been received from the location.
Queries from that location are therefore not reaching Sophos DNS Protection at all, so no policy can
be applied to them.


DNS Protection Policy Is Not Being Applied 2

You can test whether Sophos DNS Protection is being used by navigating to [Link] in your
browser; this test FQDN only resolves when the query is answered by Sophos DNS Protection. Here you
can see that a DNS error is returned by the browser.

You can also use the Resolve-DnsName PowerShell command to try to look up the IP address of
[Link]. Here you can see a failed lookup, as no IP address is returned.


DNS Protection Policy Is Not Being Applied 2

In most networks you will have an internal DNS server that answers queries for local resources and
forwards everything else to an external DNS server, usually your ISP's.

For the policy to apply, the forwarders on that internal server must be the IP addresses of the Sophos
DNS Protection servers. These can be found in the Installers section of Sophos DNS Protection.

Sophos DNS Protection uses [Link] and [Link] for its DNS service globally.


DNS Protection Policy Is Not Being Applied 3

With the correct DNS servers being used you will be able to resolve and access
[Link]. Here you can see the webpage has loaded and the Resolve-DnsName
PowerShell command has returned an IP address.


DNS Protection Policy Is Not Being Applied

Not using Sophos DNS Protection

Using Sophos DNS Protection

On Windows there are two main commands for checking DNS name resolution. In this scenario we
have been using the PowerShell command Resolve-DnsName because it uses the system DNS client
and gives the same result you would expect an application or browser to get.

Here you can see side-by-side the result you will get when using and not using Sophos DNS Protection.


DNS Protection Policy Is Not Being Applied

Not using Sophos DNS Protection

Using Google DNS

Using Sophos DNS Protection

The other commonly used command on Windows is nslookup, and it works too. Note, however, that
nslookup has its own resolver: it sends the query straight to the DNS server and bypasses the Windows
DNS client, its cache and the hosts file, so you may not get the same response from nslookup as a
regular application would. When the two disagree, Resolve-DnsName shows what applications actually
experience.


Scenario 2: DNS Protection Policy Is Not Being Applied


DNS Protection Policy Is Not Being Applied 1

In this scenario we have the same symptoms as before; DNS is working, so DNS requests are being
resolved, but the policy is not being applied. Here you can see Facebook being accessed when the
policy would block it.


DNS Protection Policy Is Not Being Applied 2

If you look in Sophos DNS Protection you can see that no data has been received from the location,
which means it is not using Sophos DNS Protection.


DNS Protection Policy Is Not Being Applied 2

Checking whether you can reach [Link] or resolve it will fail.


DNS Protection Policy Is Not Being Applied 2

In this example, if you check the DNS forwarders, they are using Sophos DNS Protection. This would
suggest that the DNS request is being redirected and sent to a different DNS server than the ones
configured.


DNS Protection Policy Is Not Being Applied 2

DNS Redirection / DNS Hijacking

[Diagram: a DNS request from the client, intended for Sophos DNS Protection, is intercepted at the
firewall, router or gateway and sent to an alternate DNS server instead.]

What is DNS redirection? Also known as DNS hijacking, DNS redirection is where DNS requests are
transparently intercepted and sent to a different DNS server. The client and the internal DNS server
still believe they are talking to the servers they were configured with, which is why the forwarder
configuration looks correct while the policy is not applied.


DNS Protection Policy Is Not Being Applied 2

DNS Redirection / DNS Hijacking


There are several scenarios where DNS redirection may take place.
• Some governments use DNS redirection for censorship, redirecting users to government-authorized
sites.
• Many ISPs use DNS redirection to collect statistics and return ads when an unknown domain is
accessed. This is more common on domestic connections than on business connections.
• IT teams may configure DNS redirection on firewalls, gateways or routers to force all DNS traffic to
known-good DNS servers, improving security; if those servers are not Sophos DNS Protection, the
policy is bypassed.
• Malicious actors use DNS redirection to send traffic to malicious and phishing sites, and to display
unwanted ads to generate revenue.


DNS Protection Policy Is Not Being Applied 2

DNS Redirection / DNS Hijacking


If your DNS requests are being redirected, you should:


• Check whether your firewalls, gateways, or routers have been configured to redirect DNS requests.
• Contact your ISP and check if they are redirecting DNS requests.
• Check for the presence of malicious software that could be intercepting DNS requests.
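The checks described in Scenario 1 (is the system client using Sophos DNS Protection?) and Scenario 2 (are queries being redirected?) can be run together from one PowerShell script. This is an added example written for this page, not code from the Sophos course or product. It assumes you substitute the test FQDN and the two Sophos DNS Protection server addresses from the Installers section; the values below are placeholders (TEST-NET addresses and a dummy name). Google DNS (8.8.8.8) is used as a control resolver that should not know the test FQDN.

```powershell
# Added example (not from the Sophos course): check from a Windows host whether DNS queries actually
# reach Sophos DNS Protection, and distinguish a wrong resolver (Scenario 1) from transparent
# redirection of DNS traffic (Scenario 2).
# Assumptions: the test FQDN and Sophos DNS Protection server addresses are not reproduced in this
# document; copy both from the Installers section in Sophos Central. The addresses below are
# TEST-NET placeholders. Google DNS (8.8.8.8) is used as a resolver that should NOT know the test FQDN.
$TestFqdn  = 'REPLACE-WITH-TEST-FQDN'
$SophosDns = @('192.0.2.10', '192.0.2.11')
$PublicDns = '8.8.8.8'

function Resolve-A {
    # Returns the first A-record address for $Name, or $null on any failure (NXDOMAIN, SERVFAIL, timeout).
    # Without -Server the query goes through the Windows DNS client, i.e. the same path browsers use;
    # with -Server it is sent to that server directly, ignoring the interface DNS settings.
    param([string]$Name, [string]$Server)
    $query = @{ Name = $Name; Type = 'A'; DnsOnly = $true; NoHostsFile = $true; ErrorAction = 'Stop' }
    if ($Server) { $query.Server = $Server }
    try {
        $rec = Resolve-DnsName @query | Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
        return $rec.IPAddress
    } catch {
        return $null
    }
}

Clear-DnsClientCache   # a cached answer from an earlier, working configuration would mask the problem

'Resolvers configured per interface:'
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize

$viaClient = Resolve-A -Name $TestFqdn                                  # what applications get
$viaSophos = $SophosDns | ForEach-Object { Resolve-A -Name $TestFqdn -Server $_ } |
             Where-Object { $_ } | Select-Object -First 1               # what Sophos answers directly
$viaPublic = Resolve-A -Name $TestFqdn -Server $PublicDns               # control: should be $null

if ($viaClient) {
    "OK: the system client resolves $TestFqdn to $viaClient; this host is using Sophos DNS Protection."
} elseif ($viaSophos) {
    "Sophos DNS Protection answers when queried directly, but the system client gets nothing:"
    "the client's resolvers or the internal DNS server's forwarders point somewhere else (Scenario 1)."
} else {
    "Direct queries to $($SophosDns -join ', ') also fail: check UDP/53 reachability and look for DNS"
    "redirection on the firewall, gateway or router, or by the ISP (Scenario 2)."
}
if ($viaPublic) {
    "Note: $PublicDns also resolves $TestFqdn, which it should not; queries to other resolvers are being"
    "transparently redirected to Sophos DNS Protection (expected if your firewall enforces that)."
}
```

The logic relies on one observation: a direct query to a Sophos server that fails while the server is reachable means something between the host and Sophos rewrote the destination, whereas a direct query that succeeds while the normal path fails means the normal path simply points elsewhere. Run it from a client behind the internal DNS server, and again on the DNS server itself, to see which hop loses the query.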


DNS Protection Policy Is Not Being Applied 3

With the correct DNS servers being used you will be able to resolve and access
[Link]. Here you can see the webpage has loaded and the Resolve-DnsName
PowerShell command has returned an IP address.


Scenario 3: Error When Accessing Websites


Error When Accessing Websites 1

In this scenario, when you try to access a website, you get an error in the browser. Here you can see
that while trying to access Facebook the browser displays the error ERR_CERT_AUTHORITY_INVALID.


Error When Accessing Websites 2

As the error indicates a certificate issue, you should check that the Sophos DNS Protection certificate
is installed in the ‘Trusted Root Certification Authorities’. Here we can see it is missing.


Error When Accessing Websites 2

The Sophos DNS Protection certificate can be downloaded from the Installers section.

The certificate needs to be installed on all devices as a trusted root certificate authority. This will
usually be deployed using Active Directory Group Policy or another management tool.
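A quick way to confirm whether the certificate is already trusted on a given machine, and to import it if not, is shown below. This is an added example written for this page, not a Sophos tool; the file path and the '*Sophos*' subject pattern are assumptions, and the real certificate comes from the Installers section. Because anything in the machine's Trusted Root store can vouch for any domain name, the thumbprint is printed before import so it can be compared with what the console shows.

```powershell
# Added example (not from the Sophos course): check whether the Sophos DNS Protection root CA is in the
# machine's Trusted Root Certification Authorities store, and import it if it is missing.
# Assumptions: $CerPath is where you saved the certificate downloaded from the Installers section;
# the file name and the '*Sophos*' subject pattern are placeholders, not values from this document.
$CerPath      = 'C:\Temp\SophosDnsProtectionRootCA.cer'
$SubjectMatch = '*Sophos*'

# Load the file without importing it, so the thumbprint can be compared with what the console shows.
# A root CA in this store is trusted to issue certificates for ANY name, so verify before you trust it.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath
'Downloaded CA'
'  Subject:    {0}' -f $cert.Subject
'  Thumbprint: {0}' -f $cert.Thumbprint
'  Expires:    {0}' -f $cert.NotAfter

$root = Get-ChildItem -Path Cert:\LocalMachine\Root
if ($root | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }) {
    'Already present in LocalMachine\Root: block pages for HTTPS sites will render without a certificate error.'
} else {
    'Not present in LocalMachine\Root.'
    # Any similar subject already there points at a stale or different Sophos CA worth reviewing.
    $root | Where-Object { $_.Subject -like $SubjectMatch } |
        Format-Table Subject, Thumbprint, NotAfter -AutoSize
    # Import requires an elevated prompt. For a fleet, publish the same .cer through Group Policy instead
    # (Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies >
    #  Trusted Root Certification Authorities) so every domain-joined device trusts it.
    Import-Certificate -FilePath $CerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    "Imported $($cert.Thumbprint) into LocalMachine\Root."
}
```

Edge and Chrome consult the Windows store, so this is enough for them. Firefox keeps its own trust store and only reads the Windows one when security.enterprise_roots.enabled is true (or the equivalent enterprise policy is set), so a certificate error that appears only in Firefox usually means that setting, not a missing import.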


Error When Accessing Websites 2

Here you can see the Sophos DNS Protection root certificate authority is now installed.


Error When Accessing Websites 3

You will no longer get an error when trying to access the website; instead you will get a block page. The
certificate is only required to display block pages, because the block page for an HTTPS site is served
with a certificate that chains to the Sophos DNS Protection root CA; it is not required for domains that
are not blocked, since their traffic is never touched.


Block Pages: Security Risk

There are three different block pages that you may be presented by Sophos DNS Protection, which can
be useful in identifying the reason for the block.

In this first example, the block page is for a security risk. This is displayed when a user attempts to
access a domain whose reputation has been rated as malicious by SophosLabs.


Block Pages: Policy Block

This second example is displayed when a domain is blocked due to its category having the ‘Block’
action selected in the Sophos DNS Protection policy. In this example it has been categorized as a social
network.


Block Pages: Domain List

In this third and final example, the block page is displayed when a user tries to access a domain that is
listed in a custom domain list and has the ‘Block’ action selected in the policy.


Scenario 4: Webpages Not Loading Correctly


Webpages Not Loading Correctly 1

In this scenario some parts of a webpage do not load correctly. In some instances, it may be easy to
see what is happening; for example, here, where we get a block screen when a video tries to load.


Webpages Not Loading Correctly 1

Other times it may be less obvious as it may be that just some elements of a page have not loaded. In
this example the icons for these videos have not loaded with the rest of the page.


Webpages Not Loading Correctly 2

The first thing to do is open the developer tools in the browser, usually by pressing F12, then reload
the page. In the network section of the developer tools, we can see there are several errors in red.

If you select an error, you can see the full request URL and other details.


Webpages Not Loading Correctly 2

If you double-click on the error, it will try to load the resource in a new tab. This will usually then
display a block page. As we saw earlier, there are different block pages depending on the cause of the
block. In this example the domain is on a custom domain list that is being blocked. Alternatively, it
could be that a specific category is being blocked or that it is trying to load something from a malicious
domain.


Webpages Not Loading Correctly 3

Once you correct the policy configuration the page will load correctly.


Scenario 5: Inconsistent Behaviour


Inconsistent Behaviour 1

In this scenario the policy is not being applied consistently. Sometimes a site will load, and other times
it is blocked by the policy.


Inconsistent Behaviour 2

There are two likely causes for this issue.

First, there are multiple DNS forwarders configured. This means that sometimes when the DNS is
resolved the query may go to another DNS server and so the policy will not be applied.

Only Sophos DNS Protection servers should be configured as the DNS forwarders.


Inconsistent Behaviour 2

[Diagram: DNS requests leave the firewall, router or gateway towards Sophos DNS Protection from either
public IP address 1 or public IP address 2.]

The second cause is that there are multiple public IP addresses that the DNS query could be coming
from, but they have not all been added to a location. In this example, IP address 1 may have been
added to the location in DNS Protection, but IP address 2 may not have been. If there is any load
balancing or failover of DNS traffic from IP address 1 to IP address 2, the policy will not be applied all
the time, because it is not applied to queries arriving from IP address 2.


Inconsistent Behaviour 3

When only using the Sophos DNS Protection servers as the DNS forwarders and ensuring that all public
IP addresses have been added to the location, the policy will be applied consistently.
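Both causes can be checked from the internal Windows DNS server with the script below, an added example written for this page rather than code from the Sophos course. It assumes the DnsServer PowerShell module (present with the DNS Server role), placeholder TEST-NET addresses and a dummy test FQDN in place of the real values from the Installers section, and a constructed server name. The first function audits the forwarders (cause 1); the second sends a burst of queries directly to the Sophos servers so that each one leaves the network and is exposed to whatever egress IP the firewall picks (cause 2).

```powershell
# Added example (not from the Sophos course): audit a Windows DNS server's forwarders against the
# expected Sophos DNS Protection servers (cause 1), then send a burst of direct queries to see whether
# the test FQDN resolves only some of the time (cause 2, e.g. an egress IP missing from the location).
# Assumptions: placeholder TEST-NET addresses and test FQDN (take the real ones from the Installers
# section); $DnsServer is your internal Windows DNS server. Requires the DnsServer PowerShell module.
$SophosDns = @('192.0.2.10', '192.0.2.11')
$TestFqdn  = 'REPLACE-WITH-TEST-FQDN'
$DnsServer = 'dc01.corp.example'      # assumption: constructed name

function Test-DnsForwarders {
    # Compares the configured forwarders with the expected list and emits one line per finding.
    param([string]$ComputerName, [string[]]$Expected)
    $fwd = Get-DnsServerForwarder -ComputerName $ComputerName
    $configured = @($fwd.IPAddress | ForEach-Object { $_.IPAddressToString })
    "Forwarders on ${ComputerName}: $($configured -join ', ')"
    foreach ($ip in $configured) {
        if ($Expected -notcontains $ip) { "PROBLEM: $ip is not a Sophos DNS Protection server; queries it answers bypass the policy" }
    }
    foreach ($ip in $Expected) {
        if ($configured -notcontains $ip) { "PROBLEM: expected forwarder $ip is missing" }
    }
    if ($fwd.UseRootHint) { 'PROBLEM: root hints are enabled, so an unanswered query is resolved without the policy' }
    # Fix (elevated): Set-DnsServerForwarder -ComputerName $ComputerName -IPAddress $Expected -UseRootHint $false
}

function Test-DnsConsistency {
    # Sends $Count queries for $Name straight to the listed servers, alternating between them, and
    # returns the distribution of answers. Going direct skips the internal server's cache, so each query
    # leaves the network and is subject to whatever egress IP and path the firewall picks for it.
    param([string]$Name, [string[]]$Servers, [int]$Count = 20)
    $answers = for ($i = 0; $i -lt $Count; $i++) {
        $srv = $Servers[$i % $Servers.Count]
        try {
            $rec = Resolve-DnsName -Name $Name -Type A -Server $srv -DnsOnly -NoHostsFile -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
            "$srv -> $($rec.IPAddress)"
        } catch {
            "$srv -> FAIL ($($_.Exception.Message))"
        }
        Start-Sleep -Milliseconds 250
    }
    $answers | Group-Object | Sort-Object Count -Descending | Select-Object Count, Name
}

Test-DnsForwarders -ComputerName $DnsServer -Expected $SophosDns
Test-DnsConsistency -Name $TestFqdn -Servers $SophosDns | Format-Table -AutoSize
```

A forwarder list that is correct combined with a mix of answers and FAIL lines in the distribution is the signature of cause 2. Because one client may always be mapped to the same egress IP, repeat the consistency check from hosts behind each WAN link and compare the addresses that fail against the location's IP list.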


Scenario 6: Miscategorized Domain


Miscategorized Domain 1

If you think that a domain is being blocked incorrectly there are a few steps you can take to resolve the
issue.


Miscategorized Domain 2

[Link]

First, log into the Sophos Intelix website using your Sophos ID and submit the URL for analysis. This will
provide a comprehensive breakdown of the categorization including whether Sophos considers the
domain to be malicious. Note that Sophos will always block access to malicious domains, and this
cannot be overridden.

You can find more information about Sophos Intelix in the knowledge base article linked in the notes.

[Additional Information]
Sophos Intelix knowledge base article: [Link]


Miscategorized Domain 2

[Link]

If you think that the domain has been miscategorized you can use the link on the block page to report
the URL for review. You can also do this directly at [Link]/reporturl.


Miscategorized Domain 2

So that you can access the domain while it is being reviewed you can create an allow list and add it to
the policy.


Miscategorized Domain 3

Once you have added the domain to an allow list in the policy or it has been recategorized by Sophos
you will be able to access it.


Scenario 7: IP Address Conflict


IP Address Conflict 1

If two Sophos DNS Protection accounts have the same IP address added, you will start to get alerts.
This should be rare as Sophos Central checks for conflicts when new IP addresses and FQDNs are
added. In the case of a conflict, the first account to have the IP address maintains policy control.


IP Address Conflict 1

As well as seeing alerts in Sophos Central, you will also receive email alerts.

The alert will contain the IP address or FQDN that the conflict has been detected for, and the location
in your account where you have it configured.


IP Address Conflict 2

First check the configuration of the location identified by the alerts.

You need to check that all IP addresses are correct. If you have any FQDNs, you should also check that
these are resolving to the correct IP address.
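The FQDN check can be scripted so that every name in the location is resolved through a public resolver and compared with the public IP you expect. This is an added example written for this page, not Sophos code; the names and addresses in the table are constructed sample data to be replaced with the entries from the location named in the alert, and 8.8.8.8 is assumed as the public resolver so that an internal zone override cannot hide a mismatch.

```powershell
# Added example (not from the Sophos course): confirm that every FQDN configured in a location resolves
# to the public IP you expect, asking a public resolver so an internal zone cannot mask a mismatch.
# Assumptions: the FQDNs and addresses below are constructed sample data; replace them with the
# entries from the location named in the alert. 8.8.8.8 is used as the public resolver.
$Expected = @{
    'branch-a.example.com' = '203.0.113.10'
    'branch-b.example.com' = '203.0.113.11'
}

function Test-LocationFqdn {
    # Emits one status line per FQDN: OK, NO ANSWER, MISMATCH, or EXTRA ADDRESSES (the FQDN also
    # resolves to an address you did not list, which is itself a likely source of conflict alerts).
    param([hashtable]$Map, [string]$Resolver = '8.8.8.8')
    foreach ($fqdn in ($Map.Keys | Sort-Object)) {
        try {
            $addrs = @(Resolve-DnsName -Name $fqdn -Type A -Server $Resolver -DnsOnly -ErrorAction Stop |
                       Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
        } catch {
            $addrs = @()
        }
        $status = 'OK'
        if ($addrs.Count -eq 0) { $status = 'NO ANSWER' }
        elseif ($addrs -notcontains $Map[$fqdn]) { $status = 'MISMATCH' }
        elseif ($addrs.Count -gt 1) { $status = 'EXTRA ADDRESSES' }
        '{0,-26} expected {1,-15} got {2,-31} {3}' -f $fqdn, $Map[$fqdn], ($addrs -join ','), $status
    }
}

Test-LocationFqdn -Map $Expected
```

A MISMATCH on a dynamic DNS name usually means the update client on the firewall has not pushed the current address, and the old address may now belong to someone else, which is exactly how a conflict with another account arises.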


IP Address Conflict 2

[Link]

If your configuration is correct and it is your IP address you will need to raise a support ticket. Support
can identify and contact the other account that has the IP address configured and assist in resolving
the conflict.


IP Address Conflict 3

Once the conflicting IP address has been removed from the other account you will no longer get
alerts.


IP Address Conflict 3

When you add an FQDN or IP address, Sophos Central checks for conflicts. If you see a conflict at this
point and your configuration is correct, you will need to raise a ticket with support.


Chapter Review

Here are the three main things you learned in this chapter.

Sophos DNS Protection uses [Link] and [Link] for its service globally. To ensure consistent
behaviour, only use the Sophos DNS Protection servers as your DNS forwarders and ensure all public IP
addresses have been added to your locations. To test DNS Protection, use the FQDN [Link]; in
PowerShell, use the command Resolve-DnsName.

If you see certificate errors when accessing websites, the Sophos DNS Protection root certificate needs
to be installed as a trusted root certificate authority so that block pages can be displayed. There are
three types of block page depending on the block reason: security, category (policy), and custom
domain list. You cannot override a security block.

For issues with domain categorization, use the Sophos Intelix site to review the categorization and
security information. If a domain is miscategorized, you can submit it for review at
[Link]/reporturl.
