Troubleshooting
Troubleshoot DNS Protection issues.
Access issues
Internet issues on Apple devices
Issue
You aren't able to access internet on iPhone devices but you can access it on other devices.
What to do
Your Apple devices might have iCloud Private Relay settings turned on. Turn off Limit IP Address Tracking on iPhone devices. For more information, see Prepare your network or web server for iCloud Private Relay.
Configured locations using private IP addresses
Issue
You're facing internet issues at your locations and DNS requests aren't resolved. This might be because you've added locations using private IP addresses. Private IP addresses, such as 172.x.x.x and 192.x.x.x, won't work.
What to do
Configure the location using its public IP address. It's usually the IP address of your router's WAN interface.
Configured multiple servers for DNS resolution
Issue
DNS Protection isn't working for you because you've configured multiple servers for DNS resolution. This might also be because you've configured a separate DNS server for resolving IPv6 addresses. DNS Protection is an IPv4-based DNS service that is also capable of resolving IPv6 addresses. You don't need a separate IPv6 DNS server to resolve IPv6 addresses.
What to do
To resolve this issue, do as follows:
- Use only DNS Protection to resolve public DNS requests.
- Turn off the IPv6 DNS services by modifying the DHCPv6 settings at a network level or configuring the IPv6 stack so it doesn't automatically get a DNS address.
Dashboard
The dashboard doesn't show the DNS traffic information
Issue
You can't see your DNS traffic information on the dashboard.
What to do
This might be because of "DNS hijacking" by your ISP. To resolve this issue, add the DNS Protection IP addresses to the DNS settings on your router. See DNS policies are not applied.
Locations
IPv6 address isn't accepted
Issue
The Add location page doesn't accept an IPv6 address.
What to do
Currently, we only support IPv4 for static IP addresses and hostnames.
No communication with DNS Protection IP addresses
Issue
Your systems can't communicate with DNS Protection IP addresses.
What to do
DNS Protection only accepts requests when they originate from configured locations. Use the DNS servers after you've configured your locations in Sophos Central.
DNS requests from a location are no longer being resolved
Issue
DNS Protection has stopped resolving DNS requests from a location.
What to do
This issue might occur for the following reasons:
- The FQDN you entered in the location isn't resolving to a valid IP address. You must check your DNS configuration to resolve this.
- The IP address you entered or the IP address for an FQDN in the location conflicts with another user. DNS Protection gives precedence to the user who created the location first. In this case, we recommend you ask your ISP for a unique IP address.
You can see alerts for these issues on the Alerts page in Sophos Central.
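The location rules above (public IPv4 only, no IPv6, and an FQDN must resolve to a valid public IPv4 address) can be checked before you add a location. The following is an added example and not Sophos code; the entry names and the fake resolver are constructed for offline use.

```python
import ipaddress
import socket
from typing import Callable, List, Optional

# Added example, not Sophos code: applies the location rules described on this
# page (public IPv4 only, no IPv6, FQDNs must resolve to a public IPv4 address).

def _check_ipv4(addr: ipaddress.IPv4Address) -> str:
    if addr.is_private or addr.is_loopback or addr.is_link_local:
        return "private IPv4 address; use the public address of the router WAN interface"
    if not addr.is_global:
        return "reserved or shared-address-space IPv4 address; not routable on the internet"
    return "ok"

def _resolve_ipv4(name: str) -> List[str]:
    """Default lookup: A records only (AF_INET), since DNS Protection is IPv4-based."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def classify_location(entry: str,
                      resolve: Optional[Callable[[str], List[str]]] = None) -> str:
    """Return 'ok' if the entry can work as a DNS Protection location, else the reason."""
    try:
        addr = ipaddress.ip_address(entry)
    except ValueError:
        # Not an IP literal: treat it as an FQDN and check what it resolves to.
        addrs = (resolve or _resolve_ipv4)(entry)
        if not addrs:
            return "FQDN does not resolve to an IPv4 address"
        problems = set()
        for a in addrs:
            try:
                verdict = _check_ipv4(ipaddress.IPv4Address(a))
            except ValueError:
                verdict = "FQDN resolved to a non-IPv4 address"
            if verdict != "ok":
                problems.add(verdict)
        return "ok" if not problems else "; ".join(sorted(problems))
    if addr.version == 6:
        return "IPv6 addresses are not supported for locations"
    return _check_ipv4(addr)

if __name__ == "__main__":
    # Constructed sample entries and a fake resolver, so this runs offline.
    fake = lambda name: {"branch.example.test": ["192.168.1.10"]}.get(name, [])
    for entry in ["192.168.1.10", "2001:db8::1", "8.8.8.8", "branch.example.test"]:
        print(entry, "->", classify_location(entry, resolve=fake))
```

Without the `resolve` argument the function uses the system resolver, so an FQDN check then reflects what your own DNS configuration returns.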
Policies
A website is wrongly categorized
Issue
You think that a website is wrongly categorized.
What to do
You can do one of the following tasks:
- Create a custom domain list, add that website to the list, and add the list to a policy to allow or block the website. See Add a policy and Domain lists.
- Submit a recategorization request at Sophos Support.
To do this, do as follows:
- Under Submit a Sample, click Web Address (URL).
- In Web Address (URL), enter the website you want us to recategorize.
- In Product/Services, select Sophos XG Firewall.
Note
Sophos Firewall has the same website categories as DNS Protection.
- In Comments, mention that this recategorization request is for DNS Protection, not Sophos Firewall. You can also add other details about your request.
- Add your personal details.
- Click Submit URL.
Updated policy isn't immediately enforced
Issue
You updated a policy to block a previously allowed domain. The policy isn't immediately enforced, and you can still access the domain.
What to do
This occurs if the domain you've blocked has a long DNS time to live (TTL). In this case, the domain is accessible until its DNS TTL expires.
Domains
Allowed domain is blocked
Issue
You've allowed a domain using a custom domain list but DNS Protection blocks it.
What to do
This might be because the domain is a security risk. DNS Protection always blocks sites SophosLabs flags as a threat or security risk.
Dynamic DNS
Cloudflare configuration
Issue
If you set up an A record on a domain registered with Cloudflare, your configuration switches to "Proxy mode". In this configuration, the A record returns a Cloudflare IP address, not the IP address you specify. This isn't ideal if you want to create a DynDNS entry to point to your IP address.
What to do
In Cloudflare, set Proxy status to DNS only to ensure your DNS entry points to the IP address you specify.
Installers
Can't access block pages
Issue
You can access the DNS Protection welcome page, but when you visit a site blocked by a DNS Protection policy, you see the original site and not a block page.
You won't see the block page if your firewall isn't configured to use DNS Protection to resolve domain names and is filtering traffic in web proxy mode with Pharming Protection turned on. This causes the firewall to send web connections to the IP address it gets from its DNS server instead of using DNS Protection to redirect them to the block page.
What to do
Use one of the following options:
- Configure your firewall to use DNS Protection as its DNS server.
- Turn off pharming protection.
- Turn off firewall web filtering and TLS decryption on connections to the DNS Protection block page service as follows:
- Create an FQDN object for the name blockpage.dnsprotection.sophos.com.
- Create a firewall rule that allows all HTTP and HTTPS service traffic. The source network must be your internal zones and networks, and the destination must be the WAN zone. Use the new FQDN object to specify the destination networks. Set an Allow action, and don't turn on any web filtering options.
- Create a TLS rule that allows HTTPS connections to the block page service without decryption, using the same selection criteria as the firewall rule but with a Do not decrypt action.
More resources