Troubleshooting

Issue

You aren't able to access internet on iPhone devices but you can access it on other devices.

What to do

Your Apple devices might have iCloud Private Relay settings turned on. Turn off Limit IP Address Tracking on iPhone devices. For more information, see Prepare your network or web server for iCloud Private Relay.

Issue

You're facing internet issues at your locations and DNS requests aren't resolved. This might be because you've added locations using private IP addresses. Private IP addresses, such as 172.x.x.x and 192.x.x.x won't work.

What to do

Configure the location using its public IP address. It's usually the IP address of your router's WAN interface.

Issue

DNS Protection isn't working for you because you've configured multiple servers for DNS resolution. This might also be because you've configured a separate DNS server for resolving IPv6 addresses. DNS Protection is an IPv4-based DNS service that is also capable of resolving IPv6 addresses. You don't need a separate IPv6 DNS server to resolve IPv6 addresses.

What to do

To resolve this issue, do as follows:

1. Use only DNS Protection to resolve public DNS requests.
2. Turn off the IPv6 DNS services by modifying the DHCPv6 settings at a network level or configuring the IPv6 stack so it doesn't automatically get a DNS address.

Issue

You can't see your DNS traffic information on the dashboard.

What to do

This might be because of "DNS hijacking" by your ISP. To resolve this issue, add the DNS Protection IP addresses to the DNS settings on your router. See DNS policies are not applied.

Issue

The Add location page doesn't accept an IPv6 address.

What to do

Currently, we only support IPv4 for static IP addresses and hostnames.

Issue

Your systems can't communicate with DNS Protection IP addresses.

What to do

DNS Protection only accepts requests when they originate from configured locations. Use the DNS servers after you've configured your locations in Sophos Central.

Issue

DNS Protection has stopped resolving DNS requests from a location.

What to do

This issue might occur for the following reasons:

• The FQDN you entered in the location isn't resolving to a valid IP address. You must check your DNS configuration to resolve this.
• The IP address you entered or the IP address for an FQDN in the location conflicts with another user. DNS Protection gives precedence to the user who created the location first. In this case, we recommend you ask your ISP for a unique IP address.

You can see alerts for these issues on the Alerts page in Sophos Central.

Issue

You think that a website is wrongly categorized.

What to do

You can do one of the following tasks:

• Create a custom domain list, add that website to the list, and add the list to a policy to allow or block the website. See Add a policy and Domain lists.

• Submit a recategorization request at Sophos Support.

  To do this, do as follows:

  1. Under Submit a Sample, click Web Address (URL).
  2. In Web Address (URL), enter the website you want us to recategorize.

  3. In Product/Services, select Sophos XG Firewall.

     Note

     Sophos Firewall has the same website categories as DNS Protection.

  4. In Comments, mention that this recategorization request is for DNS Protection, not Sophos Firewall. You can also add other details about your request.

  5. Add your personal details.
  6. Click Submit URL.

Issue

You updated a policy to block a previously allowed domain. The policy isn't immediately enforced, and you can still access the domain.

What to do

This occurs if the domain you've blocked has a long DNS time to live (TTL). In this case, the domain is accessible until its DNS TTL expires.

Issue

You've allowed a domain using a custom domain list but DNS Protection blocks it.

What to do

This might be because the domain is a security risk. DNS Protection always blocks sites SophosLabs flags as a threat or security risk.