Domain Name poisoning attacks and Sophos XG Protection

I have written about DNS security and Sophos XG firewall protection before, but I didn't cover domain name poisoning attacks there because they have nothing to do with DNS traffic itself; this is extra web protection for Sophos XG users. Domain name poisoning causes a name server to return an incorrect resource record, e.g. an IP address, so that traffic is diverted to the attacker's computer.

The Sophos Firewall offers a feature called "Pharming protection". Pharming protection protects users against domain name poisoning attacks by repeating the DNS lookup before connecting.

You can enable or disable it under Protect > Web > General Settings > Advanced Settings > Enable pharming protection.

Let's check how it protects you. The domain resolves to several IPs, such as:

Non-authoritative answer:
Addresses:  2620:1ec:c11::200

But somehow a hacker has overwritten my hosts file and redirected this traffic to a fake IP, for example:

Pinging [] with 32 bytes of data:
Reply from bytes=32 time=8ms TTL=59
Reply from bytes=32 time=7ms TTL=59
Reply from bytes=32 time=11ms TTL=59
Reply from bytes=32 time=9ms TTL=59

At this point, the "Pharming Protection" feature is not enabled on my Sophos XG firewall.

Fig 1.1-Sophos Dashboard

When I try to access the site, I get this error message:

My traffic is redirected to the fake server (the fake IP for the domain), and the attacker succeeds in capturing your traffic, possibly including a username and password you entered.

Now I enable "Pharming Protection" on the Sophos XG Firewall and test the same again:

Trying to access the site again:

The website now works, but my system's local DNS still resolves the name to the fake address.

How does Pharming Protection work?
  • I type the URL into the browser and hit Enter.
  • The host uses its hosts file, its DNS cache, or the configured DNS servers to resolve the name to an IP address.
  • The host opens a TCP session to that IP address and sends an HTTP GET (port 80) or a TLS Client Hello (port 443).
  • The firewall's web proxy service reads the Host field of the HTTP GET or the SNI (Server Name Indication) field of the Client Hello and determines, from the URL filtering configuration, whether the user is allowed to reach this host.
  • If the user is allowed to reach the host, the firewall re-resolves the host name using its own configured DNS servers.
  • The proxy then makes the request to the IP that the XG Firewall resolved and serves the web page.

What if the configured DNS server can't resolve the domain name?
  • If the proxy cannot resolve the name, XG Firewall uses the IP address resolved by the host in step 2 and serves the web page; Sophos UTM, by contrast, sends a "Host not found" error page. Note that in this fallback case the proxy connects to the address the client supplied, so pharming protection does not apply.
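To make the steps above and the DNS-failure fallback concrete, here is an added Python model of the proxy's decision: read the Host header, re-resolve with the firewall's own DNS, and choose which IP to connect to (XG versus UTM behaviour when resolution fails). This is example code written for this article, not Sophos code; the trusted resolver, the host names and the documentation-range IPs are constructed stand-ins so it runs offline.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional
# Constructed stand-in for the firewall's configured DNS servers (documentation
# address ranges, not real records): name -> ordered list of answers.
TRUSTED_DNS: Dict[str, List[str]] = {
    "example.com": ["192.0.2.10", "2001:db8::10"],
}

def trusted_resolve(name: str) -> List[str]:
    """Step 5: re-resolve the host with the firewall's own DNS servers."""
    return TRUSTED_DNS.get(name.lower().rstrip("."), [])

def host_from_http_get(request: bytes) -> Optional[str]:
    """Step 4: read the Host header from a raw HTTP request (port stripped)."""
    head = request.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    for line in head.split("\r\n")[1:]:
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "host":
            host = value.strip()
            # "name:port" form; bracketed IPv6 literals are left untouched.
            return host.rsplit(":", 1)[0] if ":" in host and not host.startswith("[") else host
    return None

@dataclass
class Decision:
    connect_ip: Optional[str]
    verdict: str  # "ok" | "pharming-suspected" | "fallback-client-ip" | "host-not-found"

def pharming_check(client_ip: str, hostname: str, mode: str = "xg",
                   resolve: Callable[[str], List[str]] = trusted_resolve) -> Decision:
    """Decide which IP the proxy connects to, following the steps above."""
    answers = resolve(hostname)
    if not answers:
        # Firewall DNS fails: XG falls back to the host's own resolution (step 2),
        # UTM serves a "Host not found" error page instead.
        if mode == "xg":
            return Decision(client_ip, "fallback-client-ip")
        return Decision(None, "host-not-found")
    if client_ip in answers:
        return Decision(client_ip, "ok")
    # The client's IP (hosts file / poisoned cache) is not a trusted answer:
    # connect to the re-resolved address and flag the mismatch for logging.
    return Decision(answers[0], "pharming-suspected")

if __name__ == "__main__":
    # Constructed request: a hosts-file entry sent the client to 198.51.100.7.
    request = b"GET / HTTP/1.1\r\nHost: example.com\r\nUser-Agent: demo\r\n\r\n"
    name = host_from_http_get(request) or ""
    d = pharming_check("198.51.100.7", name)
    print(f"host={name} client_ip=198.51.100.7 -> connect={d.connect_ip} verdict={d.verdict}")
```

A "pharming-suspected" verdict is the event worth logging on the firewall, since it means the client's resolution disagreed with trusted DNS.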

In the next article, I will discuss an issue with "Pharming Protection" and Bridge mode of Sophos XG Firewall.

An Article By Deepak Kumar