Godaddy Domain and Subdomain Forwarding times out without forwarding, unexpectedly, when using a Sonicwall Firewall.
Domain Forwarding is typically used to redirect a user to a different website when they type in a URL in a browser. In this case, the forwarding will time out – with either a browser 404 error – or a CONNECTION_TIMED_OUT message. DNS resolution will work properly – subdomain.domain.com for example will return the correct A record, pointing to Godaddy’s IP addresses.
The domain redirect may work sporadically on some phones or computers where traffic is not directly passing through a Sonicwall firewall.
The reason for the failed domain forwarding is that by default the Sonicwall enables TCP Packet Sequence Randomization which causes Godaddy’s Domain Forwarding service to break. When doing packet analysis in Wireshark, we saw TCP ACK connections out of sequence and dropped connections.
To fix this issue:
- Login into the IP address of the Sonicwall firewall.
- Go to http://{firewall.ip.address}/diag.html – You will get a warning about Advanced Settings
- Click on Internal Settings.
- Untick the box: “Enable TCP sequence number randomization”
- Scroll up and click Accept.
- Click Close.
- Reboot the firewall.
Verify you can now access a Domain forwarded address. Note that servers behind the firewall will be slightly more vulnerable to host identification by disabling this TCP Sequence Randomization. But in this case, it would be a fairly targetted attack, so the overall risk is low.
