DNS and DHCP

My local network is very naive.

I have no AD; just a bunch of 40 Windows 7 computers plugged into the physical network (with a couple of Windows 10 and Linux boxes as well).  There is no Windows server of any kind, and no DNS server aside from the Sophos box.

I have a SG310 between my local network and the general internet.  My DNS and DHCP configuration is thus:

  The address of the Sophos port to which my local network is connected is 192.168.1.1

  Network Services | DNS:
    Allowed networks = my local network = 192.168.1.0
    DNSSEC validation is checked
    DNS Forwarders are 8.8.8.8 and 8.8.4.4
    Not using forwarders assigned by ISP
    nothing else is configured

  Network Services | DHCP:
    The interface is set to be my local network
    The DNS server 1 is set to 192.168.1.1.
    The DNS server 2 is 8.8.8.8
    The default gateway is 192.168.1.1.

This is about as basic as it gets.  And I suspect that more people than are willing to admit it have a similar setup.

My question is: is this setup correct?  In particular, is the DNS configuration under DHCP correct?

I think that DNS server 2 of 8.8.8.8 is totally wrong, but before I take it away I would like a second opinion.

  • Hi LenSchrieber,

    there is a best practice guide in the community:
    https://community.sophos.com/products/unified-threat-management/f/management-networking-logging-and-reporting/32566/solved-dns-best-practice/109152#109152

    But for your information, your configuration does the following thing.

    The DNS order for your client looks like this:
    First, DNS server 192.168.1.1 gives you the answer for your DNS request.
    If the UTM does not know the answer, it asks the Google DNS server.

    Your config with the second DNS bypasses the UTM, but implies that the UTM cannot reach the DNS server.

    So if the UTM cannot reach the DNS server, I think your client cannot reach it either.

    In my opinion you do not need to configure a second DNS server, but if you have the need for a second DNS server, do not use a DNS server configured as a DNS forwarder in the UTM.

    Best Regards
    DKKDG

  • Hi Len and welcome to the UTM Community!

    I 100% agree with DKKDG.

    If you have any Request Routes or any ways of resolving FQDNs to local IPs, you will want to disable DNSSEC.

    Cheers - Bob
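A small configuration audit of the setup in the question, written here as an added example to illustrate the two replies above; it is not the poster's configuration, a Sophos tool, or any UTM API. The `GatewayDns` and `DhcpScope` dataclasses, `audit_scope` and `simulate_lookup` are hypothetical names, the scope is assumed to be 192.168.1.0/24 (the question gives only 192.168.1.0), and the "office.lan" request route is a constructed value. `audit_scope` flags every DHCP-advertised resolver that is not the UTM (queries to it skip the UTM's DNSSEC validation and local name resolution, and a resolver that is also one of the UTM's forwarders is the case DKKDG describes), and `simulate_lookup` models the client's failover order to show what a client sees when the UTM resolver is unreachable.

```python
from dataclasses import dataclass, field
from ipaddress import ip_network


@dataclass
class GatewayDns:
    """Hypothetical model of the UTM's Network Services | DNS settings."""
    listen_address: str                 # interface address clients should query
    allowed_networks: list[str]         # networks permitted to use the UTM resolver
    forwarders: list[str]               # upstream resolvers the UTM forwards to
    dnssec_validation: bool
    request_routes: list[str] = field(default_factory=list)  # local zones answered by internal servers


@dataclass
class DhcpScope:
    """Hypothetical model of the UTM's Network Services | DHCP scope options."""
    network: str
    dns_servers: list[str]              # in the order handed to clients
    default_gateway: str


def audit_scope(scope: DhcpScope, gw: GatewayDns) -> list[str]:
    """Return human-readable findings for client resolvers that bypass the UTM."""
    findings: list[str] = []
    net = ip_network(scope.network)
    # Clients can only use the UTM resolver if their network is allowed to query it.
    if not any(net.subnet_of(ip_network(allowed)) for allowed in gw.allowed_networks):
        findings.append(f"{scope.network} is not in the DNS allowed networks; "
                        f"clients will get no answers from {gw.listen_address}")
    if gw.listen_address not in scope.dns_servers:
        findings.append(f"the UTM itself ({gw.listen_address}) is not handed out as a DNS server")
    for position, server in enumerate(scope.dns_servers, start=1):
        if server == gw.listen_address:
            continue
        # Any other server is queried directly by the client, so the UTM's DNSSEC
        # validation and any local request routes are skipped for that query.
        if server in gw.forwarders:
            findings.append(f"DNS server {position} ({server}) is one of the UTM's own forwarders: "
                            "clients fall back straight to it, bypassing the UTM, and if the UTM "
                            "cannot reach it the clients most likely cannot either")
        else:
            findings.append(f"DNS server {position} ({server}) is not the UTM; queries to it bypass "
                            "DNSSEC validation and local name resolution")
    # Per the second reply: with request routes to internal servers in place,
    # DNSSEC validation should be turned off, because those answers cannot be validated.
    if gw.dnssec_validation and gw.request_routes:
        findings.append("DNSSEC validation is enabled while request routes exist for "
                        + ", ".join(gw.request_routes) + "; disable DNSSEC or local lookups will fail")
    return findings


def simulate_lookup(name: str, scope: DhcpScope, gw: GatewayDns, utm_reachable: bool = True):
    """Model the client's failover: the first reachable resolver in the list answers.

    Returns (server_that_answered, validated_by_utm, result) where result is
    'local', 'public', 'nxdomain' (a local name asked of a public resolver)
    or 'servfail' (no resolver reachable)."""
    is_local = any(name == zone or name.endswith("." + zone) for zone in gw.request_routes)
    for server in scope.dns_servers:
        if server == gw.listen_address:
            if not utm_reachable:
                continue  # client moves on to the next advertised server
            return server, gw.dnssec_validation, "local" if is_local else "public"
        # A public resolver has never heard of the private zone.
        return server, False, "nxdomain" if is_local else "public"
    return None, False, "servfail"


if __name__ == "__main__":
    # Constructed from the question: UTM at 192.168.1.1 forwarding to Google,
    # DHCP handing out the UTM first and 8.8.8.8 second; scope assumed to be /24.
    utm = GatewayDns("192.168.1.1", ["192.168.1.0/24"], ["8.8.8.8", "8.8.4.4"], True)
    scope = DhcpScope("192.168.1.0/24", ["192.168.1.1", "8.8.8.8"], "192.168.1.1")
    for finding in audit_scope(scope, utm):
        print("-", finding)
    print(simulate_lookup("example.com", scope, utm, utm_reachable=False))
```

Running it on the question's values produces exactly one finding, the second DNS server 8.8.8.8; removing it from the scope yields a clean audit, and the simulation shows that with the UTM resolver down a client silently walks past it to Google, which answers public names but returns NXDOMAIN for anything served only by a request route.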