My local network is very naive.

I have no AD; just a bunch of 40 Windows 7 computers plugged into the physical network (with a couple of Windows 10 and Linux boxes as well).  There is no Windows server of any kind, and no DNS server aside from the Sophos box.

I have an SG310 between my local network and the general internet.  My DNS and DHCP configuration is thus:

  The address of the Sophos port to which my local network is connected is

  Network Services | DNS:
    Allowed networks = my local network =
    DNSSEC validation is checked
    DNS Forwarders are and
    Not using forwarders assigned by ISP
    nothing else is configured

  Network Services | DHCP:
    The interface is set to be my local network
    The DNS server 1 is set to
    The DNS server 2 is
    The default gateway is

This is about as basic as it gets.  And I suspect that more people than are willing to admit it have a similar setup.

My question is: is this setup correct?  In particular, is the DNS configuration under DHCP correct?

I think that DNS server 2 of is totally wrong, but before I take it away I would like a second opinion.

  • Hi LenSchrieber,

    There is a best practice guide in the community.

    But for your information, your configuration does the following:

    The DNS order for your client looks like this:
    The first DNS server gives you the answer for your DNS request.
    If the UTM does not know the answer, it asks the Google DNS server.

    Your config with the second DNS bypasses the UTM, but implies that the UTM cannot reach the DNS server.

    So if the UTM cannot reach the DNS server, I think your client cannot reach it either.

    In my opinion you do not need to configure a second DNS server, but if you need a second DNS server, do not use a DNS server configured as a DNS forwarder in the UTM.

    Best Regards

  • Hi Len and welcome to the UTM Community!

    I 100% agree with DKKDG.

    If you have any Request Routes or any ways of resolving FQDNs to local IPs, you will want to disable DNSSEC.

    Cheers - Bob
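The two replies above boil down to a few checks on the DHCP-advertised DNS servers: DNS 1 should be the UTM itself, a second server that is one of the UTM's own forwarders bypasses the UTM and adds no redundancy, and DNSSEC validation conflicts with Request Routes for local names. The following is an added example, not code from the thread or from Sophos; all addresses in it are constructed placeholders, and the function name and parameters are my own.

```python
# Added example (not from the original thread): a small lint for the DHCP
# DNS settings discussed above. Every address used here is a constructed
# placeholder; substitute your own UTM interface address, DHCP DNS servers,
# configured forwarders and local network.
import ipaddress


def lint_dhcp_dns(utm_ip, dhcp_dns, forwarders, local_net, dnssec, request_routes):
    """Return a list of findings about the DNS servers handed out by DHCP.

    utm_ip         - address of the UTM interface facing the LAN
    dhcp_dns       - DNS servers advertised by DHCP, in order (DNS 1, DNS 2, ...)
    forwarders     - DNS forwarders configured on the UTM
    local_net      - the LAN network, e.g. "192.168.1.0/24"
    dnssec         - True if DNSSEC validation is enabled on the UTM
    request_routes - True if Request Routes resolve FQDNs to local IPs
    """
    net = ipaddress.ip_network(local_net)
    utm = ipaddress.ip_address(utm_ip)
    fwd = {ipaddress.ip_address(f) for f in forwarders}
    findings = []
    if not dhcp_dns:
        return ["no DNS server advertised by DHCP"]
    servers = [ipaddress.ip_address(s) for s in dhcp_dns]
    if servers[0] != utm:
        findings.append(f"DNS 1 should be the UTM ({utm}), got {servers[0]}")
    for i, s in enumerate(servers[1:], start=2):
        if s in fwd:
            # The client falls back to the same upstream the UTM forwards to:
            # if the UTM cannot reach it, the client cannot either, and names
            # only the UTM knows (local hosts) will not resolve at all.
            findings.append(f"DNS {i} ({s}) is a UTM forwarder: bypasses the UTM, no redundancy")
        elif s not in net and s != utm:
            findings.append(f"DNS {i} ({s}) is outside {net}: clients using it bypass the UTM")
    if dnssec and request_routes:
        findings.append("DNSSEC validation is enabled while Request Routes resolve local names; disable DNSSEC")
    return findings


if __name__ == "__main__":
    # Constructed sample mirroring the setup in the question: UTM as DNS 1,
    # a public resolver that is also a UTM forwarder as DNS 2.
    for line in lint_dhcp_dns("192.168.1.1", ["192.168.1.1", "8.8.8.8"],
                              ["8.8.8.8", "8.8.4.4"], "192.168.1.0/24",
                              dnssec=True, request_routes=False):
        print(line)
```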