My local network is very naive. I have no AD; just a bunch of 40 Windows 7 computers plugged into the physical network (with a couple of Windows 10 and Linux boxes as well). There is no Windows server of any kind, and no DNS server aside from the Sophos box. I have an SG310 between my local network and the general internet. My DNS and DHCP configuration is thus:

The address of the Sophos port to which my local network is connected is 192.168.1.1.

Network Services | DNS:
Allowed networks = my local network = 192.168.1.0
DNSSEC validation is checked
DNS Forwarders are 184.108.40.206 and 220.127.116.11
Not using forwarders assigned by ISP
Nothing else is configured

Network Services | DHCP:
The interface is set to be my local network
DNS server 1 is set to 192.168.1.1
DNS server 2 is 18.104.22.168
The default gateway is 192.168.1.1

This is about as basic as it gets. And I suspect that more people than are willing to admit it have a similar setup.

My question is: is this setup correct? In particular, is the DNS configuration under DHCP correct? I think that DNS server 2 of 22.214.171.124 is totally wrong, but before I take it away I would like a second opinion.
There is a best practice guide in the community: https://community.sophos.com/products/unified-threat-management/f/management-networking-logging-and-reporting/32566/solved-dns-best-practice/109152#109152
But for your information, your configuration does the following.
The DNS order for your client looks like this: the first DNS server, 192.168.1.1, gives you the answer for your DNS request. If the UTM does not know the answer, it asks the Google DNS server.
Your config with the second DNS bypasses the UTM, but implies that the UTM cannot reach the DNS server.
So if the UTM cannot reach the DNS server, I think your client cannot reach it either.
In my opinion you do not need to configure a second DNS server, but if you need a second DNS server, do not use a DNS server that is configured as a DNS forwarder in the UTM.
Hi Len and welcome to the UTM Community!
I 100% agree with DKKDG.
If you have any Request Routes or any ways of resolving FQDNs to local IPs, you will want to disable DNSSEC.
Cheers - Bob
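Added example, not code from the thread or from Sophos: a small Python script that does two things the replies above describe. First it audits the DNS list DHCP hands to clients the way DKKDG's reply lays it out (server 1 must be the UTM itself; a server 2 that is also one of the UTM's forwarders bypasses the UTM and adds no redundancy, since the client cannot reach it when the UTM cannot). Second it builds a raw DNS query, optionally with the EDNS0 DO bit, and parses the reply header, so you can see whether the UTM answers a local name with NOERROR or SERVFAIL while DNSSEC validation is on, the situation Bob's reply warns about. The gateway address is the thread's 192.168.1.1; the forwarder addresses, the name host.lan and the two sample response packets are constructed placeholders, not values from the thread.

```python
"""Audit the DHCP-handed DNS order and probe a resolver with a raw query.

Added example, not code from the thread or from Sophos. Assumes the UTM
at 192.168.1.1 is DNS server 1 for clients; forwarder addresses and the
sample packets below are constructed placeholders.
"""
import random
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def audit_dhcp_dns(gateway, dhcp_dns, utm_forwarders):
    """Return findings for the DNS server list DHCP offers, in offer order.

    gateway: the UTM's LAN address; dhcp_dns: DNS server 1, 2, ... as DHCP
    hands them out; utm_forwarders: forwarders configured on the UTM.
    """
    findings = []
    if not dhcp_dns or dhcp_dns[0] != gateway:
        findings.append("DNS server 1 should be the UTM itself (%s)" % gateway)
    for srv in dhcp_dns[1:]:
        if srv == gateway:
            continue
        if srv in utm_forwarders:
            findings.append("%s bypasses the UTM and is already a UTM forwarder, "
                            "so it adds no redundancy" % srv)
        else:
            findings.append("%s bypasses the UTM, so names only the UTM resolves "
                            "(Request Routes, local hosts) fail there" % srv)
    return findings


def build_query(name, qtype=1, want_dnssec=False, txid=None):
    """Wire-format DNS query for name (A record by default).

    With want_dnssec an EDNS0 OPT record carrying the DO bit is appended,
    so a validating resolver sets AD on success or answers SERVFAIL when
    it cannot validate the data.
    """
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    flags = 0x0100  # RD: ask the server to recurse for us
    arcount = 1 if want_dnssec else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    pkt = header + qname + struct.pack("!HH", qtype, 1)  # class IN
    if want_dnssec:
        # OPT RR: root name, TYPE 41, UDP payload 4096, ext-rcode 0,
        # version 0, flags with DO set (0x8000), empty RDATA.
        pkt += b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return txid, pkt


def parse_header(resp):
    """Decode the 12-byte DNS header: id, rcode, AA and AD flags, answer count."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": txid,
        "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
        "aa": bool(flags & 0x0400),  # authoritative answer (local record)
        "ad": bool(flags & 0x0020),  # authenticated data (DNSSEC validated)
        "answers": an,
    }


def probe(server, name, want_dnssec=False, timeout=2.0):
    """Send one UDP query to server; None on timeout or mismatched id."""
    txid, pkt = build_query(name, want_dnssec=want_dnssec)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (server, 53))
        try:
            resp, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    hdr = parse_header(resp)
    return hdr if hdr["id"] == txid else None


def resolve_in_dhcp_order(dhcp_dns, name, want_dnssec=False):
    """Simplified client behaviour: server 2 is tried only if server 1 is silent.

    Any reply from server 1, including NXDOMAIN or SERVFAIL, ends the walk,
    which is why a second server does not rescue a failing UTM lookup.
    """
    for server in dhcp_dns:
        hdr = probe(server, name, want_dnssec)
        if hdr is not None:
            return server, hdr
    return None, None


# Constructed reply headers (no question/answer sections, header is enough):
# a validating resolver that failed validation, and one validated answer.
SAMPLE_SERVFAIL = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 0)
SAMPLE_NOERROR_AD = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 0)

if __name__ == "__main__":
    # Placeholder forwarder addresses (RFC 5737 range), not the thread's.
    for f in audit_dhcp_dns("192.168.1.1", ["192.168.1.1", "198.51.100.2"],
                            ["198.51.100.1", "198.51.100.2"]):
        print("finding:", f)
    print(parse_header(SAMPLE_SERVFAIL), parse_header(SAMPLE_NOERROR_AD))
    # Live check on the LAN from the thread (needs network access):
    # print(resolve_in_dhcp_order(["192.168.1.1"], "host.lan", want_dnssec=True))
```

To check Bob's point, run resolve_in_dhcp_order against 192.168.1.1 with want_dnssec=True for a name that a Request Route answers: NOERROR with aa set (and no ad) means the UTM is handing out the local record; SERVFAIL for that name with DNSSEC validation enabled, and NOERROR once it is disabled, is the behaviour the reply warns about. The client walk is deliberately simplified; the Windows resolver's server rotation is more involved, but the point DKKDG makes holds: a reply of any kind from server 1 ends the lookup.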