
UTM DNS requests from multiple internal VLANs to different public name servers

I am having problems determining the best plan of action to resolve my issue.  I have multiple internal VLANs that I would like to route DNS requests to various public name servers depending on the source network.  We have a multi domain AD forest running DNS servers that support the clients in each network.  I have set those local AD DNS forwarders to point to the UTM on all DCs.  All outbound requests filter through a single UTM and out a single Internet circuit.  The primary network is no big deal as it's using the built in Forwarders in the UTM global DNS settings.  There is no way that I can see to bind DNS settings for each additional segmented network under the DNS settings in the UTM.  My next thought is to use a NAT rule to intercept DNS traffic from the source network in question and send out to the correct public DNS server for that VLAN.  I'm uncertain if this is the correct way this should be handled though.  Please help me understand if this thinking is correct.  Thanks for the help in advance!

  • Hello Jerrod,

    Would it not be easier to set up the DHCP scopes to each network to utilise different DNS servers when they get their leases?

    You are correct, you could do this with DNATs, where you would state "If a port 53 packet is coming from this network subnet to this internal UTM IP, then forward it to an availability group of the intended DNS servers". Availability groups are great for something like this because you can put a list of target servers in there and it will select whichever one responds first, in list priority order.

    But frankly, I think setting up the DHCP scoping to assign the relevant DNS servers would be a much better option.

    Emile

  • Thanks for the quick response!  I should have explained my reasoning behind this in my first post.  We are looking at using a DNS content filtering solution similar to Cisco's Umbrella/OpenDNS for specific networks.  We still want to utilize the local DNS for internal machine name resolution, so I would need to make sure those machines' DNS settings are pointing internally and then use the forwarders option in AD DNS to forward on to the UTM.  If there is an option locally in AD DNS to do split horizon DNS then please share, because that would definitely be easier for me.  My struggles tend to be a lot around how Sophos UTM works internally.  It's not bad, just different from other vendors I've used in the past.  Thanks for your help!  Any other potential options from the community that sound like a better plan?

  • Hi neighbor and welcome to the UTM Community!

    Take a look at DNS best practice.  If you can't answer your own question after that, please come back here and comment.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
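The two ideas in this thread, Emile's DNAT keyed on the source subnet that hands port 53 traffic to an availability group of resolvers, and the original poster's need to keep internal AD zones resolving on-prem while everything else goes to a filtering resolver, combine into one forwarding decision. The following is an added illustration written for this discussion, not Sophos UTM code and not anything the posters provided. It parses a raw DNS query for the question name, sends names under the internal zones to the AD DNS servers regardless of source VLAN, otherwise picks the resolver group by the most specific source network (the same thing a source-based DNAT rule expresses), and then takes the first group member that answers, in priority order. All subnets, resolver addresses and zone names are constructed placeholders, and the `is_up` callback stands in for the UTM's availability-group health check so the logic runs offline.

```python
"""Policy-based DNS forwarding decision: split horizon by zone, resolver
group by source VLAN, first responder wins within the group.

Added example for the thread above; not Sophos UTM code.  Every address,
subnet and zone name below is a constructed placeholder.
"""
import ipaddress
import struct
from typing import Callable, List, Optional, Tuple

# Constructed policy table: source VLAN -> ordered resolver list (an
# "availability group": the first entry that answers wins).
SOURCE_POLICY = [
    (ipaddress.ip_network("10.10.0.0/24"), ["203.0.113.10", "203.0.113.11"]),  # VLAN A: filtering resolvers
    (ipaddress.ip_network("10.20.0.0/24"), ["198.51.100.53"]),                 # VLAN B: plain public resolver
    (ipaddress.ip_network("10.0.0.0/8"),   ["192.0.2.53"]),                    # any other internal VLAN
]
# Zones that must never leave the site: always answered by AD DNS.
INTERNAL_ZONES = ("corp.example", "ad.corp.example")
AD_DNS = ["10.0.0.10", "10.0.0.11"]


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query (RFC 1035 wire format) for offline testing."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    question = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    ) + b"\x00"
    return header + question + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def parse_qname(packet: bytes) -> str:
    """Return the lower-cased question name from a raw DNS query packet."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels: List[str] = []
    pos = 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated question name")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers are not valid in a query's question name
            raise ValueError("compression pointer in question name")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels).lower()


def is_internal(qname: str) -> bool:
    """Split-horizon check: is the name at or under a zone kept on-prem?"""
    return any(qname == z or qname.endswith("." + z) for z in INTERNAL_ZONES)


def candidate_upstreams(src_ip: str, qname: str) -> List[str]:
    """Ordered resolver list for one query.

    Internal zones go to AD DNS whatever the source VLAN.  Everything else is
    matched against SOURCE_POLICY by the most specific (longest prefix) network
    containing the source address, mirroring a DNAT rule keyed on source subnet.
    """
    if is_internal(qname):
        return list(AD_DNS)
    addr = ipaddress.ip_address(src_ip)
    best: Optional[Tuple[ipaddress.IPv4Network, List[str]]] = None
    for net, servers in SOURCE_POLICY:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, servers)
    if best is None:
        raise LookupError(f"no DNS policy for source {src_ip}")
    return list(best[1])


def choose_resolver(src_ip: str, packet: bytes, is_up: Callable[[str], bool]) -> str:
    """First reachable resolver, in priority order, for this source and query.

    `is_up` stands in for the availability-group health check.
    """
    qname = parse_qname(packet)
    for server in candidate_upstreams(src_ip, qname):
        if is_up(server):
            return server
    raise RuntimeError(f"no resolver in the group for {src_ip} is responding")


if __name__ == "__main__":
    reachable = {"203.0.113.11", "198.51.100.53", "192.0.2.53", "10.0.0.10"}
    # VLAN A host: primary filtering resolver is down, so the second one is chosen.
    print(choose_resolver("10.10.0.25", build_query("www.example.com"), reachable.__contains__))
```

The practical point the thread turns on is visible in `candidate_upstreams`: the split-horizon decision (internal zone or not) has to happen before the per-VLAN decision, otherwise a DNAT that matches all port 53 traffic from a VLAN would also redirect lookups for the AD domain to the public filtering resolver, which is exactly why the poster keeps clients pointed at AD DNS and only forwards from there.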