There are two ways to configure DNS:
One way:
- Allowing DNS outgoing for your internal nameservers
- internal nameservers forwarding to ISP-DNS
- ASG pointing to internal nameservers
Another way:
- ASG forwarding to ISP-nameservers
- "request routing" on ASG for internal domain pointing to internal nameservers
- internal nameservers forwarding to ASG
Which way do you use? And why? Which is "officially preferred"?
Both configurations seem working good for me, we run the first alternative on our cluster, the second in branch offices without internal dns (domain dns reachable via site2site-vpn).
Thanks for your ideas!
Thomas
BAlfson's DNS Best Practice's post has been moved to it's own highlighted thread here: https://community.sophos.com/utm-firewall/f/recommended-reads/122972/dns-best-practice
[edited by: FloSupport at 11:12 AM (GMT -7) on 18 Sep 2020]