
[SOLVED] DNS best practice?

There are two ways to configure DNS:

One way:
- Allowing DNS outgoing for your internal nameservers
- internal nameservers forwarding to ISP-DNS
- ASG pointing to internal nameservers 

Another way:
- ASG forwarding to ISP-nameservers
- "request routing" on ASG for internal domain pointing to internal nameservers
- internal nameservers forwarding to ASG
 
Which way do you use? And why? Which is "officially preferred"?
Both configurations seem to work well for me; we run the first alternative on our cluster, the second in branch offices without internal DNS (domain DNS reachable via site-to-site VPN).

Thanks for your ideas!
Thomas



BAlfson's DNS Best Practice post has been moved to its own highlighted thread here: https://community.sophos.com/utm-firewall/f/recommended-reads/122972/dns-best-practice
[edited by: FloSupport at 11:12 AM (GMT -7) on 18 Sep 2020]
  • Bob, you might want to edit the following in RED.

    In 'Request Routing', the internal DNS is used for reverse DNS of internal IPs (for example, if your internal subnet is 172.16.20.0/24, you would have "20.16.172.in-addr.arpa" in the 'Domain' field and your internal DNS server(s) in 'Target Servers'). With that, the UTM can list machine names instead of internal IP addresses in the reports.

    I was able to figure out why resolution still wasn't working because I forgot to put the period (.) after arpa.  Might want to edit that line to make sure people include the period at the end.

     

    - Chris

    Breakingcustom Technologies, LLC.
    Sophos Silver Solution Partner
    Sophos XG16.5 Certified Architect / Sophos UTM Network Engineer

  • Interesting, Chris!  I wonder what is different since I think that this works for my clients with "arpa" instead of "arpa." in the Request Route.  What test are you making to see whether reverse DNS is working - are you looking at the Executive Report?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Regarding the answer from Breakingcustom and yours:

     

    In the RFC, the DNS trailing dot is needed for fully-qualified (unambiguous) DNS domain names. The . (dot) is the root of DNS. An example: community.sophos.com. is in fact a fully-qualified (unambiguous) DNS domain name for this community. It will "spell" root com sophos community.

     

    Best regards

     

    Georg

  • Hi Chris and Georg,

    To see what's in the Bind configuration file in the UTM, I did:

    cat /var/sec/chroot-bind/etc/named.conf|more

    The result showed:

            zone "10.in-addr.arpa" IN {
                    type forward;
                    forward only;
                    forwarders {
                            10.x.y.7;
                    };
                    check-names ignore;
    };

    I then Googled to find that this appears to be correct usage in Bind: Configuring Reverse DNS in BIND 9.

    Does anyone have information to the contrary?

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
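To make the three posts above concrete, here is an added Python example (not from this thread or from Sophos) that builds the in-addr.arpa name for a subnet such as 172.16.20.0/24, always with the trailing dot Chris mentions, spells a name from the root as Georg describes, and shows the longest-suffix match a resolver uses to decide which forward zone (like the 10.in-addr.arpa one in Bob's named.conf) owns a reverse lookup. The zone list is a constructed sample.

```python
import ipaddress
from typing import Optional


def to_fqdn(name: str) -> str:
    """Make a name unambiguous by appending the root label (the trailing dot)."""
    return name if name.endswith(".") else name + "."


def reverse_zone(cidr: str) -> str:
    """in-addr.arpa zone for an octet-aligned IPv4 subnet (/8, /16 or /24),
    e.g. 172.16.20.0/24 -> '20.16.172.in-addr.arpa.'"""
    net = ipaddress.IPv4Network(cidr, strict=True)
    if net.prefixlen not in (8, 16, 24):
        # A /25 and similar do not map onto a single in-addr.arpa zone, so
        # refuse rather than produce a name that no resolver would match.
        raise ValueError("only /8, /16 and /24 map to a single in-addr.arpa zone")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def reverse_name(ip: str) -> str:
    """PTR owner name for one address, e.g. 10.1.2.7 -> '7.2.1.10.in-addr.arpa.'"""
    return ipaddress.IPv4Address(ip).reverse_pointer + "."


def labels_from_root(name: str) -> list:
    """Spell a name from the root: ['<root>', 'com', 'sophos', 'community']."""
    return ["<root>"] + list(reversed(to_fqdn(name).rstrip(".").split(".")))


def matching_zone(name: str, zones) -> Optional[str]:
    """Longest-suffix match: the most specific configured zone that owns `name`.
    Zones may be written with or without the dot; both sides are compared as FQDNs."""
    name = to_fqdn(name).lower()
    best = None
    for zone in zones:
        z = to_fqdn(zone).lower()
        if name == z or name.endswith("." + z):
            if best is None or len(z) > len(best):
                best = z
    return best


# Constructed sample: the forward zone from the named.conf above plus a more
# specific zone for a branch subnet, one with and one without the trailing dot.
SAMPLE_ZONES = ["10.in-addr.arpa", reverse_zone("172.16.20.0/24")]
```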
  • Hi there, I'm a newbie to Sophos and had a quick read through the thread to find out DNS Best Practices for XG Firewall but I presume the same applies as applies to UTM.

     

    One follow-on question I had was: with the aim of avoiding users locally changing their local DNS IP settings, do you recommend as DNS best practice to set up a rule on the XG firewall to allow all TCP/UDP on port 53 in/out to our external name servers and then have a rule below that says block all TCP/UDP in/out to all IP addresses on port 53?

    [Edit] Or is there a way for XG to simply forward people's DNS requests (to your preferred external DNS providers) without them knowing, instead of having the possibility of someone manually configuring DNS and having it just not work?

    Thanks

    Gerry

  • Maybe someone else can answer that question, Gerry.  XG doesn't yet do enough to make it worthy of my time to learn it in detail like I know the UTM.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • You can simply create a NAT rule for all outgoing port 53 traffic where you change the destination to your own specified DNS server(s), but even better is to just forward it to your own UTM or AD (whichever you use in DHCP). In that case even custom specified DNS servers will be diverted to the DNS servers of your choice.

    I'm not a real XG pro, but I assume it's possible to create DNAT rules.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.
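Since Gerry's aim is to catch (and then redirect) clients that ignore the resolvers handed out by DHCP, here is an added Python example, not from this thread or from Sophos, that runs that check over a few constructed packet-filter-style log lines in key="value" form and lists each internal client that sent TCP or UDP port-53 traffic to a resolver other than the permitted one. The permitted resolver address 10.0.0.1 and the log field names are assumptions.

```python
import re
from collections import defaultdict

# Assumed: the resolver(s) that DHCP hands out; anything else on port 53 is a bypass.
ALLOWED_RESOLVERS = {"10.0.0.1"}

# Constructed sample lines in a key="value" style (not real UTM/XG output).
SAMPLE_LOG = """\
action="accept" srcip="10.0.0.25" dstip="10.0.0.1" proto="17" srcport="51001" dstport="53"
action="accept" srcip="10.0.0.26" dstip="203.0.113.53" proto="17" srcport="51002" dstport="53"
action="accept" srcip="10.0.0.26" dstip="203.0.113.53" proto="6" srcport="51003" dstport="53"
action="accept" srcip="10.0.0.27" dstip="198.51.100.53" proto="17" srcport="51004" dstport="53"
action="accept" srcip="10.0.0.25" dstip="198.51.100.80" proto="6" srcport="51005" dstport="443"
"""

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line: str) -> dict:
    """Turn one key="value" log line into a dict of its fields."""
    return dict(FIELD_RE.findall(line))


def dns_bypassers(log_text: str, allowed=ALLOWED_RESOLVERS) -> dict:
    """Map each source IP that sent UDP (17) or TCP (6) port-53 traffic to a
    resolver outside `allowed` onto the sorted list of resolvers it contacted.
    Lines for other ports, or with missing fields, are ignored."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("dstport") != "53" or f.get("proto") not in ("6", "17"):
            continue
        if "srcip" not in f or "dstip" not in f:
            continue
        if f["dstip"] not in allowed:
            hits[f["srcip"]].add(f["dstip"])
    return {src: sorted(dsts) for src, dsts in hits.items()}


if __name__ == "__main__":
    for src, resolvers in dns_bypassers(SAMPLE_LOG).items():
        print(f"{src} bypassed the internal resolver via {', '.join(resolvers)}")
```

Clients that show up here are exactly the ones a port-53 DNAT to the UTM/AD resolver (as described above) would silently bring back in line.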

  • Hi Apijnappels - thanks for the reply and good ideas there. I will be trying a few things this week with DNS. I need to try request routing as well. From what I understand, if I put this in place I might not need a rule at all for port 53, as it should use the DNS setup on the XG regardless. Will revert back here once I have tested it.