[SOLVED] DNS best practice?

There are two ways to configure DNS:

One way:
- Allowing DNS outgoing for your internal nameservers
- internal nameservers forwarding to ISP-DNS
- ASG pointing to internal nameservers 

Another way:
- ASG forwarding to ISP-nameservers
- "request routing" on ASG for internal domain pointing to internal nameservers
- internal nameservers forwarding to ASG
 
Which way do you use? And why? Which is "officially preferred"?
Both configurations seem to work well for me; we run the first alternative on our cluster and the second in branch offices without internal DNS (domain DNS reachable via site2site-VPN).

Thanks for your ideas!
Thomas

  • In reply to Alexander Busch:

    Brilliant, Alex!  You appear to be the first to have had this insight. 

    I'll change the Best Practice post based on this discussion.

    I've also added a suggestion for a new feature: DNS Forwarders - allow a separate selection for Mail Protection.  If anyone sees this, please click on the link to vote for and comment on the idea to help make it more visible to Sophos.

    Here's the kind of Request Route I imagined:

    Perhaps you could start your thread by testing the difference this might make with a CDN that you use.  First, measure throughput and latency with OpenDNS as your Forwarder.  Then, create a Request Route so that you get name resolution from a server near you and test again.  Invite others to post their suggestions for other domains and edit your post to include their suggestions.

    Cheers - Bob

  • In reply to apijnappels:

    That's what I thought, Arno, but my research confirms Alex' description.  I wonder if your experience is just a reflection of the improvement in the throughput over the backbone of the Internet or if some CDNs do redirects based on geoip as we assumed.

    Your experience with Netflix is also very interesting.  Could you expand on that a bit?  Maybe including samples from your Web Filtering log when using your ISP's DNS instead of OpenDNS/Google?

    Cheers - Bob

  • In reply to BAlfson:

    BAlfson

    That's what I thought, Arno, but my research confirms Alex' description.  I wonder if your experience is just a reflection of the improvement in the throughput over the backbone of the Internet or if some CDNs do redirects based on geoip as we assumed.

    Your experience with Netflix is also very interesting.  Could you expand on that a bit?  Maybe including samples from your Web Filtering log when using your ISP's DNS instead of OpenDNS/Google?

    Cheers - Bob

     

    On Netflix, there's no difference between using my provider's DNS address or the OpenDNS or Google DNS settings. If I'm in the Netherlands, I get Dutch Netflix (and subtitles). Last week I was in France and got the French subtitles (still using OpenDNS). Unless I VPN to my own UTM, then I get the Dutch subtitles again.

    For Office365 our services are hosted in a European datacentre (so as not to be affected by the Patriot Act). So maybe that also influences where DNS requests go...

    If there's any other CDN that I could test latency to, I will happily make some tests using different DNS servers for lookup.

  • In reply to apijnappels:

    apijnappels

     On Netflix, there's no difference between using my provider's DNS address or the OpenDNS or Google DNS settings. If I'm in the Netherlands, I get Dutch Netflix (and subtitles). Last week I was in France and got the French subtitles (still using OpenDNS). Unless I VPN to my own UTM, then I get the Dutch subtitles again.

    For Office365 our services are hosted in a European datacentre (so as not to be affected by the Patriot Act). So maybe that also influences where DNS requests go...

    If there's any other CDN that I could test latency to, I will happily make some tests using different DNS servers for lookup.

     
    Hi Guys,
     
    Just to add a bit of complexity to that: there is a thing called EDNS Client Subnet. See https://tools.ietf.org/html/rfc7871 . With that it would be possible for the cloud provider to get information about the IP or network originating the DNS query. So the geolocation problem should not affect users who are using public DNS servers like Google.
    And after a little research, a lot of cloud providers and CDNs support EDNS - specifically to address this issue, see this. Except Microsoft! It is disappointing that Microsoft hasn't added support for EDNS in its geolocation mechanism used by Office 365.
    So at the moment I think the big problem is only with Office365.
     
    Best 
    Alex
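The EDNS Client Subnet option Alex refers to, as an added example (not code from this thread or from Sophos): a small RFC 7871 encoder/decoder in Python that also shows how much of a client's address a resolver forwards under the RFC's recommended /24 (IPv4) and /56 (IPv6) limits, which is the privacy trade-off behind ECS. All addresses are constructed samples.

```python
import ipaddress
import struct

ECS_OPTION_CODE = 8              # EDNS Client Subnet option code, RFC 7871 section 6
DEFAULT_PREFIX = {4: 24, 6: 56}  # RFC 7871's recommended maximum prefixes to forward


def client_subnet_for(client_ip: str) -> str:
    """Truncate a client address the way a resolver should before forwarding
    it in an ECS option, so only the /24 or /56 leaves the resolver."""
    ip = ipaddress.ip_address(client_ip)
    return str(ipaddress.ip_network((ip, DEFAULT_PREFIX[ip.version]), strict=False))


def build_ecs_option(network: str, scope_prefix: int = 0) -> bytes:
    """Encode one EDNS0 option (code, length, payload) carrying the subnet."""
    net = ipaddress.ip_network(network)
    family = 1 if net.version == 4 else 2
    # ADDRESS is truncated to the octets covering SOURCE PREFIX-LENGTH; bits
    # beyond the prefix are zero because ip_network() already masked them.
    addr = net.network_address.packed[: (net.prefixlen + 7) // 8]
    payload = struct.pack("!HBB", family, net.prefixlen, scope_prefix) + addr
    return struct.pack("!HH", ECS_OPTION_CODE, len(payload)) + payload


def parse_ecs_option(option: bytes) -> dict:
    """Decode an ECS option, rejecting malformed ones as a server would (FORMERR)."""
    if len(option) < 8:
        raise ValueError("option too short")
    code, length = struct.unpack("!HH", option[:4])
    payload = option[4:4 + length]
    if code != ECS_OPTION_CODE or len(payload) != length:
        raise ValueError("not a well-formed ECS option")
    family, source_prefix, scope_prefix = struct.unpack("!HBB", payload[:4])
    addr_bytes = payload[4:]
    try:
        full_len, max_prefix = {1: (4, 32), 2: (16, 128)}[family]
    except KeyError:
        raise ValueError(f"unknown address family {family}") from None
    if source_prefix > max_prefix or len(addr_bytes) != (source_prefix + 7) // 8:
        raise ValueError("address length does not match SOURCE PREFIX-LENGTH")
    addr = ipaddress.ip_address(addr_bytes + b"\0" * (full_len - len(addr_bytes)))
    # strict=True raises if padding bits beyond the prefix are non-zero, which
    # RFC 7871 requires the sender to clear; a server rejects such an option.
    network = ipaddress.ip_network((addr, source_prefix), strict=True)
    return {"family": family, "source_prefix": source_prefix,
            "scope_prefix": scope_prefix, "network": str(network)}
```

Compare the forwarded subnet from client_subnet_for() with your resolver's actual ECS behaviour (a packet capture of its upstream queries) to see exactly what leaves your network.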
  • In reply to Alexander Busch:

    Maybe this one, too:

  • In reply to Alexander Busch:

    Thanks, Alex and Arno - I've changed #2 in DNS best practice again.  I welcome your critiques.

    Cheers - Bob