Improving DNS performance on company network

Greetings Sophos Community,

We have a Windows network that connects our automotive group’s dealerships together. I’ve inherited a setup that I believe I can make more efficient by modifying our DNS settings in our Sophos firewalls. I have read BAlfson’s DNS Best Practice and think the secret sauce to making our network DNS queries more efficient is to modify the Forwarders and set up Request Routing to our two internal Domain Controllers.

Currently all (4) of our Sophos firewalls are set up with our two domain controllers as DNS forwarders. The domain controllers are running DNS at our headquarters, which have forwarders out to the OpenDNS servers. Why the DCs don’t forward to the firewall I’m not sure, maybe because of the Exchange server. This setup, I believe, results in all DNS queries from six dealerships going internally into the DCs. Then, once the DNS resolution has been completed, it may go out the firewalls.

Does it make sense for 250 users’ DNS requests at six locations to go in and out of one location?

This is a brief description of our setup.

Dealership One - Headquarters: Sophos SG-210, (2) Windows Server 2012 R2 Domain Controllers, Exchange Server VM, Shared drive for domain user profiles, and (2) Windows Remote Desktop Servers.

Dealership Two: Sophos SG-135, Windows Remote Desktop Server.

Dealership Three: Sophos SG-135, Windows Remote Desktop Server.

Dealerships Four, Five, and Six (Cluster): Sophos SG-210, Windows Remote Desktop Server, (3) dealerships connected together with SG-210 and (2) Sophos RED-50s.

The four groups are connected internally via SSL VPNs created in the firewalls.

I’d appreciate any recommendations. I think it’s also good for others to see examples of how others set up their networks. I may test tonight by logging in remotely, turning on the Request Routes to the DCs and adding Google DNS to one of the firewalls.

  • #1) UTM needs to do split DNS forwarding. Internal domain and internal Reverse DNS go to your DCs, external lookups need to go external. No reason to add the overhead of an extra hop for external lookups originating from UTM.

    #2) If you use Standard Mode Web Proxy (recommended), then devices send the URL to UTM, and UTM resolves the DNS. If UTM then queries an external resource for DNS resolution, you have minimized overhead again. Standard Mode has several other technical advantages over Transparent mode. For instance, Standard Mode can filter traffic on non-standard ports, while Transparent mode cannot.

    #3) Your Windows clients should use the DCs for their DNS. Other AD configurations are possible, but not for the faint of heart. UTM is not intended as a replacement for your DC DNS servers. Not sure if this was part of your question, but wanted to ensure that this was covered.

    #4) If you use Transparent Mode web filtering, you need to worry about resolving the special host name that UTM uses for warn and block pages. I think it is "fw.passthru-notify.net", but I am working from memory. The easiest way to ensure that this name will be resolvable is to have your DC DNS forward external traffic to UTM instead of to OpenDNS. An alternative would be to create an entry for it in your internal DNS.

    #5) UTM will block lookups on the .TK domain, because it is reasonable to consider these resources to be not-business-related and frequently suspicious. Your internal DNS servers do not have this ability. Another reason to forward from the DCs to UTM.

    #6) (Stating the obvious) Make sure that you have done #1 before pointing DCs to UTM, otherwise you will have an infinite loop and your network traffic will fail and your boss and customers will be very unhappy.

    #7) DNS is cached at every level, so performance tuning may not produce any noticeable benefit. If you have a saturated WAN link, putting a DC at that remote location is probably the best alternative for optimizing DNS lookups.
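The split-forwarding layout from points #1, #5 and #6 above, modelled as an added example that is not Sophos code or anything posted in this thread: each UTM carries request routes that send the internal AD zone and reverse zone to a DC and forwards everything else to a public resolver, while the DCs forward external names to the HQ UTM. The zone names, resolver names and query names are constructed; the second topology reproduces the loop Doug warns about, where the DCs point at the UTM while the UTM still forwards everything to the DCs.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class Resolver:
    name: str
    zones: set[str] = field(default_factory=set)                  # zones it answers itself
    request_routes: dict[str, str] = field(default_factory=dict)  # zone -> next resolver
    forwarder: str | None = None                                  # everything else goes here

def zone_for(qname: str, zones) -> str | None:
    """Longest zone suffix that contains qname, or None (case-insensitive)."""
    q = qname.lower().rstrip(".")
    hits = [z for z in zones if q == z.lower() or q.endswith("." + z.lower())]
    return max(hits, key=len) if hits else None

def next_hop(r: Resolver, qname: str) -> str | None:
    """None means r answers qname itself; otherwise the resolver it forwards to."""
    if zone_for(qname, r.zones):
        return None
    route = zone_for(qname, r.request_routes)
    return r.request_routes[route] if route else r.forwarder

def resolve_path(topology: dict[str, Resolver], start: str, qname: str) -> list[str]:
    """Follow the forwarding chain for qname; raise if it loops (Doug's point #6)."""
    path, cur = [start], start
    while True:
        hop = next_hop(topology[cur], qname)
        if hop is None or hop not in topology:   # answered locally, or handed to a public resolver
            return path if hop is None else path + [hop]
        if hop in path:
            raise RuntimeError(f"forwarding loop for {qname}: {' -> '.join(path + [hop])}")
        path.append(hop)
        cur = hop

INTERNAL = {"corp.example", "10.in-addr.arpa"}   # constructed AD zone and reverse zone

def split_dns_topology() -> dict[str, Resolver]:
    """Recommended layout: DCs forward external names to the HQ UTM; every UTM routes
    the internal zones to the DC and forwards the rest to a public resolver."""
    routes = {z: "dc1" for z in INTERNAL}
    return {r.name: r for r in (
        Resolver("dc1", zones=INTERNAL, forwarder="utm-hq"),
        Resolver("utm-hq", request_routes=routes, forwarder="opendns"),
        Resolver("utm-remote", request_routes=routes, forwarder="google-dns"),
    )}

def looping_topology() -> dict[str, Resolver]:
    """DCs pointed at the UTM while the UTM (no request routes) still forwards to the DCs."""
    return {r.name: r for r in (
        Resolver("dc1", zones=INTERNAL, forwarder="utm-hq"),
        Resolver("utm-hq", forwarder="dc1"),
    )}
```

`resolve_path(split_dns_topology(), "utm-remote", "www.sophos.com")` stays at the remote site and goes straight to the public resolver, while the same call with an internal name takes exactly one hop to the DC.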

  • Thank you Douglas for your input and recommendations,

    I guess my main goal is to improve the performance of our network. I also wanted to set up our remote locations to work on their own more by setting up their DNS to go external via UTM versus back to headquarters via SSL tunnels to the DCs, then out.

    I made the switch in the UTMs at the remote locations for DNS to go external to a Google DNS availability group, and set up request routes to the DCs back at headquarters to resolve internally, plus for authentication. Everything seems to be working fine... not so sure we gained any performance improvements yet.

    Thank you again... I'll review each item in your response.
  • I get your point. With UTMs at every site but DCs centralized, UTM with split DNS can act as a caching server for each location, which should work fine. For the site(s) with DCs, the configuration could go either way.

  • Sean, I think Doug's comments are all in line with DNS Best Practice, and it sounds like you've got a good grasp of that post. As noted in the post, it's not my ideas in most cases, it's a combination of experienced people in this Community. Looking for more speed?

    You mention SSL VPNs. You will get equivalent secrecy, better throughput and less latency if you replace those with IPsec tunnels using "AES 128 PFS."

    If one of those RED 50s dies out of warranty, replace it with an SG 115 with a Network Protection subscription. The 115 solution is faster, more flexible, and cheaper than a RED 50 with warranty extensions.

    Cheers - Bob
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA