Greetings Sophos Community,
We have a Windows network that connects our automotive group’s dealerships together. I’ve inherited a setup that I believe I can make more efficient by modifying our DNS settings in our Sophos firewalls. I have read BAlfson’s DNS Best Practice and think the secret sauce to making our network DNS queries more efficient is modifying the Forwarders and setting up Request Routing to our two internal Domain Controllers.
Currently all (4) of our Sophos firewalls are set up with our two domain controllers as DNS forwarders. The domain controllers, which run DNS at our headquarters, have forwarders out to the OpenDNS servers. Why the DCs don’t forward to the firewall I’m not sure, maybe because of the Exchange server. This setup, I believe, results in all DNS queries from six dealerships going internally to the DCs. Then, once the DNS resolution has been completed, it may go out through the firewalls.
As Bob suggested, it would seem that having these locations use forwarders to Google/OpenDNS in the Sophos firewalls to resolve outside requests, and setting up internal request routes to point to the DCs (for internal use) for authentication and shared drive access, would make the network much more efficient.
Does it make sense for 250 users’ DNS requests at six locations to go in and out of one location?
This is a brief description of our setup.
Dealership One - Headquarters: Sophos SG-210, (2) Windows Server 2012 R2 Domain Controllers, Exchange Server VM, Shared drive for domain user profiles, and (2) Windows Remote Desktop Servers.
Dealership Two: Sophos SG-135, Windows Remote Desktop Server.
Dealership Three: Sophos SG-135, Windows Remote Desktop Server.
Dealerships Four, Five, and Six (Cluster): Sophos SG-210, Windows Remote Desktop Server, (3) dealerships connected together with the SG-210 and (2) Sophos RED-50s.
The four groups are connected internally via SSL VPNs created in the firewalls.
I’d appreciate any recommendations. I think it’s also good for others to see examples of how others set up their networks. I may test tonight by logging in remotely, turning on the Request Routes to the DCs and adding Google DNS to one of the firewalls.
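The split described in the post (public forwarders on each firewall, a request route sending only the internal AD domain to the headquarters DCs) can be modelled and sanity-checked offline. The following is an added example, not code from the post or from Sophos: it implements the resolver selection a request-routing table implies, compares the inherited "everything to the DCs" setup against the proposed split on a constructed sample of queries, and handles one edge case a practitioner should care about, suffix matching on label boundaries so that a route for the internal domain does not swallow look-alike external names. The domain name `corp.example`, the DC addresses `10.0.0.10`/`10.0.0.11`, the sample workload and all function names are assumptions for the example; the OpenDNS and Google addresses are their public resolvers.

```python
# Added example (not from the post or from Sophos): a model of the split DNS
# design discussed in the thread. Queries for the internal AD domain are sent
# to the domain controllers via a request route; everything else goes to the
# firewall's public forwarders. Names and addresses below are assumptions.
from __future__ import annotations

from dataclasses import dataclass, field

# Assumed internal AD domain and DC addresses (the post does not give them).
INTERNAL_DOMAIN = "corp.example"
DC_SERVERS = ["10.0.0.10", "10.0.0.11"]
# Public resolvers named in the post.
OPENDNS = ["208.67.222.222", "208.67.220.220"]
GOOGLE_DNS = ["8.8.8.8", "8.8.4.4"]


@dataclass
class ResolverConfig:
    """The two knobs the post talks about: forwarders and request routes."""
    forwarders: list[str] = field(default_factory=list)
    # domain suffix -> name servers that answer for it
    request_routes: dict[str, list[str]] = field(default_factory=dict)


def _normalize(name: str) -> str:
    return name.rstrip(".").lower()


def pick_resolvers(cfg: ResolverConfig, qname: str) -> list[str]:
    """Return the servers a query for qname should be sent to.

    The longest matching request route wins. Matching is done on label
    boundaries, so a route for corp.example covers dc1.corp.example but
    not notcorp.example (a common mistake when suffix-matching strings).
    """
    q = _normalize(qname)
    best_domain, best_servers = None, None
    for domain, servers in cfg.request_routes.items():
        d = _normalize(domain)
        if (q == d or q.endswith("." + d)) and (
            best_domain is None or len(d) > len(best_domain)
        ):
            best_domain, best_servers = d, servers
    if best_servers is not None:
        return list(best_servers)
    if not cfg.forwarders:
        raise ValueError(f"no forwarder configured for external name {qname!r}")
    return list(cfg.forwarders)


def current_config() -> ResolverConfig:
    """The inherited setup: a branch firewall forwards everything to the DCs."""
    return ResolverConfig(forwarders=list(DC_SERVERS))


def split_config(public: list[str] = OPENDNS) -> ResolverConfig:
    """The proposed setup: public forwarders, internal domain routed to the DCs."""
    return ResolverConfig(
        forwarders=list(public),
        request_routes={INTERNAL_DOMAIN: list(DC_SERVERS)},
    )


def dc_query_fraction(cfg: ResolverConfig, workload: list[str]) -> float:
    """Fraction of a query workload that ends up at the headquarters DCs."""
    to_dc = sum(1 for name in workload if pick_resolvers(cfg, name) == DC_SERVERS)
    return to_dc / len(workload)


# Constructed sample of what a dealership's clients might look up.
SAMPLE_WORKLOAD = [
    "dc1.corp.example",          # logon / Kerberos
    "fileserver.corp.example",   # shared drive
    "www.sophos.com",
    "community.sophos.com",
    "outlook.office365.com",
    "www.google.com",
    "cdn.example.net",
    "notcorp.example",           # looks internal, is not
]

if __name__ == "__main__":
    for label, cfg in (("current", current_config()), ("split", split_config())):
        share = dc_query_fraction(cfg, SAMPLE_WORKLOAD)
        print(f"{label}: {share:.0%} of sample queries travel to the HQ DCs")
    print("split + Google:", pick_resolvers(split_config(GOOGLE_DNS), "www.sophos.com"))
```

Two things the model makes visible: with the inherited configuration every query in the sample crosses the VPN to headquarters, while with a request route only the internal names do; and `notcorp.example` goes to the public forwarders, which is the behaviour you want to confirm when you test the route tonight. If clients also do reverse lookups of internal addresses, the corresponding `in-addr.arpa` zone needs a request route to the DCs as well, or those PTR queries will be sent to the public forwarders.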