Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Verified Answer
  • Replies 4 replies
  • Subscribers 39 subscribers
  • Views 116 views
  • Users 0 members are here
Options
Suggested

Is "Use device's DNS settings" documented backwards?

Wayne Folta

The DHCP server documentation says:

  • DNS server: Specify the DNS servers you want the clients to contact. To specify Sophos Firewall as the primary and the secondary DNS server, select Use device's DNS settings. Alternatively, you can enter the IP addresses of the DNS servers you want the clients to contact.

But the behavior has always puzzled me. If I check the box, the external primary and secondary DNS server IPs are automatically entered and the fields are grayed out and cannot be edited. This appears to be the opposite of the documentation, and seems to act the opposite: my DHCP clients directly have the external servers when I look.

If I do the opposite and don't check the box and put the Sophos port's IP address in, the DHCP clients reflect this, and I assume query the firewall.

So is this documented backwards, or was it somehow changed over time, or am I just misunderstanding how it works?

Parents
  • +1

    Maybe it was worded badly in the past but "Device´s DNS setting" is referring to the SFOS Firewall itself. 
    This option will use the firewalls DNS config to the clients. 

    I will get this fixed in the online help to be more clear. 

    __________________________________________________________________________________________________________________

Reply
  • +1

    Maybe it was worded badly in the past but "Device´s DNS setting" is referring to the SFOS Firewall itself. 
    This option will use the firewalls DNS config to the clients. 

    I will get this fixed in the online help to be more clear. 

    __________________________________________________________________________________________________________________

Children
  • 0 in reply to LuCar Toni

    Thanks so much. I've done a bit of testing that seemed to indicate I wanted to NOT check the box if I wanted clients to use the Sophos as the DNS server. But it always makes me worry.

    Follow-on question: I use DHCP4 for all my (IPv4) subnets, but I have one dual-stack subnet that I'm playing with IPv6.

    I'd like for the IPv6 clients on that subnet to use the Sophos as their DNS server, but the only way I see to do that is to fire up a DHCPv6 server... Except that seems to require that I actually want to manage IPv6 addresses and not do SLAAC. I've read that the RA could potentially advertise the DNS server directly instead of simply referring DHCPv6-using clients to get that info via DHCPv6.

    Is that making sense? I feel like, at this point, all of my IPv4 machines are being directed to the Sophos (though they can ignore that), but IPv6 machines I guess have no DNS guidance and either do their own thing or use IPv4 DNS instead. (They are all dual-stack IoT devices.)

  • 0 in reply to Wayne Folta

    Why are you not using Prefix Delegation for this? https://en.wikipedia.org/wiki/Prefix_delegation 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    ISP is not yet IPv6. I did actually implement PD a year ago and it worked... until it didn't and it seemed to cause serious stability issues. I think I caught the ISP experimenting with IPv6 and they eventually shut it down -- perhaps after seeing my traffic taking advantage of it.

    I've been too afraid to try PD again, since they still have not announced it's officially available. So I'm using an HE 6in4 tunnel.

    I did just turn on DHCPv6 and specified a lease range -- which the DHCP tab requires -- but then in the RA only checked the "other" option and not the option to manage IP addresses, so I think it's doing what I want without overriding SLAAC. (Will take some sleuthing to determine if the IoT devices are actually using the Sophos for IPv6 DNS queries or not. But I think I did the logical thing.)

Unfiltered HTML