The DHCP server documentation says:
But the behavior has always puzzled me. If I check the box, the external primary and secondary DNS server IPs are automatically entered and the fields are grayed out and cannot be edited. This appears to be the opposite of the documentation, and seems to act the opposite: my DHCP clients directly have the external servers when I look.
If I do the opposite and don't check the box and put the Sophos port's IP address in, the DHCP clients reflect this, and I assume query the firewall.
So is this documented backwards, or was it somehow changed over time, or am I just misunderstanding how it works?