
Sophos Firewall: Integrate Sophos DNS Protection into Sophos Firewall

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment. 

______________________________________________________________________________________________________________________________________


Overview

Sophos DNS Protection integrates into Sophos Firewall quickly, but you need to consider how the change affects DNS handling in SFOS so that you do not break your network.

Considerations:

DNS Protection can be applied to clients in two different ways:

  1. You can add the Sophos DNS Server to the Sophos Firewall
  2. You can add the Sophos DNS Server to the clients via DHCP from the Sophos Firewall
  (You can also do both)

Let's discuss the upsides and downsides of both approaches:
1. You can add the Sophos DNS Server to the Sophos Firewall

  • Pro:
    There is only one change in SFOS.
    It does not interrupt the existing DNS flow in the network.
    It reduces the number of DNS requests, as SFOS caches the DNS answers.
  • Con:
    It can reduce the usefulness of reporting, because every client queries the firewall rather than Sophos DNS directly, so Sophos DNS sees the firewall as the source of all requests.

2. You can add the Sophos DNS Server to the clients via DHCP from the Sophos Firewall

  • Pro:
    You have full visibility of all DNS requests in Sophos DNS.
  • Con:
    It will likely break your Windows domain, because domain-joined Windows clients need their queries for the AD domain (for example domain.local) to be routed to the AD DNS server.
    The number of DNS requests is higher because nothing is cached.


Installation: 

If you decide to add the Sophos DNS Server to the Sophos Firewall, you only have to add both Sophos DNS Protection server addresses to the firewall itself under
Network - DNS:

You'll find both server addresses under My Products - DNS Protection - Installers.

Verify that you are handing out the Sophos Firewall as the DNS server to the clients via DHCP:

If not, consider the next step (NAT redirect) as an alternative, but I would recommend using DHCP to set the Sophos Firewall as the DNS server for clients.


NAT Redirect of DNS:

Another consideration in SFOS is to redirect all DNS traffic to the firewall, to prevent individual clients from using another DNS server.

We're following the same principle as in the NTP redirect: Sophos Firewall: Using NAT to achieve NTP proxy like functionality


Our NAT rule picks up all DNS traffic going to the Internet and redirects it to one of the firewall's interfaces.
This redirects port 53 to the firewall, and the client will not notice any change.
For example, even a non-existent DNS server gives an answer:


because the firewall replies to it using Sophos DNS Protection.
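To verify the redirect from a client without relying on a screenshot, here is an added Python check (not part of the original article and not a Sophos tool) that sends a hand-built DNS query to an address where no DNS server exists; if the port 53 redirect is active, an answer still comes back. The bogus resolver address and the query name are assumptions.

```python
"""Verify a DNS NAT redirect by querying a deliberately bogus resolver.

Added example, not from the original article. Sends a minimal A query
to an IP on which no DNS server listens; with the firewall's port 53
redirect active the firewall answers anyway, and because the DNAT is
reverse-translated the reply appears to come from the bogus address.
"""
import socket
import struct
from typing import Optional

BOGUS_RESOLVER = "192.0.2.53"  # assumed: unused address (TEST-NET-1), no DNS server here


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a standard DNS A query for `name` with recursion desired (RD=1)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode()
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_response(data: bytes) -> dict:
    """Return txid, QR flag, rcode and answer count from a raw DNS header."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0x000F, "answers": an}


def check_redirect(name: str = "example.com", server: str = BOGUS_RESOLVER,
                   timeout: float = 2.0) -> Optional[dict]:
    """Query the bogus resolver; None means no reply, i.e. no redirect in place."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        try:
            data, (src, _) = s.recvfrom(512)
        except socket.timeout:
            return None
    result = parse_response(data)
    result["replied_from"] = src  # expected to equal `server` when DNAT is reversed
    return result


if __name__ == "__main__":
    r = check_redirect()
    if r is None:
        print(f"No answer from {BOGUS_RESOLVER}: DNS redirect is NOT active")
    else:
        print(f"Answer from {r['replied_from']} (rcode={r['rcode']}, "
              f"answers={r['answers']}): DNS redirect is active")
```

Run it from a client on the LAN segment the NAT rule covers; a reply with rcode 0 and at least one answer means the firewall (and therefore Sophos DNS Protection) answered on behalf of the bogus server.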

______________________________________________________________________________________________________________________________________



Updated Grammar
[edited by: Raphael Alganes at 7:45 AM (GMT -7) on 9 Oct 2024]