Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.
______________________________________________________________________________________________________________________________________
Sophos DNS Protection integrates nicely into Sophos Firewall within a short time, but it needs some consideration of what you do in SFOS to not break your network.
DNS Protection can be applied to the client in two different approaches:
Let's discuss the ups/downsides of both approaches:
1. You can add the Sophos DNS Server to the Sophos Firewall
2. You can add the Sophos DNS Server to the Clients via DHCP from the Sophos Firewall
If you decide to add the Sophos DNS Server to the Sophos Firewall, you only have to add both Servers of the DNS Server to the Firewall itself.
Network - DNS:
Both servers you’ll find in My Products - DNS Protection - Installers
Verify you are applying the Sophos Firewall as a DNS Server to the Clients via DHCP: 
If not - Consider the next step as an alternative to approach this, but I would recommend using DHCP to install the Sophos Firewall as a DNS Device for Clients.
Another consideration in SFOS is to redirect all DNS Traffic to the Firewall to prevent some clients from using another DNS Server.
We’re following the same principle as in the NTP Redirect: Sophos Firewall: Using NAT to achieve NTP proxy like functionality
Our NAT Rule picks up all DNS traffic going to the Internet and redirects it to one of the firewall's Interfaces.
This will redirect Port 53 to the Firewall, and the Client will not notice any change.
For example, even a non existing DNS Server gives the answer:
Because the firewall replies to it using Sophos DNS Protection.
______________________________________________________________________________________________________________________________________
Quote