DNS but how does it fit with Sophos other Products

Hello Sophos-Team,

as feedback to why to use Sophos DNS I do not understand:

- Transmission to Uplink DNS is not encrypted (DNS over HTTPS or DNS over TLS)

- DNS Validation is not done too DNSsec

The Current Products in the grand scheme of things are sufficient and already prove to be a challenge.

If your Infrastructure is protected by:

- Sophos XGS Firewall

- Sophos Intercept X Adv. with XDR (for Server too)

- And you setup your DNS Chain to best practice. (Client -> Firewall -> Domain Controller (or) Public DNS

The Sophos XGS Firewall does already have DNS request routing and does this fairly good and encourages Best Practice.

Now with all of the Products active you have three different Screens to worry about blocked content:

- Sophos Endpoint Protection (Web Control - SSL Inspection - Application Control)

- Sophos Firewall (Web Control Policy - SSL Inspection - Application Control)

This would make troubleshooting a mess if things are not centrally Controlled and Managed. What I mean to say is to be able to have one plane of glass that works with all of the great security solutions Provided. 

Plus atm DNS Querys are Super slow. ;)

Sincerely

Val.

  • As far as I know there is no way to enable DNS over TLS or DNS over HTTPS from Sophos Firewall to Sophos Central DNS? This would be the big advantage, to compete with companies such as Cloudlfared, Quad9 and Adguard DNS

  • Thanks very much for your feedback.

    Using secure transports is something that is on our roadmap after the release of version 1.

    The resolver does perform DNSSec validation. I'll reach out to you over DM if you're willing to give us a bit more detail of your concerns here.

    Managing all these products in Sophos Central gives us the opportunity to combine alerts over time. For example, the recent changes to the main navigation Central are just the first step in a range of improvements that will include customizable dashboards that will combine output from multiple products on a single screen. 

    DNS query response is mainly a factor of the location of our resolver services, which is still limited but which will expand by the time we reach the full release for the product.

  • Yeah sure I am happy to help. 

    The best part is that I have a complete homelab to play with and all is powered by Sophos. 

    Sophos Endpoint Security with XDR - Sophos XGS Firewall XStream Bundle with SSL-Inspection DPI Engine - For now I disabled DNS because the requests took quite some time but can reenable them in just a few min...

    All is connected with Sophos Central. ^^

    Sincerely

    Val.

  • That is why I gave this feedback and would be awesome to have. Makes the DNS Protection more viable as a uplink Resolver. Then again why double block when you have a great Firewall Product that does exactly that with Web Control. ;)

  • Will Sophos have public DNS resolvers that regular users can point to for malware protection? Or will it be for Sophos Firewall customers only? Since they seem to be heavily invested in DNS now I imagine they would offer something similar to other public DNS resolvers with adware/malware/parental site blocking eventually.

    Of course Sophos probably wants to keep their products within the Sophos Central ecosystem, but it would be a good way to broaden their exposure to different areas.

  • While we don't have any plans right now to extend availability of the product to home users or folks who aren't Sophos customers, I wouldn't want to rule it out completely.

    Our immediate focus is to get the service up and running and delivering value for our Sophos Firewall customers.

  • This TRIplicity will be really confusing and hard to maintain for the customers (CIXA,FW,DNS - its all URL filtering.

    Imho CIXA URL filtering and DNS protection should be "somehow" merged together, which should be easy from technical point of view.

    Also many customers will worry about slow DNS, therefore it would be nice if this could offload to the firewall.

  • Yes, I understand your concerns. We are certainly considering this as a challenge for the future to improve how different policies for different types of filtering in different products interact, and to give customers a way to express policy in one UI and have it take effect across different products. 

  • Basically it is the same function which is in CIXA, so as long as those 2 functions will be 1:1 you can create "sync on" button, but it is clear that integration between CIXA,FW and DNS protection will require deeper analysis.

    This can be a really good solution for Guest networks and unmanaged endpoints, but I'm not convinced that customers will be willing to change the main DNS, as it will be really hard to provide the same level of fast response and reliability as for example Google DNS (8.8.8.8) all around the globe.