DNS but how does it fit with Sophos other Products

Hello Sophos-Team,

as feedback to why to use Sophos DNS I do not understand:

- Transmission to Uplink DNS is not encrypted (DNS over HTTPS or DNS over TLS)

- DNS Validation is not done too DNSsec

The Current Products in the grand scheme of things are sufficient and already prove to be a challenge.

If your Infrastructure is protected by:

- Sophos XGS Firewall

- Sophos Intercept X Adv. with XDR (for Server too)

- And you setup your DNS Chain to best practice. (Client -> Firewall -> Domain Controller (or) Public DNS

The Sophos XGS Firewall does already have DNS request routing and does this fairly good and encourages Best Practice.

Now with all of the Products active you have three different Screens to worry about blocked content:

- Sophos Endpoint Protection (Web Control - SSL Inspection - Application Control)

- Sophos Firewall (Web Control Policy - SSL Inspection - Application Control)

This would make troubleshooting a mess if things are not centrally Controlled and Managed. What I mean to say is to be able to have one plane of glass that works with all of the great security solutions Provided. 

Plus atm DNS Querys are Super slow. ;)



Parents Reply Children
  • Yes, I understand your concerns. We are certainly considering this as a challenge for the future to improve how different policies for different types of filtering in different products interact, and to give customers a way to express policy in one UI and have it take effect across different products. 

  • Basically it is the same function which is in CIXA, so as long as those 2 functions will be 1:1 you can create "sync on" button, but it is clear that integration between CIXA,FW and DNS protection will require deeper analysis.

    This can be a really good solution for Guest networks and unmanaged endpoints, but I'm not convinced that customers will be willing to change the main DNS, as it will be really hard to provide the same level of fast response and reliability as for example Google DNS ( all around the globe.