DNS resolutions do not provide the optimised routes

I have made several DNS lookups using Sophos DNS Protection to assess the routing of our traffic and have observed that the resolved destinations often do not align with optimised routes. For instance, connections to Office 365 are being routed to servers in Germany (800-900 km away) instead of utilising local 'front doors' situated just 10-200 km away, as when using our ISP's DNS or services such as 1.1.1.1 or 8.8.8.8. Are there plans to introduce more local DNS resolvers, for example in Stockholm, to improve routing efficiency?


Also, is DNSSEC validation on the roadmap for SFOS/XGS? DNSSEC is getting more relevant now that Microsoft is rolling out DNSSEC and DANE for the MX records in Exchange Online.

  • Hi  

    We are aware of this issue and are looking at a couple of potential solutions. Over time, we certainly hope to expand our network of resolvers, but we are also planning to introduce support for EDNS client subnet. This feature of DNS allows us to forward information about the IP subnet origin of queries to the authoritative DNS server, which can use that information to provide a service address that is closer to you.

    Regarding DNSSEC validation on SFOS/XGS - it is certainly in the backlog although we don't have a timeframe for that yet.
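
The EDNS client subnet option mentioned in the reply above, shown as an added example that is not part of the thread and not Sophos code: it encodes and decodes the RFC 7871 option a resolver attaches to a query, zeroing the host bits so only the subnet reaches the authoritative server. The function names and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
import ipaddress
import struct

ECS_OPTION_CODE = 8  # EDNS Client Subnet option code (RFC 7871)

def build_ecs_option(client_ip: str, prefix_len: int) -> bytes:
    """Encode an ECS option for a query, exposing only the first prefix_len bits."""
    addr = ipaddress.ip_address(client_ip)
    if not 0 <= prefix_len <= addr.max_prefixlen:
        raise ValueError("prefix length out of range")
    family = 1 if addr.version == 4 else 2
    # strict=False masks the host bits, so the full client address is never sent.
    net = ipaddress.ip_network(f"{client_ip}/{prefix_len}", strict=False)
    # Only as many address octets as the prefix needs go on the wire.
    addr_bytes = net.network_address.packed[:(prefix_len + 7) // 8]
    # FAMILY, SOURCE PREFIX-LENGTH, SCOPE PREFIX-LENGTH (always 0 in a query).
    body = struct.pack("!HBB", family, prefix_len, 0) + addr_bytes
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body

def parse_ecs_option(data: bytes) -> dict:
    """Decode an ECS option, rejecting malformed lengths and non-zero host bits."""
    if len(data) < 8:
        raise ValueError("ECS option too short")
    code, length = struct.unpack("!HH", data[:4])
    if code != ECS_OPTION_CODE or length != len(data) - 4:
        raise ValueError("not a well-formed ECS option")
    family, source, scope = struct.unpack("!HBB", data[4:8])
    if family == 1:
        size, net_cls = 4, ipaddress.IPv4Network
    elif family == 2:
        size, net_cls = 16, ipaddress.IPv6Network
    else:
        raise ValueError("unknown address family")
    addr_bytes = data[8:]
    if source > size * 8 or len(addr_bytes) != (source + 7) // 8:
        raise ValueError("address length does not match source prefix")
    padded = addr_bytes + bytes(size - len(addr_bytes))
    # The strict network constructor raises ValueError if bits past the prefix are set.
    net = net_cls((padded, source))
    return {"subnet": str(net), "source_prefix": source, "scope_prefix": scope}

if __name__ == "__main__":
    # Constructed sample: a client in a documentation range, truncated to /24.
    opt = build_ecs_option("203.0.113.77", 24)
    print(opt.hex(), parse_ecs_option(opt))
```

RFC 7871 recommends that resolvers send no more than 24 bits of an IPv4 address and 56 bits of an IPv6 address, which is why the sample truncates to /24.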
