Sophos DNS Protection (Central)

Hello Sophos Community,

I currently use almost the full range of Sophos products, except for DNS Protection. I would like to hear your opinions on DNS Protection and get some insights on the questions below, especially from people who have used it or are currently using it.

1. Are there any benefits beyond the ability to create custom policies with blacklists, whitelists, and website categories? I am already implementing a similar structure using the web filtering policy within the XGS 4500 Firewall.

2. If I use DNS Protection policies in combination with the firewall's web filtering, how do the rules interact? Which policies take precedence, or do they overwrite each other?

3. Is the root certificate mandatory for all devices? While adding the certificate on Windows or macOS devices is manageable, it could be challenging for IoT devices or smartphones. Is it necessary for them as well?

4. I ran some tests on the firewall's DNS connection:
   - Sophos DNS servers = 17ms
   - ISP DNS servers = 0.67ms
   Could this difference significantly impact network performance?

5. I am currently using IPsec VPN with Sophos Connect.
   I am not 100% sure if DNS queries are routed through our firewall's WAN public IP address or if they use the home network ISP public IP of each "home office user" as the DNS resolver. Any ideas on how I can verify this and how it should work normally?

   Inside the firewall's remote access VPN IPsec settings I am pointing towards our two internal DNS servers.
   The Windows DNS server will forward to the firewall's local IP, and the firewall to the current ISP.

6. So, my main question is: Should I use DNS Protection (and Sophos DNS servers) instead of the ISP DNS servers I'm currently using?

Sorry for the wall of text.

Thanks for your help.
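For the latency comparison in question 4, here is an added example (not from the original post, and not a Sophos tool): a small Python script that sends hand-built DNS queries over UDP to each resolver and reports the first, median and worst round-trip time, so that a single uncached lookup is not mistaken for the typical path latency. The resolver addresses and test names are placeholders that you would replace with the Sophos DNS Protection and ISP resolver IPs from your own setup.

```python
"""Added example: compare DNS resolver latency with hand-built UDP queries."""
import socket
import statistics
import struct
import time

# Placeholder resolvers (constructed, not taken from the post): replace with
# the Sophos DNS Protection addresses and your ISP's resolvers.
RESOLVERS = {"sophos-placeholder": "192.0.2.53", "isp-placeholder": "198.51.100.53"}
TEST_NAMES = ["example.com", "example.net"]


def build_query(name, txid):
    """Build a minimal DNS A/IN query with the recursion-desired flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)


def parse_header(resp, txid):
    """Return (rcode, answer_count) from a response header; reject foreign IDs."""
    rid, flags, _qd, an = struct.unpack("!HHHH", resp[:8])
    if rid != txid:
        raise ValueError("transaction id mismatch: stray or forged reply")
    return flags & 0x000F, an


def measure(resolver, name, rounds=5, timeout=2.0):
    """Time `rounds` queries; the first sample is usually the uncached lookup."""
    samples = []
    for i in range(rounds):
        txid = 0x1000 + i
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            t0 = time.perf_counter()
            s.sendto(build_query(name, txid), (resolver, 53))
            data, _ = s.recvfrom(512)
            samples.append((time.perf_counter() - t0) * 1000.0)
        parse_header(data, txid)  # raises if the reply does not match our query
    return {"first_ms": samples[0], "median_ms": statistics.median(samples), "max_ms": max(samples)}


if __name__ == "__main__":
    for label, ip in RESOLVERS.items():
        for name in TEST_NAMES:
            try:
                r = measure(ip, name)
                print(f"{label:18} {name:14} first={r['first_ms']:.1f}ms "
                      f"median={r['median_ms']:.1f}ms max={r['max_ms']:.1f}ms")
            except (socket.timeout, ValueError, OSError) as e:
                print(f"{label:18} {name:14} error: {e}")
```

Run it from the same segment as the firewall (and again from a Sophos Connect client) to compare the two resolver paths under the same conditions.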