
Simple DNS internal Server setup

Hi good day!

1st.) To be specific on my inquiry, I have an internal system which has an internal server IP of 192.168.1.X (System), which staff connect to using the server IP. Now I would like to change it to a name and not the IP. How can it be done? Sophos UTM

2nd.) Can I make it also for the public IP address or external, under the Sophos UTM internal DNS server config?

Thank you, very much appreciated.

von



  • I'm not sure if I understand your questions right, but I'll give it a try:

    1) You would like to use servername.domain.tld instead of 192.168.1.x? In that case you can just make a network definition in Sophos UTM with the specific FQDN and the corresponding IP address. Make sure though that the UTM is used for name resolution, otherwise you need to do this in another DNS server.

    2) For public DNS names you need to register them with the hosting company where you register the DNS name. If you would like to create a DNS name in Sophos UTM and have it point to an external IP address, yes, that is also possible (same way as under #1).


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Hi good day!

    Your reply to my question is very much appreciated.

     

    * 1) You would like to use servername.domain.tld instead of 192.168.1.x? (Yes sir!) And multiple servers on my internal network to work with name resolution.

           I am confused with the hostname on Management > WebAdmin Settings > HTTPS certificate > Hostname ____________. Is that the DNS server hostname for name resolution, or is that where the FQDN is?

           - And for making a host, it is under Definitions & Users > Network Definitions > New Network Definition > add network definition

              Name : dns.test.server

               Type : Host

               IPv4 : this is the local server, right? Or the internal IP.

     DNS setting

               Hostname : dns.test.server

               Reverse DNS : check.

    Am I missing something?


  • Hello,

    First of all: do you have an internal DNS server?

    The UTM is not a DNS server; it acts as a DNS cache and a forwarder to other DNS servers.

    Using "static host" entries can substitute for A-records for some purposes, but that is no "real" DNS server.

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Hi sir good day!

    Appreciated your reply,

     

    First of all: do you have an internal DNS server?

         * We don't have an internal DNS server.

         * I would like to use Sophos as our internal DNS server to resolve the naming convention for our internal IPs (the IP addresses of our servers).

     

    The UTM is not a DNS server; it acts as a DNS cache and a forwarder to other DNS servers.

         * I did set up a home software-based Sophos UTM 9.7. I tried to simulate it on my VM and it works fine and simply for the UTM and for my server, but I still have a problem in the production environment every time I do the same as in my test environment. The hostname, by the way, is production.local; for the firewall I put utm.production.local, and for my internal server server.production.local. Do I have to do something else on the target interface?


    Using "static host" entries can substitute for A-records for some purposes, but that is no "real" DNS server.

       * As long as it can resolve names that would be perfect, because the scenario is that no IP should be typed in the browser when going to the server locally. Say the server IP is 192.168.0.15; it is easier for the staff to type only server.production.local. It is more realistic, right?

    Thank you!


    von

  • Thinking about what you are writing makes me believe you are mixing up and confusing some things about DNS here.

    Let's try to put this straight!

    About your screenshot: I think you are not telling the complete story here:

    You were talking about internal (local) DNS / hostnames, but in your obfuscated field I notice some kind of public DNS name.

    What are you trying to achieve?

    See, DNS works with a "zones" concept: you define a zone by giving it a name like "mycompany.int" or "bureau.local".

    Then your hosts have names like "server1.mycompany.local", "server2.mycompany.local" or like "webserver.bureau.local" (for my other example) and so on.

    It is important not to use public DNS names for internal resources, especially if you do not have your own internal DNS server(s).
    So there has been a convention to use ".internal" or ".local" as the suffix for internal, private domains. This is very much like using 192.168.x.y addresses for private LANs.

    The DNS server that has been assigned responsibility for a certain zone like "mycompany.local" now starts looking at the DNS requests that reach the service, and if these are looking for hostnames like "xxx.mycompany.local" it looks in its own zone to resolve that name to an IP address. If it has a valid entry, it hands out the IP address; if it doesn't, it hands out an error code.
    Most notably, that DNS query ends here; there is no reason for the DNS server to forward a request if it was responsible for that zone. Even if you have two or more DNS servers defined in the client settings, the first DNS server that is answering finishes the query. So either it has a valid entry, or the name is not resolved!

    For DNS names that are public DNS, there is a concept called "forwarding". You can tell your internal DNS server to forward all zones it is not responsible for to an upstream DNS server at your ISP or some public DNS servers like Google 8.8.8.8 or Cloudflare 1.1.1.1.

    The next thing is which clients are using your DNS settings: obviously only internal LAN clients can use an internal DNS server, even if this is only some static host settings on a UTM.
    You cannot resolve from "outside" or for "outside" clients if the resource is in your private LAN ("192.168.x.y").

    Normally, if a host is to be reached from the internal LAN *AND* from outside (external), you use different DNS settings for the same host. This is called "split brain" DNS. This cannot be achieved with static host settings on the UTM.

    So some more information about your environment and your goal would be very helpful to assist you further.

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

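The zone-and-forwarding behaviour described in the post above, as an added toy model (not code from the thread or from Sophos): the UTM-style resolver answers its own zone from static host entries and forwards everything else, and a client takes the first answer it gets. Hostnames and addresses are the lab values from this thread; the public records are constructed.

```python
# Added example, not from the thread: a toy model of the DNS behaviour
# Philipp describes. Lab names and addresses are taken from the thread.

LOCAL_ZONE = "production.local"

# Static host entries as they would be defined on the UTM (constructed)
STATIC_HOSTS = {
    "server.production.local": "192.168.2.35",
    "firewall.production.local": "192.168.2.1",
}

# What a public resolver such as 8.8.8.8 knows: never your private zone
PUBLIC_RECORDS = {"www.example.com": "93.184.216.34"}  # constructed

FORWARDED = []  # names the UTM sent upstream (shows nothing internal leaks)

def public_resolve(name):
    """Public DNS: returns an address or None (NXDOMAIN)."""
    return PUBLIC_RECORDS.get(name)

def utm_resolve(name, upstream=public_resolve):
    """UTM: own zone from static hosts, all other zones forwarded upstream."""
    name = name.lower().rstrip(".")
    if name == LOCAL_ZONE or name.endswith("." + LOCAL_ZONE):
        # The query ends here: a miss in our own zone is NXDOMAIN, not forwarded
        return STATIC_HOSTS.get(name)
    FORWARDED.append(name)
    return upstream(name)

# Resolver a client reaches for each configured DNS server address
RESOLVERS = {"192.168.2.1": utm_resolve, "8.8.8.8": public_resolve}

def client_lookup(name, dns_servers):
    """Client side: the first reachable server answers and that settles it,
    so a second entry is not a fallback for names the first one lacks."""
    for server in dns_servers:
        resolver = RESOLVERS.get(server)
        if resolver is not None:  # unreachable servers are skipped
            return resolver(name)
    return None
```

A client listing 8.8.8.8 first therefore never resolves server.production.local, even with the UTM as second entry, which is exactly the production problem found later in this thread.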

  • Thank you for the reply,

    The intention of my concern is to make my internal server IP into a naming convention locally, not for outside DNS.

    And it was all running smoothly in my test environment on my VM side, in which I have the UTM 9.7 software-based version, and I connected my VM server and VM Win10 to that UTM and it works fine. I just assigned the hostname to be company.local, for example; then after that I assigned the VM Win server to be server.company.local (192.168.2.35) and also the interface IP of the UTM to be firewall.company.local (192.168.2.1). And I tried nslookup on the Win10 VM and it assigned my IP address to that specified name I gave.

    No external name resolution, just internal only for now, because if it will go outside or external we have to host it with a hosting provider like HostGator, right?

     my test environment

    Thank you, appreciated your response sir

    von

  • Just to be sure: did you also point your machines in the local LAN to the UTM as DNS server?

  • Yes sir

    Local PCs have static IPs, and the DNS server is pointing to the UTM:

    192.168.2.1 as DNS server

    Thank you!

    von

  • If you do an nslookup on the client (just nslookup with nothing else), what server do you get back?

    If you have IPv6 it might be that not the UTM but an IPv6 DNS server is replying instead of the UTM.

  • This is on the production environment

  • Ha!

    As you can see from your own screenshot, your production environment uses 8.8.8.8 as its DNS server. Google public DNS does not know about your internal DNS settings; you need to change your clients' settings to use the internal IP of the Sophos UTM as your one and only DNS server (just leave the second entry blank).

    And disable IPv6 on the clients; if using IPv4 only, you don't need two protocols.

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner


  • I did try to look at it but I'm confused, because I didn't configure that production environment; they just asked me for help. Can you guide me where I should go from that DNS 8.8.8.8? Because I already changed the physical interface and the LAN interface and targeted them to the Sophos interface, but still nothing happens.

  • On the client type the following command:

    ipconfig /all

    and show us the output if you need to.

    The output should show you the DHCP server (that might be the router). That device is most likely also assigning the DNS server(s). If not, they may be manually set up on the client in the network settings.
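A small checker for the `ipconfig /all` step above, added here as an example (not from the thread): it parses the DNS Servers and DHCP Server fields per adapter and reports every adapter whose resolver list does not consist of the UTM alone, together with whether the fix belongs in the client's manual settings or in the DHCP server. The sample output and the UTM address 192.168.2.1 are constructed from this thread's lab values.

```python
import re
UTM_IP = "192.168.2.1"  # the UTM's LAN address, as in the thread

# Constructed sample of `ipconfig /all` output, not a real capture
SAMPLE_IPCONFIG = """\
Ethernet adapter Ethernet:
   IPv4 Address. . . . . . . . . . . : 192.168.2.50(Preferred)
   DNS Servers . . . . . . . . . . . : 8.8.8.8
                                       192.168.2.1

Wireless LAN adapter Wi-Fi:
   DHCP Server . . . . . . . . . . . : 192.168.2.254
   DNS Servers . . . . . . . . . . . : 192.168.2.1
                                       fec0:0:0:ffff::1%1
"""

ADAPTER_RE = re.compile(r"^(\S.*adapter .*):\s*$")
FIELD_RE = re.compile(r"^ {3}(\S.*?)[ .]*: ?(.*)$")  # 3-space indent = a field

def parse_ipconfig(text):
    """Map adapter name -> {'dns': [servers in order], 'dhcp_server': str}."""
    adapters, cur, in_dns = {}, None, False
    for line in text.splitlines():
        hdr, fld = ADAPTER_RE.match(line), FIELD_RE.match(line)
        if hdr:
            cur = adapters.setdefault(hdr.group(1), {"dns": [], "dhcp_server": ""})
            in_dns = False
        elif cur is None:
            continue  # global header lines before the first adapter
        elif fld:
            field, value = fld.group(1).lower(), fld.group(2).strip()
            in_dns = field.startswith("dns servers")
            if in_dns:
                cur["dns"].append(value)
            elif field == "dhcp server":
                cur["dhcp_server"] = value
        elif in_dns and line.strip():
            cur["dns"].append(line.strip())  # continuation line: extra server
    return adapters

def check_dns(text, utm_ip=UTM_IP):
    """Adapters whose resolver list would bypass the UTM, and where to fix it."""
    findings = {}
    for name, cfg in parse_ipconfig(text).items():
        wrong = [s for s in cfg["dns"] if s != utm_ip]
        if wrong:
            where = "DHCP server %s" % cfg["dhcp_server"] if cfg["dhcp_server"] else "manual settings"
            findings[name] = "%s is not the UTM; fix in %s" % (wrong[0], where)
    return findings
```

Run `check_dns(open("ipconfig.txt").read())` on a saved `ipconfig /all > ipconfig.txt` to get the same report for a real client; the IPv6 entry in the sample is the case the post above warns about.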

  • I have access via SSL VPN to the production area. Can I do it from my side via the SSL VPN connection? Will it show me the info we need about ipconfig /all?

  • You will need to configure either the clients manually (like I show in the screenshot below) or do it via DHCP settings (automatically assigned).

    The IP address for the DNS here is just an example. You put your Sophos IP here.

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner
