
Sophos UTM as Internal DNS Server with Domain.local

Hello,

I have some questions about the DNS Best Practice Configuration https://community.sophos.com/kb/en-us/120283 as I use the UTM with domain.local

Hostname: mysophos

Network Definitions:

Name: mysophos

Type: Host

IP: 192.168.0.1

DNS Settings: mysophos.domain.local

Reverse DNS: marked

All other devices like laptop, printer, access point in DMZ, etc. are created as Host Definitions.

Network Services DNS

Allowed Networks:

Internal Network

DMZ Network

DNS Forwarders:

DNS Group – Availability Group with Cloudflare DNS 1 and Cloudflare DNS 2

Use Forwarders by ISP – not checked

Request Routing:

domain.local to mysophos

 

My questions: with the Request Routing setting domain.local to mysophos and the created host definitions, would this be enough for the internal DNS resolution, or do I have to add the 168.192.in-addr.arpa record for all networks as well, or only when I would like to have the names instead of IP addresses in the reports? Would this be the fastest way for internal DNS resolution with the UTM?

How can I check that the created DNS Forwarders to Cloudflare are working correctly?

Thx
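A way to test the setup described in the question from a client on the internal network, as an added example that is not part of the original post or of Sophos' own tooling. It assumes `dig` is installed on the client, that the UTM at 192.168.0.1 is the resolver, and that `mysophos.domain.local` has a Host definition with Reverse DNS enabled; the `UTM_DNS` variable, the function names and the public test name are the example's own choices, and the expected values are placeholders to replace with your own. It checks the three things the question asks about: forward resolution through the domain.local request route, reverse resolution through an in-addr.arpa route, and external resolution through the configured forwarders.

```shell
#!/bin/sh
# Added example, not from the thread: client-side checks for a Sophos UTM
# acting as internal DNS for domain.local.
# Assumptions: the UTM answers DNS on 192.168.0.1 (set UTM_DNS to override),
# `dig` is installed, and mysophos.domain.local has a Host definition with
# Reverse DNS enabled. Usage:  sh utm-dns-check.sh 192.168.0.1

UTM_DNS=${UTM_DNS:-192.168.0.1}

# Ask one server for one record type; short answer and no retries so a
# silent server shows up as a failure quickly.
query() {  # query <type> <name> <server>
    dig +short +time=2 +tries=1 "$1" "$2" @"$3"
}

# Forward lookup: the Request Route for domain.local must make the UTM
# answer the A record of a host definition with the configured IP.
forward_ok() {  # forward_ok <fqdn> <expected-ip> [server]
    ans=$(query A "$1" "${3:-$UTM_DNS}")
    [ "$ans" = "$2" ]
}

# Build the in-addr.arpa name for an IPv4 address
# (1.0.168.192.in-addr.arpa for 192.168.0.1).
ptr_name() {
    echo "$1" | awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa\n", $4, $3, $2, $1 }'
}

# Reverse lookup: needs both the Reverse DNS flag on the host definition and
# an in-addr.arpa Request Route pointing at the UTM. A trailing dot on the
# PTR answer is ignored.
reverse_ok() {  # reverse_ok <ip> <expected-fqdn> [server]
    ans=$(query PTR "$(ptr_name "$1")" "${3:-$UTM_DNS}")
    [ "${ans%.}" = "${2%.}" ]
}

# RFC 1918 test, used to sanity-check answers for public names.
is_private_ipv4() {
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# External resolution via the UTM's forwarders: a public name must resolve,
# and the final A record must not be a private address (a sign of a
# misrouted or interfering resolver in the path). The last line of the
# answer is used so a CNAME chain still ends on the address.
external_ok() {  # external_ok <public-fqdn> [server]
    ans=$(query A "$1" "${2:-$UTM_DNS}" | tail -n 1)
    [ -n "$ans" ] || return 1
    if is_private_ipv4 "$ans"; then return 1; fi
    return 0
}

report() {  # report <label> <command...>
    label=$1; shift
    if "$@"; then echo "OK    $label"; else echo "FAIL  $label"; fi
}

run_checks() {  # run_checks <utm-ip>
    UTM_DNS=$1
    report "forward  mysophos.domain.local -> 192.168.0.1" \
        forward_ok mysophos.domain.local 192.168.0.1
    report "reverse  192.168.0.1 -> mysophos.domain.local" \
        reverse_ok 192.168.0.1 mysophos.domain.local
    # Replace example.com with a public name you expect to resolve.
    report "external example.com via UTM" external_ok example.com
}

if [ $# -gt 0 ]; then run_checks "$@"; fi
```

From a client the script can only show that a public name resolves through the UTM and that the answer is plausible; which upstream the UTM actually used is not visible in the reply, so that part is verified on the UTM itself, in the DNS Forwarders, Request Routing and Multipath rule settings.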



  • or do I have to add the 168.192.in-addr.arpa record for all networks as well?

    Yes, you need an in-addr.arpa DNS request route to your internal DNS server too. For local UTM DNS entries you can activate this option:

    Definitions & Users > Network Definitions > Network Definitions > DNS Settings > Reverse DNS

    + and all your client DNS settings should point to the UTM, obviously.

  • Thanks a lot for your information.

    The Reverse DNS settings for the devices I had already created.

    I have now added the in-addr.arpa records for all the networks + DMZ pointing to the UTM.

    The internal resolution works fine now. But the defined Cloudflare forwarders are not used. Instead the ISP's forwarders are used.

    I defined the Availability Group with the Cloudflare DNS servers under Forwarders, and disabled "Use forwarders by ISP".

    Is there anything else I have to do so that the UTM uses the Cloudflare DNS servers?

    Thx

    Best regards

    Sally

  • For others that pass by this thread, I recommend the DNS best practice post from which the KB article linked to above was copied.  The post is updated regularly, but the KB is rarely updated.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello,

    I still have the issues with the forwarders: when using the Policy Route Internal Network - Any - Internet IPv4 - External (WAN), the forwarders from the ISP are used instead of the Cloudflare forwarders in the DNS Forwarder Availability Group.

    Any suggestion?

    Thx

    Sally

  • Please show a picture of the DNS Forwarders box with the Host for Cloudflare DNS open in Edit.  Also, a picture of the Edit of the Policy Route.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello Bob,

    please see the information here. Regarding the Policy Route, I meant the Multipath Rule.

    Best regards

    Sally

  • Now, how about pictures of the 'DNS Forwarders' tab, the 'Request Routing' tab and the enabled rules on the 'Multipath Rules' tab.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Please see here

  • Confirm that the DMZ and Internal networks are in 'Allowed Networks' on the 'DNS' 'Global' tab.

    I assume that you did that, so the only remaining issue is DHCP - please show pictures of the Edits of the DHCP servers for your networks.

    Cheers - Bob
    PS, I assume you have only one WAN connection since you only showed us one Multipath rule - is that right?

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Yes, I confirm that under DNS - Global - Allowed Networks the Internal and DMZ networks are listed. DNSSEC Validation is marked.

    Please see the DHCP settings here: