
Change UTM DNS Server to other Internal DNS Server

Hello,

I have already read the DNS Best Practice article and the UTM Help section, but I still have questions about how to change my DNS server correctly. At the moment I use the UTM as DNS server, and I have already created all my internal devices as host objects with the DNS name and reverse DNS marked. The clients receive domain.local via DHCP and the DNS configuration via the UTM.

Web Filtering SSL proxy in transparent mode is active and I also have Multipath Routes defined:

Interfaces – Multipath Routes:

PC1 – Any – Internet IPv4 – External (WAN)

PC2 – Any – Internet IPv4 – DMZ VPN

Actual DNS config with UTM

Under DNS – Global – Allowed Networks:

DMZ VPN Network

Internal Network

DNS Forwarders:

External Forwarders Google (Host Object)

Request Routing:

168.192.in-addr.arpa → UTM

33.172.in-addr.arpa → UTM

utm.local → UTM

Planned config with Linux DNS server:

I have now installed an internal Linux DNS server with the following config:

192.168.0.5/24

GW: 192.168.0.1 (UTM)

DNS: 127.0.0.1

Under Network Protection – Firewall I have added:

Source: Linux DNS

Service:

HTTPS (443/tcp)

DNS (53/udp)

Destination: 8.8.8.8 (created Google DNS Host Object)

Allow

Questions:

  1. Allowed Networks: As I have created all devices as host objects and allow recursive DNS, can I leave the Internal and DMZ Network here, even with the other internal Linux DNS server (192.168.0.5) specified as forwarder?

  2. Request Routing: Do I have to change the target here from UTM to the Linux DNS server (domain.local → Linux DNS), and also the target of the in-addr.arpa networks to the new DNS server, or can I still leave the UTM here, and is it sufficient when just the Linux DNS server (192.168.0.5) is specified under Forwarders, which should send the request out to the external Google DNS server?

Thanks

br



  • Hello,

    With "Internal (Network)" in 'Allowed Networks', your firewall rule is redundant.  If the DNS devices are to use the Linux DNS server, you will need a firewall rule for that.

    1. Leave 'Allowed Networks' as is.  Just make sure that DHCP assigns the Linux DNS server.
    2. The device that assigns IP addresses is the one that can "know" how to do rDNS.

    The DNS Best Practice KnowledgeBase article was copied from my DNS best practice post several years ago.  My post has been updated many times since.

    I still recommend Users -> Internal DNS server -> UTM -> 'DNS Forwarders' rather than Users -> Internal DNS server -> 'DNS Forwarders'

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    thanks for the update, now I am more confused by your answers :)

    All internal networks are defined in Allowed Networks, but if I change the DNS from the UTM (IP) to the other internal DNS server (IP), I would need the additional firewall rule as above (even if the other internal DNS server is in the allowed networks range)?

    As the UTM will still be the DHCP server, when changing the DNS to the new Linux server, the UTM should still know the rDNS?

    Users -> Internal DNS server -> UTM -> 'DNS Forwarders'

    Would there also be another approach possible (if one hop more or less plays no role):

    If I keep the UTM as DNS server in the client settings: clients request the UTM DNS server, the UTM tries to resolve (internal); if the request is external, it forwards to the Linux DNS server, and the Linux DNS server forwards the request to the external forwarder?

    thx

    br

    Sally

  • My answer assumed that the Linux DNS server was in "Internal (Network)" -- is that not the case?  If it is, traffic within the LAN isn't seen by the UTM.  I assumed that the Linux DNS server would ask the UTM for external name resolution.  I think it's easier and clearer to do Users -> Internal DNS server -> UTM -> 'DNS Forwarders' than to have to create Request Routes in the UTM.

    Cheers - Bob

     
  • Thanks Bob! Yes, the Linux DNS server is in the internal network (clients network). Let's assume I want to go the more difficult route :) how do I have to configure request routing correctly?

    Thx

    Sally

  • You would need an RR that pointed at the Linux DNS server for each internal domain.

    Cheers - Bob

     
  • Thx, so I would point my .local domain to the Linux DNS server under RR. But do I then still need the entries created for the internal networks, for example 168.192.in-addr.arpa? If yes, should they point to the Linux DNS server as well?

    Under Global Allowed Networks the internal networks can still be defined and do not have to be removed, if I understand correctly.

    When RR is defined, what do I need to add under the Forwarders tab?

    Thx

    br

    Sally


  • If the UTM is the DHCP server for the clients, no Request Route is needed for rDNS.

    The Forwarders list should stay the same.

    Please let us know your results.

    Cheers - Bob

     
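As an added example that is not part of the thread, the following BIND 9 named.conf fragment shows what Bob's recommended chain (Users -> Internal DNS server -> UTM -> 'DNS Forwarders') looks like on the Linux DNS server side, with the addresses and zone names from Sally's post. BIND as the server software, the file paths and the DMZ VPN subnet are assumptions; on the UTM side nothing changes except that DHCP hands out 192.168.0.5 as DNS server.

```conf
// Constructed example for the internal Linux DNS server at 192.168.0.5.
// Assumes BIND 9; the UTM at 192.168.0.1 stays DHCP server and upstream
// resolver, and keeps its own 'DNS Forwarders' (Google) and 'Allowed Networks'.
acl "internal-nets" {
    192.168.0.0/24;        // Internal Network (clients and this server)
    10.0.0.0/24;           // PLACEHOLDER: replace with the real DMZ VPN network
};

options {
    directory "/var/cache/bind";                 // assumed path
    listen-on { 192.168.0.5; 127.0.0.1; };
    // Mirror the UTM's 'Allowed Networks': only internal clients may query
    // or recurse, so the server is never reachable as an open resolver.
    allow-query     { internal-nets; localhost; };
    allow-recursion { internal-nets; localhost; };
    // Everything this server does not own goes to the UTM, which applies
    // its configured forwarders; no direct 8.8.8.8 rule is needed then.
    forwarders { 192.168.0.1; };
    forward only;
};

// The internal domain this server now owns (no UTM Request Route needed
// for it when clients ask this server directly).
zone "utm.local" {
    type master;
    file "/etc/bind/db.utm.local";               // assumed zone file
};

// rDNS: the UTM assigns the leases, so only it can map 192.168.x.x back
// to names. With 'forward only' above this is already covered; keep the
// explicit forward zone if the global forwarder is ever pointed straight
// at Google instead of the UTM, so reverse lookups still reach the UTM.
zone "168.192.in-addr.arpa" {
    type forward;
    forward only;
    forwarders { 192.168.0.1; };
};
```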