Availability Groups and internal DNS resolution by UTM as DNS server

Hi all,

at first I wish you all a happy new year.

I'm using the latest UTM release and want to test the Availability Group in the Network Definitions.

My use case: I'm accessing my file server by using an alternate DNS name, added to the host object of the file server in the Network Definitions of the UTM so that this name can be resolved by the UTM which is the DNS server for my internal network. This is working fine. Now I'm thinking about setting up a second file server which should be reachable by the same name when the primary file server is unavailable.

For this, an Availability Group is a good way. I have no need for load balancing, which doesn't work for services running in the same network the client systems are connected to.

I tried this out by deleting the alternate name from the host object in the Network Definitions and then setting up an Availability Group using this alternate name, adding the two hosts which are used as file servers. The resolution of the Availability Group to the host IP address works perfectly and changes when changing the sequence of the hosts. But trying to access the file server by the name of the Availability Group doesn't work. Doing an 'nslookup' on the client shows the UTM as DNS server, but the name can't be resolved by the UTM. Is this a behavior of the UTM by design? Are Availability Groups not resolved as DNS names in the UTM? What do I have to set up to get my use case working?

Thank you and kind Regards


Edit of description
[edited by: TheExpert at 6:39 PM (GMT -8) on 6 Jan 2021]
  • Availability groups are not the same as DNS as you have found out. An availability group can be used by the UTM itself to failover to the next machine if the current is unavailable.

    We use this e.g. as DNS resolver; the availability group that is configured as our DNS resolver has a few different external DNS servers in it, so there's always DNS resolution if a server fails.

    We also use an availability group with all our AD domain controllers in it in the order that we would like them to be probed; so 1st is DC on site, second is DC behind the fastest connection, etc.

    That way usually the DC on-site will be queried for RADIUS and AD SSO, but if it should be unavailable it just queries another DC behind a VPN-connection.

    Managing several Sophos UTMs and Sophos XGs both at work and at some home locations, dedicated to continuously improving IT security and happy to help others with their IT security challenges.

    Sometimes I post some useful tips on my blog, see blog.pijnappels.eu/category/sophos/ for Sophos related posts.

  • Hello,

    As apijnappels said, you can't solve your problem in a way similar to an actual name server.  Note that the log file is "DNS Proxy" instead of "DNS Server."  The Availability Group solution is the only way to have failover for two internal servers - I can't think of any other solution possible without a separate, full DNS Server.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
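To make apijnappels' point concrete: an availability group is ordered probing done by the UTM itself (first member that answers wins, next member on failure), not a DNS record the DNS proxy hands out to clients. The following Python script is an added example, not code from the original thread or from Sophos, that reproduces that ordered-failover selection from a client's point of view. The file server addresses (192.0.2.10 and 192.0.2.11, RFC 5737 documentation space) and the probe-result tables are constructed for the example; the live probe on TCP port 445 (SMB) is optional and only used when you call it yourself.

```python
import socket
from typing import Callable, Iterable, Optional, Set

# Constructed example: two file servers in the order they should be probed,
# primary first. These are RFC 5737 documentation addresses, not real hosts.
FILE_SERVERS = ["192.0.2.10", "192.0.2.11"]
SMB_PORT = 445


def tcp_probe(host: str, port: int = SMB_PORT, timeout: float = 1.0) -> bool:
    """Live probe: a TCP connect to host:port succeeds -> host counts as up.
    Only used when a caller passes it explicitly; the examples below stay offline."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def select_available(hosts: Iterable[str], probe: Callable[[str], bool]) -> Optional[str]:
    """Availability-group semantics: walk the members in configured order and
    return the first one whose probe succeeds; None if every member is down.
    This is what the UTM does internally for e.g. DNS forwarders or AD DCs;
    it is not something the UTM's DNS proxy exposes as a resolvable name."""
    for host in hosts:
        if probe(host):
            return host
    return None


def fake_probe(up: Set[str]) -> Callable[[str], bool]:
    """Constructed probe backed by a table of hosts assumed reachable, so the
    failover logic can be exercised without any network access."""
    return lambda host: host in up


def resolve_group(up: Set[str], hosts: Iterable[str] = FILE_SERVERS) -> Optional[str]:
    """Pick the file server a client should use, given which hosts are up."""
    return select_available(hosts, fake_probe(up))


def resolve_group_reordered(up: Set[str]) -> Optional[str]:
    """Same table, members listed in the opposite order: shows that the
    sequence of the members, not their reachability alone, decides the pick."""
    return select_available(list(reversed(FILE_SERVERS)), fake_probe(up))


if __name__ == "__main__":
    print(resolve_group({"192.0.2.10", "192.0.2.11"}))   # both up -> primary
    print(resolve_group({"192.0.2.11"}))                  # primary down -> secondary
    print(resolve_group(set()))                           # nothing up -> None
    print(resolve_group_reordered({"192.0.2.10", "192.0.2.11"}))  # order flipped
    # Live check against real servers (not run here):
    # print(select_available(FILE_SERVERS, lambda h: tcp_probe(h, SMB_PORT)))
```

The script is only a model of the probing the UTM does for its own consumers of a group. For clients that must reach the file server by a single name, the selection has to happen somewhere the clients actually query, which is why Bob's answer points to a separate, full DNS server as the only alternative.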