
[SOLVED] DNS best practice?

There are two ways to configure DNS:

One way:
- Allowing DNS outgoing for your internal nameservers
- internal nameservers forwarding to ISP-DNS
- ASG pointing to internal nameservers 

Another way:
- ASG forwarding to ISP-nameservers
- "request routing" on ASG for internal domain pointing to internal nameservers
- internal nameservers forwarding to ASG
 
Which way do you use? And why? Which is "officially preferred"?
Both configurations seem to work well for me; we run the first alternative on our cluster and the second in branch offices without internal DNS (domain DNS reachable via site-to-site VPN).

Thanks for your ideas!
Thomas



BAlfson's DNS Best Practice post has been moved to its own highlighted thread here: https://community.sophos.com/utm-firewall/f/recommended-reads/122972/dns-best-practice
[edited by: FloSupport at 11:12 AM (GMT -7) on 18 Sep 2020]
  • Good point, BD.  I was just thinking about avoiding .com.  Although there are still a lot of internal domains with .local, given the choice, something like .loc, .home or .office is better.  Check out the post and the Changelog. [;)]

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I'm having an issue with DNS that I can't seem to figure out.  I would greatly appreciate any and all help!!

    Under DNS > Global > empty
    Forwarders > OpenDNS & Internal DNS (DC) & Use forwarders ISP(unchecked)
    Request Routing > mydomain.com > Internal DNS (DC) & .in-addr.arpa for each subnet > Internal DNS (DC)
    UTM is also joined to domain under SSO

    When I use DNS lookup from UTM I'm able to resolve IP to hostnames and vice versa, but reporting only resolves a few entries.  On my DNS server I have correct records and zones for forward and reverse.

    Any ideas???

    Thanks,

    James
  • So is Request routing the same as Conditional Forwarders in Windows Server?

    Thanks?

    JK

    CompKickers

  • So is Request routing the same as Conditional Forwarders in Windows Server?

    Thanks?

    JK


    Yes it is the same.

    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Hi, James, and welcome to the User BB!

    Check out DNS Best Practice.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Any thoughts on using root hints over forwarders for Domain Controllers?
  • Root Hints should only be helpful when the Forwarders aren't available.  If you use the approach I've documented in this thread, the only time they wouldn't be available would be when the UTM is dead or removed.  Still, it doesn't "cost" anything to use root hints if no forwarders are available, I would leave that selected.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Bob, you might want to edit the following in RED.

    In 'Request Routing', the internal DNS is used for reverse DNS of internal IPs (for example, if your internal subnet is 172.16.20.0/24, you would have "20.16.172.in-addr.arpa" in the 'Domain' field and your internal DNS server(s) in 'Target Servers'). With that, the UTM can list machine names instead of internal IP addresses in the reports.

    I was able to figure out why resolution still wasn't working because I forgot to put the period (.) after arpa.  Might want to edit that line to make sure people include the period at the end.

     

    - Chris

    Breakingcustom Technologies, LLC.
    Sophos Silver Solution Partner
    Sophos XG16.5 Certified Architect / Sophos UTM Network Engineer

  • Interesting, Chris!  I wonder what is different since I think that this works for my clients with "arpa" instead of "arpa." in the Request Route.  What test are you making to see whether reverse DNS is working - are you looking at the Executive Report?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Regarding the answer from Breakingcustom and yours:

    In the RFC, the DNS trailing dot is needed for fully-qualified (unambiguous) DNS domain names. The . (dot) is the root of DNS. An example: community.sophos.com. is in fact the fully-qualified (unambiguous) DNS domain name for this community. It will "spell" root com sophos community.

    Best regards

    Georg
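The reverse-zone and trailing-dot points raised by Chris and Georg above, as an added worked example that is not code from the thread or from Sophos: it derives the in-addr.arpa zone name(s) for a subnet (generalised from the /24 case to any prefix length), normalises names to their fully-qualified form so "arpa" and "arpa." are treated alike, and picks the most specific request-routing entry for a forward or PTR query. The routing table and the DC address 172.16.20.10 are constructed values.

```python
import ipaddress

def fqdn(name):
    """Normalise a DNS name to its fully-qualified form, i.e. with the trailing root dot."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."

def root_to_leaf(name):
    """Labels of a name read from the root outwards ('community.sophos.com.' -> com, sophos, community)."""
    return fqdn(name).rstrip(".").split(".")[::-1]

def reverse_zones(cidr):
    """in-addr.arpa zone name(s) covering an IPv4 prefix, each with the trailing dot.
    Zones are cut at octet boundaries: a /23 needs two /24 zones, a /25 sits inside
    its /24 zone (RFC 2317 classless delegation is not modelled)."""
    net = ipaddress.ip_network(cidr, strict=True)
    boundary = min(24, max(8, -(-net.prefixlen // 8) * 8))   # round up to 8/16/24
    nets = net.subnets(new_prefix=boundary) if net.prefixlen <= boundary \
        else [net.supernet(new_prefix=boundary)]
    labels = boundary // 8
    zones = []
    for n in nets:
        octets = str(n.network_address).split(".")[:labels]
        zones.append(".".join(reversed(octets)) + ".in-addr.arpa.")
    return zones

def ptr_name(ip):
    """Query name a resolver sends for a reverse lookup of an IPv4 address."""
    return ipaddress.ip_address(ip).reverse_pointer + "."

def route_for(query, routes):
    """Target server for a query under request routing: the most specific configured
    domain that equals the query name or is a label suffix of it; None if no match."""
    q = fqdn(query)
    best = None
    for domain, target in routes.items():
        d = fqdn(domain)           # 'arpa' and 'arpa.' are treated identically
        if (q == d or q.endswith("." + d)) and (best is None or len(d) > len(best[0])):
            best = (d, target)
    return best[1] if best else None

# Constructed request-routing table; the internal DC address is an assumed value.
ROUTES = {
    "mydomain.com": "172.16.20.10",
    reverse_zones("172.16.20.0/24")[0]: "172.16.20.10",
}

if __name__ == "__main__":
    print(reverse_zones("192.168.0.0/23"))              # two /24 zones
    print(route_for(ptr_name("172.16.20.5"), ROUTES))   # 172.16.20.10
    print(route_for("8.8.8.8.in-addr.arpa", ROUTES))    # None: goes to the forwarders
```

A query that matches no routing entry returns None here, which corresponds to the UTM sending it to the configured forwarders instead of the internal DC.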