
[SOLVED] DNS best practice?

There are two ways to configure DNS:

One way:
- Allowing DNS outgoing for your internal nameservers
- internal nameservers forwarding to ISP-DNS
- ASG pointing to internal nameservers 

Another way:
- ASG forwarding to ISP-nameservers
- "request routing" on ASG for internal domain pointing to internal nameservers
- internal nameservers forwarding to ASG
 
Which way do you use? And why? Which is "officially preferred"?
Both configurations seem to work well for me; we run the first alternative on our cluster and the second in branch offices without internal DNS (domain DNS reachable via site-to-site VPN).

Thanks for your ideas!
Thomas



BAlfson's DNS Best Practices post has been moved to its own highlighted thread here: https://community.sophos.com/utm-firewall/f/recommended-reads/122972/dns-best-practice
[edited by: FloSupport at 11:12 AM (GMT -7) on 18 Sep 2020]
  • An example:

    10.10.10.1 is the IP of the UTM's "Internal (Address)"
    10.10.10.3 is our domain controller that handles internal DNS

    In the UTM we have two Request Routes: 'mediasoft.local -> 10.10.10.3' and '10.10.10.in-addr.arpa -> 10.10.10.3'. The only entry in 'Forwarders' is an Availability Group containing 208.67.222.222 and 208.67.220.220.

    DHCP for the internal network is handled by the domain controller and it assigns four forwarders to the clients:
    1. 10.10.10.3
    2. 10.10.10.1
    3. 208.67.222.222
    4. 208.67.220.220

    DNS in the domain controller lists three forwarders:
    1. 10.10.10.1
    2. 208.67.222.222
    3. 208.67.220.220

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
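The chain Bob describes (clients to the DC, DC to the UTM, UTM to OpenDNS, with Request Routes sending the internal forward and reverse zones back to the DC) is easy to reason about for a single name but harder to check for loops once several boxes forward to each other. The script below is an added example, not from the thread or from Sophos: it models each resolver as a set of authoritative zones, a table of request routes and an ordered forwarder list (a simplification of UTM "Request Routing"/"Forwarders" and Windows DNS forwarders, which only consults the first forwarder), then traces where a query ends up. The second configuration, with the reverse zone missing from the DC, is a constructed misconfiguration to show how a forwarding loop between the DC and the UTM would look.

```python
"""Trace DNS forwarding paths for the UTM/domain-controller design in the thread.

Added example: resolver behaviour is modelled, not queried. The loop case is a
constructed misconfiguration (reverse zone not hosted on the DC), not Bob's setup.
"""
from dataclasses import dataclass, field


@dataclass
class Resolver:
    name: str
    ip: str
    authoritative: set = field(default_factory=set)     # zones answered locally
    request_routes: dict = field(default_factory=dict)  # zone suffix -> next hop IP
    forwarders: list = field(default_factory=list)      # ordered; only the first is used here


def zone_match(qname, zone):
    """True if qname is the zone apex or lies below it (case-insensitive)."""
    q, z = qname.rstrip(".").lower(), zone.rstrip(".").lower()
    return q == z or q.endswith("." + z)


def trace(qname, start_ip, resolvers, max_hops=8):
    """Follow qname from start_ip through the resolver map.

    Returns (path, outcome) where outcome is one of:
      'authoritative' - a resolver we control answers from its own zone data
      'internet'      - the query leaves for an IP not in the map (public resolver)
      'loop'          - the next hop is already on the path
      'dead_end'      - a resolver has neither zone data nor a forwarder
    """
    path, ip = [start_ip], start_ip
    for _ in range(max_hops):
        r = resolvers.get(ip)
        if r is None:
            return path, "internet"
        if any(zone_match(qname, z) for z in r.authoritative):
            return path, "authoritative"
        # Request routes take precedence over the generic forwarder list
        next_ip = next((t for z, t in r.request_routes.items() if zone_match(qname, z)), None)
        if next_ip is None:
            if not r.forwarders:
                return path, "dead_end"
            next_ip = r.forwarders[0]
        path.append(next_ip)
        if path.count(next_ip) > 1:
            return path, "loop"
        ip = next_ip
    return path, "loop"


def bob_config():
    """Resolver map as described in the post (10.10.10.1 = UTM, 10.10.10.3 = DC)."""
    utm = Resolver("UTM", "10.10.10.1",
                   request_routes={"mediasoft.local": "10.10.10.3",
                                   "10.10.10.in-addr.arpa": "10.10.10.3"},
                   forwarders=["208.67.222.222", "208.67.220.220"])
    dc = Resolver("DC", "10.10.10.3",
                  authoritative={"mediasoft.local", "10.10.10.in-addr.arpa"},
                  forwarders=["10.10.10.1", "208.67.222.222", "208.67.220.220"])
    return {utm.ip: utm, dc.ip: dc}


def missing_reverse_zone_config():
    """Constructed misconfiguration: the DC does not host the reverse zone the UTM routes to it."""
    cfg = bob_config()
    cfg["10.10.10.3"].authoritative = {"mediasoft.local"}
    return cfg


if __name__ == "__main__":
    cfg = bob_config()
    # Client's first DNS server is the DC; internal names never leave the LAN
    print(trace("fileserver.mediasoft.local", "10.10.10.3", cfg))
    # Public name: DC -> UTM -> OpenDNS
    print(trace("www.example.com", "10.10.10.3", cfg))
    # Client that fell back to its second server (the UTM): request route sends it to the DC
    print(trace("fileserver.mediasoft.local", "10.10.10.1", cfg))
    # Client that fell back to OpenDNS directly: internal name goes to the internet unresolved
    print(trace("fileserver.mediasoft.local", "208.67.222.222", cfg))
    # Misconfiguration: UTM routes the reverse zone to the DC, DC forwards back to the UTM
    print(trace("5.10.10.10.in-addr.arpa", "10.10.10.1", missing_reverse_zone_config()))
```

Two things the traces make visible that the list of forwarders alone does not: a client that has moved on to the third or fourth DHCP-assigned server (OpenDNS) sends mediasoft.local lookups straight out to the internet, where they cannot be answered, and any zone the UTM routes to the DC must actually exist on the DC, otherwise the DC's forwarder to 10.10.10.1 sends the query straight back and the two boxes ping-pong until a hop limit ends it.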