DNS Best Practice
You might have seen the model we use as I've described it in many places here:
We used to do it the other way, but comments by BarryG, BruceKConvergent and others convinced me to change our approach.Cheers - Bob* Caution: unchecking 'Use forwarders assigned by ISP' and failing to populate 'DNS Forwarders' will result in degraded performance as the ASG/UTM will fall back to the Root Name Servers.Change Log: 2020-02-14 Based on a post by wolfman1, I added a warning in 2. about using Google if spamhaus.org is one of the RBLs used in the SMTP Proxy; 2017-11-13 Added 2.a and 2.b based on further info in Alex Busch's thread; 2017-11-12 Added the caveat to #2 about the SMTP Proxy because of Alex Busch's comments about Content Delivery Networks (CDNs); 2017-08-02 added #8 based on a comment by Sophos' Michael Dunn; 2017-06-09 added "VPN Pool" to #1; 2017-04-08 made #3 clearer based on a question by jlbrown also added "or Google" to #5 & #6; 2017-02-12 added 188.8.131.52 comment to #2 based on a comment here by rfcat_vk; 2017-01-14 added "in the 'Domain' field" in #3; 2015-09-25 In #7 corrected #5 to #6; 2015-09-24 changed Astaro to UTM and added #7 based on comments by vilic in DNS issue?; 2015-06-22 based on a thread by TCF, I improved the wording in #1, #2 & #4; 2015-06-20 changed from .local to .loc as reminded by bimmerdriver; 2015-03-20 Added title; 2014-10-04 DHCP and internal FQDNs; 2013-10-09 Added Availability Group idea from adrienjb in #2; 2013-02-04 reordered; 2012-08-20 Added "* Caution" note for #2 based on a suggestion by BarryG
I know this is an old thread but I wanted to ask a question anyway. At this link, https://community.sophos.com/kb/en-us/120283, the first thing to do is add "Allowed Networks". Its states:
All of my clients use our Internal DNS servers for requests, so I would pick the option to add my DNS Servers to the allowed networks list. But in your comment above, you are only entering internal networks. Which would be better? I understand the rest of this but the first part confused me.
The reason for that, David, is to create a faster, more-robust name resolution scheme. If the DC is running, it will have the quickest answer. If the DC is down, the clients will get their next-fastest response from the UTM. If both the DC and the UTM are failing to provide name resolution, the clients will query the OpenDNS or Google name server(s).
Cheers - Bob
Hmm, in most cases, domain-joined clients will ask their DC, which in most cases will often be their DHCP server as well.If the DC is down - even if I had given the UTM as 2nd DNS server in DHCP options - I'll normally have bigger problems than people not being able to surf... :D
And if the UTM in your constellation is also down, how do the people connect to the internet then or how do they connect to any external dns server?In most cases an UTM will be the (only) gateway in the network, maybe the 1st/only or 2nd dns server and if 1st it will be serving DHCP, too.
What I was wondering... we (my company) are configuring new windows dns servers regularly to allways and ever use the root servers only. Often we do not get any dns servers from the ISPs with the static IP configuration and in the rare times we had forwarded to 184.108.40.206 and 220.127.116.11 DNS requests weren't noticeably faster than using only the root servers. What are your experiences with that Bob?
Gruß / Regards,
KevinSophos CE/CA (XG+UTM), Gold Partner
What is the opinion on using the UTM as first and a DC as second DNS on the clients (via DHCP)?
My reason for that is the reporting behavior of the IPS.
So you get more load for DNS at the UTM but you don't need debug logging on your Windows DNS for identifying a client. Debug logging will lessen the performance too. Because IPS tells you only a suspicious DNS request came from a DC IP. So should the best practice not be to use the UTM DNS in first place?
I use it that way and doesn't see any disadvantage till now.
The reason to have DHCP pass out DNS as (DC, UTM, External) is the unlikely situation where both the DC and the UTM are taken out. Assuming that such a catastrophe didn't also take out the ISP's connection and the clients, a direct connection would allow clients with cloud-based activities to continue working. Definitely a belt-and-suspenders approach.[;)]
I haven't personally tried using root hints instead of forwarders, Kevin, so I can't comment on that. I wouldn't be surprised that the results are close, especially for FQDNs that are rarely used.
Somewhere in this thread, someone suggested a technique for finding the fastest name server available to a particular connection. It just seems like Google and OpenDNS are so fast that it's not worth worrying about things like this any more. Although the post says OpenDNS, I also personally began using Google (with 18.104.22.168 first in the Availability Group since it's less-used) because OpenDNS didn't support DNSSEC - I don't know if that's still the case.
How should the DNS config be in distributed setups?
E.g. a company has 3 sites with own local DNS-servers and VPN is configured to tunnel the whole traffic. Should every DC/DNS has the UTM as forwarding target configured as this setting is not replicated via Active Directory or should the chain be site-DNS -> central-DNS -> Sophos-DNS?
That's how I would do it, Kevin, but with the sites falling back to the Sophos if the central-DNS is unavailable.