DNS best practice

DNS Best Practice

You might have seen the model we use as I've described it in many places here:

  1. The 'Global' tab of 'Network Services >> DNS' lists "Internal (Network)" (also other internal networks, like "DMZ (Network)" and any "VPN Pool" if applicable) as 'Allowed networks'.
  2. On the 'Forwarders' tab, if you use or plan to use the SMTP Proxy, use an Availability Group containing the OpenDNS or Google (8.8.4.4 first, for speed) name servers in 'DNS Forwarders' (if using any spamhaus.org RBLs with the SMTP Proxy, don't use Google DNS). 'Use forwarders assigned by ISP' is not checked.*
    1. If the SMTP Proxy is not to be a part of your setup, don't add anything in 'DNS Forwarders' and do select 'Use forwarders assigned by ISP'.  See the Change Log below concerning CDNs.
    2. Alternatively, if you're using a Microsoft CDN like Office365, do use the Availability Group approach above and add a Request Route for office365.com pointing at your ISP's name server.
  3. In 'Request Routing', the internal DNS is used for reverse DNS of internal IPs (for example if your internal subnet is 172.16.20.0/24, you would have "20.16.172.in-addr.arpa" in the 'Domain' field and your internal DNS server(s) in 'Target Servers'. With that, the UTM can list machine names instead of internal IP addresses in the reports.
  4. Also, in 'Request Routing', so the UTM can resolve internal FQDNs, add, for example 'yourdomain.loc -> {internal DNS server}'. Do the same for other domains for which you have Forward Lookup Zones in your internal DNS server.
  5. Configure Windows Server (or other) DHCP server for internal devices to point at your internal name server for DNS, then the UTM, then the OpenDNS or Google servers.
  6. The internal DNS server's first forwarder is to the UTM's DNS Proxy, then to the OpenDNS or Google servers.
  7. If you consistently have "connection to server timed out" issues and ECN is not selected ('Advanced' tab of 'QoS'), empty 'Allowed networks' in #1, configure the internal DNS server to bypass the UTM in #6. I suspect this is caused by a problem at the ISP.
  8. In Transparent mode Web Filtering, the client browser resolves FQDNs.  When Pharming Protection is enabled at the bottom of the 'Misc' tab, the Proxy will block a request with "Host Not Found" if it cannot resolve the FQDN to an IP.  If disabling Pharming Protection eliminates such blocks for you, then you have not followed #1 through #7.

We used to do it the other way, but comments by BarryG, BruceKConvergent and others convinced me to change our approach.

Cheers - Bob
* Caution: unchecking 'Use forwarders assigned by ISP' and failing to populate 'DNS Forwarders' will result in degraded performance as the ASG/UTM will fall back to the Root Name Servers.

Change Log: 2020-02-14 Based on a post by wolfman1, I added a warning in 2. about using Google if spamhaus.org is one of the RBLs used in the SMTP Proxy; 2017-11-13 Added 2.a and 2.b based on further info in Alex Busch's thread; 2017-11-12 Added the caveat to #2 about the SMTP Proxy because of Alex Busch's comments about Content Delivery Networks (CDNs); 2017-08-02 added #8 based on a comment by Sophos' Michael Dunn; 2017-06-09 added "VPN Pool" to #1; 2017-04-08 made #3 clearer based on a question by jlbrown also added "or Google" to #5 & #6; 2017-02-12 added 8.8.4.4 comment to #2 based on a comment here by rfcat_vk; 2017-01-14 added "in the 'Domain' field" in #3; 2015-09-25 In #7 corrected #5 to #6; 2015-09-24 changed Astaro to UTM and added #7 based on comments by vilic in DNS issue?; 2015-06-22 based on a thread by TCF, I improved the wording in #1, #2 & #4; 2015-06-20 changed from .local to .loc as reminded by bimmerdriver; 2015-03-20 Added title; 2014-10-04 DHCP and internal FQDNs; 2013-10-09 Added Availability Group idea from adrienjb in #2; 2013-02-04 reordered; 2012-08-20 Added "* Caution" note for #2 based on a suggestion by BarryG



Tags
[edited by: FloSupport at 11:06 AM (GMT -7) on 18 Sep 2020]
Parents
  • BAlfson said:

    DNS Best Practice

    You might have seen the model we use as I've described it in many places here:

    1. ...
    2. On the 'Forwarders' tab, use an Availability Group containing the OpenDNS or Google (8.8.4.4 first, for speed) name servers in 'DNS Forwarders'. 'Use forwarders assigned by ISP' is not checked.*
      ....

    As not everyone here is located in the US, if the UTM uses OpenDNS or GoogleDNS as forwarders, things like geolocation via DNS aren't working anymore. So a lot of CDN and Office365 may perform not in perfect condition.

    I think one should keep that in mind for best practices.

    Best

    Alex

    -

  • Could you expand on that, Alex?  Some ISPs hijack DNS and that interferes with RBL lookups, hence the preference for OpenDNS and Google and de-selecting 'Use forwarders assigned by ISP'.

    If one were to use Request Routing for these CDNs and Office365, what domains or FQDNs would one want to direct to one's ISP's name servers?  If you wanted to start and maintain a post in a thread named something like DNS Best Practice and CDNs, Office365, etc., I would link to it from the Best Practice post I maintain at the top of this thread.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hey Bob,

    BAlfson said:

    Could you expand on that, Alex?  Some ISPs hijack DNS and that interferes with RBL lookups, hence the preference for OpenDNS and Google and de-selecting 'Use forwarders assigned by ISP'.
    ...

     

    I totally agree with you that there are probably more problems with providers' DNS servers than Google or OpenDNS. Root hints are too slow. As already mentioned, there will probably be problems in connection with Office 365, because the function of the DNS geolocation cannot work properly.
    Essentially, it is about the provider operating a large network itself (MGN - Microsoft Global Network) and trying to connect the client to an access point with low latency. Of course, the geographical distance is important for this. Therefore, the resolution of a certain address e. g. outlook. office365. com to different targets, depending on the geographical position. If the DNS server is Google, for example, I will probably get an access point near the Google DNS servers, although I am in Germany myself.
    This is a short summary
    There are certainly better explanations. You can find one here.
    In any case, this would be a point that speaks in favour of performing the DNS resolution as locally (provider) as possible.
    I do not know now whether there are indeed measures that Google is also taking to counteract this. 

    BAlfson said:

    ...

    If one were to use Request Routing for these CDNs and Office365, what domains or FQDNs would one want to direct to one's ISP's name servers?  If you wanted to start and maintain a post in a thread named something like DNS Best Practice and CDNs, Office365, etc., I would link to it from the Best Practice post I maintain at the top of this thread.

    I don't think I'm quite ready to contribute enough. Currently I don't even use Office365 productively: -)
    But I thought there might be people here who already have experience with it.
    But in the future I will gladly come back to your offer.

    Best
    Alex

    -

  • Brilliant, Alex!  You appear to be the first to have had this insight. 

    I'll change the Best Practice post based on this discussion.

    I've also added a suggestion for a new feature: DNS Forwarders - allow a separate selection for Mail Protection.  If anyone sees this, please click on the link to vote for and comment on the idea to help make it more visible to Sophos.

    Here's the kind of Request Route I imagined:

    Perhaps you could start your thread by testing the difference this might make with a CDN that you use.  First, measure throughput and latency with OpenDNS as your Forwarder.  Then, create a Request Route so that you get name resolution from a server near you and test again.  Invite others to post their suggestions for other domains and edit your post to include their suggestions.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • Brilliant, Alex!  You appear to be the first to have had this insight. 

    I'll change the Best Practice post based on this discussion.

    I've also added a suggestion for a new feature: DNS Forwarders - allow a separate selection for Mail Protection.  If anyone sees this, please click on the link to vote for and comment on the idea to help make it more visible to Sophos.

    Here's the kind of Request Route I imagined:

    Perhaps you could start your thread by testing the difference this might make with a CDN that you use.  First, measure throughput and latency with OpenDNS as your Forwarder.  Then, create a Request Route so that you get name resolution from a server near you and test again.  Invite others to post their suggestions for other domains and edit your post to include their suggestions.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
No Data