DNS best practice

DNS Best Practice

You might have seen the model we use as I've described it in many places here:

  1. The 'Global' tab of 'Network Services >> DNS' lists "Internal (Network)" (also other internal networks, like "DMZ (Network)" and any "VPN Pool" if applicable) as 'Allowed networks'.
  2. On the 'Forwarders' tab, if you use or plan to use the SMTP Proxy, use an Availability Group containing the OpenDNS or Google (8.8.4.4 first, for speed) name servers in 'DNS Forwarders' (if using any spamhaus.org RBLs with the SMTP Proxy, don't use Google DNS). 'Use forwarders assigned by ISP' is not checked.*
    1. If the SMTP Proxy is not to be a part of your setup, don't add anything in 'DNS Forwarders' and do select 'Use forwarders assigned by ISP'.  See the Change Log below concerning CDNs.
    2. Alternatively, if you're using a Microsoft CDN like Office365, do use the Availability Group approach above and add a Request Route for office365.com pointing at your ISP's name server.
  3. In 'Request Routing', the internal DNS is used for reverse DNS of internal IPs (for example if your internal subnet is 172.16.20.0/24, you would have "20.16.172.in-addr.arpa" in the 'Domain' field and your internal DNS server(s) in 'Target Servers'. With that, the UTM can list machine names instead of internal IP addresses in the reports.
  4. Also, in 'Request Routing', so the UTM can resolve internal FQDNs, add, for example 'yourdomain.loc -> {internal DNS server}'. Do the same for other domains for which you have Forward Lookup Zones in your internal DNS server.
  5. Configure Windows Server (or other) DHCP server for internal devices to point at your internal name server for DNS, then the UTM, then the OpenDNS or Google servers.
  6. The internal DNS server's first forwarder is to the UTM's DNS Proxy, then to the OpenDNS or Google servers.
  7. If you consistently have "connection to server timed out" issues and ECN is not selected ('Advanced' tab of 'QoS'), empty 'Allowed networks' in #1, configure the internal DNS server to bypass the UTM in #6. I suspect this is caused by a problem at the ISP.
  8. In Transparent mode Web Filtering, the client browser resolves FQDNs.  When Pharming Protection is enabled at the bottom of the 'Misc' tab, the Proxy will block a request with "Host Not Found" if it cannot resolve the FQDN to an IP.  If disabling Pharming Protection eliminates such blocks for you, then you have not followed #1 through #7.

We used to do it the other way, but comments by BarryG, BruceKConvergent and others convinced me to change our approach.

Cheers - Bob
* Caution: unchecking 'Use forwarders assigned by ISP' and failing to populate 'DNS Forwarders' will result in degraded performance as the ASG/UTM will fall back to the Root Name Servers.

Change Log: 2020-02-14 Based on a post by wolfman1, I added a warning in 2. about using Google if spamhaus.org is one of the RBLs used in the SMTP Proxy; 2017-11-13 Added 2.a and 2.b based on further info in Alex Busch's thread; 2017-11-12 Added the caveat to #2 about the SMTP Proxy because of Alex Busch's comments about Content Delivery Networks (CDNs); 2017-08-02 added #8 based on a comment by Sophos' Michael Dunn; 2017-06-09 added "VPN Pool" to #1; 2017-04-08 made #3 clearer based on a question by jlbrown also added "or Google" to #5 & #6; 2017-02-12 added 8.8.4.4 comment to #2 based on a comment here by rfcat_vk; 2017-01-14 added "in the 'Domain' field" in #3; 2015-09-25 In #7 corrected #5 to #6; 2015-09-24 changed Astaro to UTM and added #7 based on comments by vilic in DNS issue?; 2015-06-22 based on a thread by TCF, I improved the wording in #1, #2 & #4; 2015-06-20 changed from .local to .loc as reminded by bimmerdriver; 2015-03-20 Added title; 2014-10-04 DHCP and internal FQDNs; 2013-10-09 Added Availability Group idea from adrienjb in #2; 2013-02-04 reordered; 2012-08-20 Added "* Caution" note for #2 based on a suggestion by BarryG



Tags
[edited by: FloSupport at 11:06 AM (GMT -7) on 18 Sep 2020]
  • What is the opinion on using the UTM as first and a DC as second DNS on the clients (via DHCP)?

    My reason for that is the reporting behavior of the IPS.

    So you get more load for DNS at the UTM but you don't need debug logging on your Windows DNS for identifying a client. Debug logging will lessen the performance too. Because IPS tells you only a suspicious DNS request came from a DC IP. So should the best practice not be to use the UTM DNS in first place?

    I use it that way and doesn't see any disadvantage till now.

    Best regards

    Alex

    -

  • The reason to have DHCP pass out DNS as (DC, UTM, External) is the unlikely situation where both the DC and the UTM are taken out.  Assuming that such a catastrophe didn't also take out the ISP's connection and the clients, a direct connection would allow clients with cloud-based activities to continue working.  Definitely a belt-and-suspenders approach.[;)]

    I haven't personally tried using root hints instead of forwarders, Kevin, so I can't comment on that.  I wouldn't be surprised that the results are close, especially for FQDNs that are rarely used.

    Somewhere in this thread, someone suggested a technique for finding the fastest name server available to a particular connection.  It just seems like Google and OpenDNS are so fast that it's not worth worrying about things like this any more.  Although the post says OpenDNS, I also personally began using Google (with 8.8.4.4 first in the Availability Group since it's less-used) because OpenDNS didn't support DNSSEC - I don't know if that's still the case.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • How should the DNS config be in distributed setups?

    E.g. a company has 3 sites with own local DNS-servers and VPN is configured to tunnel the whole traffic. Should every DC/DNS has the UTM as forwarding target configured as this setting is not replicated via Active Directory or should the chain be site-DNS -> central-DNS -> Sophos-DNS?

    Gruß / Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner

  • That's how I would do it, Kevin, but with the sites falling back to the Sophos if the central-DNS is unavailable.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • BAlfson said:

    DNS Best Practice

    You might have seen the model we use as I've described it in many places here:

    1. ...
    2. On the 'Forwarders' tab, use an Availability Group containing the OpenDNS or Google (8.8.4.4 first, for speed) name servers in 'DNS Forwarders'. 'Use forwarders assigned by ISP' is not checked.*
      ....

    As not everyone here is located in the US, if the UTM uses OpenDNS or GoogleDNS as forwarders, things like geolocation via DNS aren't working anymore. So a lot of CDN and Office365 may perform not in perfect condition.

    I think one should keep that in mind for best practices.

    Best

    Alex

    -

  • Could you expand on that, Alex?  Some ISPs hijack DNS and that interferes with RBL lookups, hence the preference for OpenDNS and Google and de-selecting 'Use forwarders assigned by ISP'.

    If one were to use Request Routing for these CDNs and Office365, what domains or FQDNs would one want to direct to one's ISP's name servers?  If you wanted to start and maintain a post in a thread named something like DNS Best Practice and CDNs, Office365, etc., I would link to it from the Best Practice post I maintain at the top of this thread.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Alexander Busch said:

     

     
    BAlfson

    DNS Best Practice

    You might have seen the model we use as I've described it in many places here:

    1. ...
    2. On the 'Forwarders' tab, use an Availability Group containing the OpenDNS or Google (8.8.4.4 first, for speed) name servers in 'DNS Forwarders'. 'Use forwarders assigned by ISP' is not checked.*
      ....

     

     

    As not everyone here is located in the US, if the UTM uses OpenDNS or GoogleDNS as forwarders, things like geolocation via DNS aren't working anymore. So a lot of CDN and Office365 may perform not in perfect condition.

    I think one should keep that in mind for best practices.

    Best

    Alex

     

     

    Not a problem; I live in Europe and have used both Google and OpenDNS as forwarders for a long time. I still get geolocation sites directed to European datacenters and also while using those I cannot watch the American Netflix series. Most geolocation works based on you own IP-address, so unless you start using VPN's or other masquerading technology to hide your public IP, its not a problem.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Hey Bob,

    BAlfson said:

    Could you expand on that, Alex?  Some ISPs hijack DNS and that interferes with RBL lookups, hence the preference for OpenDNS and Google and de-selecting 'Use forwarders assigned by ISP'.
    ...

     

    I totally agree with you that there are probably more problems with providers' DNS servers than Google or OpenDNS. Root hints are too slow. As already mentioned, there will probably be problems in connection with Office 365, because the function of the DNS geolocation cannot work properly.
    Essentially, it is about the provider operating a large network itself (MGN - Microsoft Global Network) and trying to connect the client to an access point with low latency. Of course, the geographical distance is important for this. Therefore, the resolution of a certain address e. g. outlook. office365. com to different targets, depending on the geographical position. If the DNS server is Google, for example, I will probably get an access point near the Google DNS servers, although I am in Germany myself.
    This is a short summary
    There are certainly better explanations. You can find one here.
    In any case, this would be a point that speaks in favour of performing the DNS resolution as locally (provider) as possible.
    I do not know now whether there are indeed measures that Google is also taking to counteract this. 

    BAlfson said:

    ...

    If one were to use Request Routing for these CDNs and Office365, what domains or FQDNs would one want to direct to one's ISP's name servers?  If you wanted to start and maintain a post in a thread named something like DNS Best Practice and CDNs, Office365, etc., I would link to it from the Best Practice post I maintain at the top of this thread.

    I don't think I'm quite ready to contribute enough. Currently I don't even use Office365 productively: -)
    But I thought there might be people here who already have experience with it.
    But in the future I will gladly come back to your offer.

    Best
    Alex

    -

  • Brilliant, Alex!  You appear to be the first to have had this insight. 

    I'll change the Best Practice post based on this discussion.

    I've also added a suggestion for a new feature: DNS Forwarders - allow a separate selection for Mail Protection.  If anyone sees this, please click on the link to vote for and comment on the idea to help make it more visible to Sophos.

    Here's the kind of Request Route I imagined:

    Perhaps you could start your thread by testing the difference this might make with a CDN that you use.  First, measure throughput and latency with OpenDNS as your Forwarder.  Then, create a Request Route so that you get name resolution from a server near you and test again.  Invite others to post their suggestions for other domains and edit your post to include their suggestions.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • That's what I thought, Arno, but my research confirms Alex' description.  I wonder if your experience is just a reflection of the improvement in the throughput over the backbone of the Internet or if some CDNs do redirects based on geoip as we assumed.

    Your experience with Netflix is also very interesting.  Could you expand on that a bit?  Maybe including samples from your Web Filtering log when using your ISP's DNS instead of OpenDNS/Google?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA