
DNS Best Practices for XG

Hi there, I'm a newbie to Sophos and had a quick read through the forums to find out DNS best practices for XG Firewall. I found one for UTM but I presume the same advice applies to XG (request routing and all that).

One follow-on question I had was: with the aim of stopping users from locally changing their DNS IP settings, do you recommend as DNS best practice to set up a rule on the XG firewall to allow all TCP/UDP on port 53 in/out to our external name servers, and then have a rule below that says block all TCP/UDP in/out to all IP addresses on port 53?

Or is there a way for XG to simply forward people's DNS requests (to your preferred external DNS providers) without them knowing, instead of having the possibility of someone manually configuring DNS and having it just not work?

Thanks

Gerry



  • Gerry,

    The best protection is to use XG as the DNS server, configure DNS request routing and nothing else. Avoid opening UDP port 53.

    Regards

  • Thanks for the reply back. I will give this a go. I have an internal domain controller that is doing DNS but I will configure the XG as a forwarder and then setup request routing and see if that will work for what I need. I appreciate the reply and will revert back once I have tested it.

  • Do you (or anyone) have instructions on setting up XG as a DNS server for your home network (for basic home internet use)? Does Sophos XG have anything like Unbound DNS found in pfSense or OPNsense?

    ---

    Sophos XG guides for home users: https://shred086.wordpress.com/

  • Hi Shred,

    you set up the DNS on the XG as follows:

    1. In the Network tab -> DNS, you set the XG to use DNS from PPPoE, Static or DHCP.

    2. In the Network -> DHCP tab, you enter your internal interface in the Primary DNS field, with 'Use the device's DNS settings' not ticked.

    3. In the Administration tab -> ACL tab, you enable DNS access: in the Local Service ACL you enable DNS for WiFi and LAN. I have enabled it for WAN, but I am not sure if that is required. Something to check when there aren't any users.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.
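A way to verify the posture the first reply recommends (clients resolve through the XG, direct queries to outside resolvers on port 53 get nowhere) and to confirm that the DHCP/DNS steps above actually hand clients a working resolver. This is an added example, not code from the thread or from Sophos: it builds a raw DNS query with the Python standard library only, sends one copy to the gateway resolver and one to an external resolver, and reports which one answered. The gateway address 172.16.16.16, the external resolver 9.9.9.9 and the query name example.com are assumptions for illustration, not values from the page.

```python
"""Added example (not from the thread): probe whether a client can bypass the
firewall's resolver. Assumed addresses below are illustrative only."""
import secrets
import socket
import struct
from typing import Dict, Optional

GATEWAY_RESOLVER = "172.16.16.16"   # assumed: the XG LAN interface handed out by DHCP
EXTERNAL_RESOLVER = "9.9.9.9"       # assumed: any public resolver a user might hard-code
QUERY_NAME = "example.com"          # assumed test name

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name: str, qtype: int = 1, txid: Optional[int] = None) -> bytes:
    """Build a minimal RFC 1035 standard query (A record, class IN, RD set)."""
    if txid is None:
        txid = secrets.randbelow(65536)  # random ID so a stray reply cannot be confused with ours
    # Header: ID, flags (0x0100 = recursion desired), QDCOUNT=1, AN/NS/ARCOUNT=0
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(struct.pack("B", len(lbl)) + lbl.encode("ascii") for lbl in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)


def parse_response(data: bytes) -> Dict[str, int]:
    """Decode just the header: enough to tell 'answered' from 'refused' or garbage."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack(">HHHHHH", data[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "rcode": flags & 0x000F, "ancount": ancount}


def probe(resolver: str, name: str = QUERY_NAME, timeout: float = 2.0) -> Dict[str, object]:
    """Send one UDP/53 query. 'timeout' usually means a firewall silently dropped it,
    'unreachable' means an ICMP reject came back, 'answered' means the resolver replied."""
    query = build_query(name)
    sent_id = struct.unpack(">H", query[:2])[0]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (resolver, 53))
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return {"resolver": resolver, "status": "timeout"}
        except OSError as exc:
            return {"resolver": resolver, "status": "unreachable", "error": str(exc)}
    reply = parse_response(data)
    if reply["id"] != sent_id or not reply["qr"]:
        return {"resolver": resolver, "status": "mismatched-reply"}
    return {"resolver": resolver, "status": "answered",
            "rcode": RCODE_NAMES.get(reply["rcode"], str(reply["rcode"])),
            "ancount": reply["ancount"]}


def bypass_blocked(gateway_result: Dict[str, object], external_result: Dict[str, object]) -> bool:
    """The posture the thread recommends: the gateway answers, a direct outside query does not."""
    return gateway_result["status"] == "answered" and external_result["status"] != "answered"


if __name__ == "__main__":
    gw = probe(GATEWAY_RESOLVER)
    ext = probe(EXTERNAL_RESOLVER)
    print("gateway :", gw)
    print("external:", ext)
    print("clients cannot bypass the firewall resolver:", bypass_blocked(gw, ext))
```

Run it from a DHCP client on the LAN. A healthy result is the gateway reporting `answered` with `NOERROR` and the external resolver reporting `timeout` or `unreachable`. If the external resolver also answers, users can still bypass the XG by hard-coding a DNS server, which is exactly what the original question was trying to prevent. If the gateway itself times out, re-check step 3 above (DNS enabled in the Local Service ACL for that zone).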

    Thanks. Unchecking 'Use the device's DNS settings' in the DHCP server settings worked. As for the DNS option for WAN in Local Service ACL, I do not have that checked and it appears to be working fine. My understanding is that would enable DNS on the WAN zone, which I don't think we would want except for maybe some very specific/unique setups.

    Do you or anyone know what Sophos XG uses for its DNS functionality? Is it Unbound DNS or something similar? Whatever it is, does it do DNS caching? I can’t seem to find any good information on the DNS server functionality in Sophos XG.

    Lastly, if I’m running multiple VLANs with a separate DHCP server for each, is it better to set each DHCP server to the interface IP for that VLAN or should I just set them to all of the same? For example, I have VLAN 1 (172.16.16.16) and VLAN 2 (172.16.17.17), each with their own DHCP server. I have VLAN 1’s DHCP server set to 172.16.16.16. Should VLAN 2’s DHCP server be set to 172.16.17.17 or 172.16.16.16? Or does it not matter?


    I do not know the DNS version on the XG. It does not appear to be a caching server, so the faster the internet access, the better the responses. I have my VLANs using their own default gateway as the DNS. I suspect, but have never tried, that in theory you should provide inter-LAN firewall rules to use other internal interfaces as DNS.

    If you know your Linux commands, you should be able to find out using the CLI.

    Ian
