DNS Configuration on the Sophos UTM

Solid DNS performance is integral to achieving maximum performance with your UTM. It is therefore important to optimize the DNS resolution process. This article provides a set of general guidelines for configuring DNS on the Sophos UTM to provide fast, reliable and redundant DNS services. This will also enable internal resolution of hostnames for the UTM Web Reports.

The steps below are suggestions for a generic setup and as such your company or network requirements may differ from these examples.

These suggested best practices provide the following benefits:

  • DNS requests for users are cached both on the AD DNS server and the UTM, improving DNS performance.
  • By pointing your AD DNS server to the UTM, you will protect your internal DNS servers from DNS Poisoning.
  • If you assign the AD DNS server as the Primary DNS and the UTM as the Secondary DNS for your workstations, you provide DNS redundancy for your workstations.
  • Creating an internal DNS Request Route with a PTR will allow the UTM to generate hostnames instead of IP addresses in the Web Proxy and other reports.

DNS Configuration on the Sophos UTM

DNS allowed networks

  • Browse to: Network Services | DNS | Global
  • Depending on your network configuration, add either your internal networks (if clients use the UTM as their DNS server) or your internal DNS servers (if clients send their DNS requests to an internal DNS server, which then forwards to the UTM).

DNS availability group

  • Browse to: Definitions & Users | Network Definitions | New network definition
  • Configure two separate network definitions with the following properties:
  • Name: Google DNS 1 and Google DNS 2
  • Type: Host
  • IPv4 Address: 8.8.8.8 and 8.8.4.4 respectively (one address per definition)
  • Browse to: Definitions & Users | Network Definitions | New network definition
  • Configure the definition as follows: Name: Google DNS Servers
  • Type: Availability Group
  • Members: Google DNS 1 and Google DNS 2

DNS forwarders

  • Browse to: Network Services | DNS | Forwarders
  • Select the option 'Use forwarders assigned by ISP'
  • Remove any internal DNS servers from this list
  • Add the availability group 'Google DNS Servers' created earlier
  • Apply changes

Request routing

  • Browse to: Network Services | DNS | Request Routing
  • Select 'New DNS request route'
  • Configure the rule as follows: Domain: [Your domain]
  • Target Servers: [Your internal DNS server]

Note: If this is a multi-domain environment you may need to configure multiple request routes.

Reverse DNS

With this PTR request route the UTM can list machine names instead of internal IP addresses in the reports.

  • Browse to: Network Services | DNS | Request Routing
  • Select 'New DNS request route'
  • Configure the rule as follows: Domain: [PTR record for your network]
  • Target Servers: [Your internal DNS server]

Note: An example reverse (PTR) zone domain for the address range 172.16.20.0/24 would be 20.16.172.in-addr.arpa.

Other note: machine names will only appear in the reports if PTR records for those hosts exist on your internal DNS server; the request route only tells the UTM where to send the reverse lookup.
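The request-route domain for the reverse zone has to be derived from the address range by hand, and the derivation above only shows a /24. The following Python snippet is an added example (not part of the original article and not Sophos code) that generalises it: it computes the in-addr.arpa zone name(s) a request route needs for any IPv4 prefix, splitting a /23 or /20 into the /24 zones it spans, and it includes a check that a given route domain actually covers the PTR lookup the UTM will issue for a host, which is the same suffix match the forward request routes rely on. The route domain and sample addresses are constructed; the function names are this example's own.

```python
import ipaddress


def reverse_zones(cidr: str) -> list[str]:
    """Return the in-addr.arpa zone name(s) covering an IPv4 network.

    A prefix on an octet boundary (/8, /16, /24) maps to exactly one zone.
    A shorter prefix (e.g. /23) spans several /24 zones, each needing its
    own request route. A longer prefix (e.g. /26) lives inside one /24
    zone, so that enclosing zone is returned.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4:
        raise ValueError("IPv4 prefixes only")

    # Octet-aligned zone length: smallest of 8/16/24 that is at least the
    # prefix length, capped at 24 because in-addr.arpa zones are per octet.
    if net.prefixlen > 24:
        zone_len = 24
    else:
        zone_len = min(length for length in (8, 16, 24) if length >= net.prefixlen)

    if net.prefixlen > zone_len:
        covering = [net.supernet(new_prefix=zone_len)]   # enclosing /24
    else:
        covering = list(net.subnets(new_prefix=zone_len))  # one or many zones

    zones = []
    for block in covering:
        octets = str(block.network_address).split(".")[: zone_len // 8]
        zones.append(".".join(reversed(octets)) + ".in-addr.arpa")
    return zones


def ptr_name(ip: str) -> str:
    """The name the UTM looks up when reverse-resolving a host address."""
    return ipaddress.ip_address(ip).reverse_pointer


def route_covers(route_domain: str, ip: str) -> bool:
    """True if a DNS request route for route_domain would catch the PTR
    lookup for ip (same suffix match as forward request routes)."""
    name = ptr_name(ip).lower()
    domain = route_domain.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)


if __name__ == "__main__":
    # Constructed sample values matching the article's example range.
    for prefix in ("172.16.20.0/24", "192.168.0.0/23", "10.0.0.0/8", "172.16.20.64/26"):
        print(prefix, "->", ", ".join(reverse_zones(prefix)))
    print(ptr_name("172.16.20.5"))
    print(route_covers("20.16.172.in-addr.arpa", "172.16.20.5"))   # True
    print(route_covers("20.16.172.in-addr.arpa", "172.16.21.5"))   # False
```

If `route_covers` returns False for a host you expect to see named in the reports, the request route is the wrong domain for that address, not the PTR record; if it returns True and the report still shows an IP, check the PTR record on the internal DNS server.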

Network Configuration

Although not required once the options above have been configured, you may want to consider setting your workstations to use your internal DNS server rather than the UTM as their DNS server. In that case you must also make sure the UTM is configured as a forwarder on your internal DNS server.

The result is that internal DNS requests go directly to the internal DNS server rather than being relayed via the UTM. The trade-off is that external DNS requests must now be relayed via your internal DNS server to the UTM.