
Which DNS servers should the XG be pointing to?

For best performance and/or best practice.

Under Network > DNS settings,

Should my XG firewall be pointing to my internal DNS servers, or should it be pointing to my ISP-provided DNS servers? (Notwithstanding anyone's personal choice of favourite DNS servers.)

Right now I have my XG pointing to my internal DNS servers, which point to my ISP DNS.

What is the correct and/or best practice?

Thanks in advance.

Terry



  • Hi

    If you have a lot of your Internal servers or services running with local hostnames, I'd recommend using your Internal DNS servers for that. However, if you don't have many, you can use Public DNS servers of your choice and configure DNS Request Routing for the local hostnames.

    Sophos XG will use DNS servers to connect to its pattern updates or firmware update servers and Web categorization servers as well. If you have Pharming protection enabled in Web Protection, Sophos XG will use DNS even more. So if you don't have any exclusive requirements and don't want to burden your Internal DNS server, go with Public DNS servers.

  • Thank you for the answer.

    I do have another reason for asking this. I have only just inherited this network, and it has been a long-standing issue where, for some unknown reason, web browsing and email just stop responding for 35-60 seconds, maybe 6 or 7 times a day, and then just come back.

    Literally, if I just keep spamming the send/receive button, or refresh in the browser, it eventually comes back, and then will work for hours before repeating.

    I have set up logging and pinging of my provider's gateway. The pings continue. I have not been able to track this problem down. The network has two internal Domain Controllers running as Hyper-V VMs. The network itself is small, with only about 70 devices.

    T
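One way to separate a DNS stall from a connectivity drop during the 35-60 second outages described above is to log DNS resolution latency next to the gateway ping at the same timestamps. This is an added example, not a script from the thread; the gateway address, DNS server, test name and log path are placeholders to adjust.

```powershell
# Added example (not from the thread): log DNS lookup time beside a gateway
# ping so an intermittent browsing/email stall can be attributed to DNS or
# to connectivity. All addresses and the log path below are placeholders.
$Gateway   = '192.0.2.1'            # placeholder: ISP/provider gateway
$DnsServer = '10.0.0.10'            # placeholder: internal DC running DNS
$TestName  = 'www.example.com'      # name resolved through the forwarders
$LogPath   = 'C:\Temp\dns-stall.log'
$SlowMs    = 2000                   # flag any lookup slower than 2 s
$Interval  = 5                      # seconds between samples

while ($true) {
    $ts = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'

    # ICMP to the gateway: the thread reports this keeps working during stalls.
    $ping = Test-Connection -ComputerName $Gateway -Count 1 -Quiet -ErrorAction SilentlyContinue

    # Time a real query to the internal DNS server, bypassing hosts file,
    # LLMNR and NetBIOS so only DNS is measured.
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        Resolve-DnsName -Name $TestName -Server $DnsServer -DnsOnly -NoHostsFile -ErrorAction Stop | Out-Null
        $ok = $true
    } catch {
        $ok = $false
    }
    $sw.Stop()
    $ms = [int]$sw.Elapsed.TotalMilliseconds

    $line = '{0} ping_ok={1} dns_ok={2} dns_ms={3}' -f $ts, $ping, $ok, $ms
    # A failed or slow lookup while the ping still succeeds points at DNS
    # (forwarder timeout, upstream resolver) rather than the WAN link.
    if (-not $ok -or $ms -gt $SlowMs -or -not $ping) { $line += ' <-- anomaly' }

    Add-Content -Path $LogPath -Value $line
    Start-Sleep -Seconds $Interval
}
```

Run it on a client during a working period and leave it until a stall happens; a run of `dns_ok=False` or high `dns_ms` lines with `ping_ok=True` isolates the problem to resolution.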

  • If your clients are using the internal DCs' DNS for resolution, are the DCs pointing to Sophos XG for DNS resolution forwarding, or are they pointing directly at public DNS servers? If clients are using the DCs for DNS, then check the Windows DNS forwarding Timeout value; it's supposed to be between 2 and 10 seconds, but I generally use 7 seconds. I've had issues before where even a 1 second change resolved the problem; you need to find the sweet spot. If it's not around the 7 to 8 second mark, then set it to 7 seconds and see if that helps?

  • Where is that Windows DNS forwarding Timeout value kept?

    Thx

  • See here; the GUI section is where I generally set it. Step 4, at the bottom of the window where the Forwarders are added:

    https://www.server-world.info/en/note?os=Windows_Server_2019&p=dns&f=10

    Also, it should have been "forwarder" rather than "forwarding"; my mistake, sorry.

    Like I mentioned, I like to use 7 secs, but test it at that yourself, then alter as needed. Remember to flush the DNS caches on the server and clients each time; this will clear out any cached records so the results are not skewed when you test.
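The same change can be made and verified from PowerShell instead of the GUI steps linked above. This is an added example, not from the thread or the linked guide; it uses the DnsServer module cmdlets and assumes an elevated prompt on each DC that holds the DNS role. The test name is a placeholder.

```powershell
# Added example (not from the thread): read the current forwarder timeout,
# set it to the value suggested in the thread, flush server and client caches,
# then time a few uncached lookups through the forwarders.
Import-Module DnsServer

$NewTimeout = 7                     # seconds, as suggested in the thread
$TestName   = 'www.example.com'     # placeholder name resolved via the forwarders

# 1. Record the current forwarders and timeout so the change can be reverted.
$before = Get-DnsServerForwarder
'Forwarders: {0}   timeout before: {1}s' -f ($before.IPAddress -join ', '), $before.Timeout

# 2. Apply the new timeout only if it actually differs.
if ($before.Timeout -ne $NewTimeout) {
    Set-DnsServerForwarder -Timeout $NewTimeout
}

# 3. Flush the DNS Server cache and this machine's client cache so the test
#    below is not answered from cached records.
Clear-DnsServerCache -Force
Clear-DnsClientCache

# 4. Time several lookups against this server. The server cache is cleared
#    between attempts so each one is a real round trip to the forwarders.
$results = 1..5 | ForEach-Object {
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        Resolve-DnsName -Name $TestName -Server 127.0.0.1 -DnsOnly -ErrorAction Stop | Out-Null
        $ok = $true
    } catch {
        $ok = $false
    }
    $sw.Stop()
    Clear-DnsServerCache -Force
    [pscustomobject]@{ Attempt = $_; Ok = $ok; Ms = [int]$sw.Elapsed.TotalMilliseconds }
}
$results | Format-Table -AutoSize

# 5. Confirm the setting took effect.
$after = Get-DnsServerForwarder
'Timeout after: {0}s' -f $after.Timeout
```

Run it on every DC with the DNS role, and repeat the timed lookups on clients with `Clear-DnsClientCache` first so their cached answers do not mask the change.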

  • Ah, forwarders... No problem. Got it.

    I have set it to 7 on both my DCs. Will see how things go from there.

    Thx for the help

    Terry

  • Nice, let me know how you get on. I'd be interested to find out; also, I might have some other suggestions if this doesn't make any difference.

    Also, DNS Bench from GRC.com is a nice tool to test out DNS resolution problems. If you run it on the DCs where your DNS roles are running, you can normally see the root hints go up the rankings in the tool if your forwarders are not set right.

    https://www.grc.com/dns/benchmark.htm

    I realise this sounds a simple thing to try, but it surprised me how much difference 1 second made on the DNS forwarders' query timeouts.

    Also, you may want to know this. I always have XG as the edge DNS forwarder, with clients and servers pointing to either XG or the internal DNS servers, with those in turn pointing to XG at a minimum. I generally never like to let internal DNS lookups go direct as a rule, as it's way too vulnerable in my book (I'm still waiting for Sophos to add DoH and DoT to Sophos XG).
