
Which DNS servers should the XG be pointing to?

For best performance and or best practice.

Under Network > DNS settings,

Should my XG firewall be pointing to my internal DNS servers, or should it be pointing to my ISP-provided DNS servers? (Notwithstanding anyone's personal choices for their favourite DNS servers.)

Right now I have my XG pointing to my internal DNS servers, which point to my ISP DNS.


What is the correct and/or best practice?


Thanks in advance.

Terry



  • Hi

    If you have a lot of your Internal servers or services running with local hostnames, I'd recommend using your Internal DNS servers for that. However, if you don't have many, you can use Public DNS servers of your choice and configure DNS Request Routing for the local hostnames.

    Sophos XG will use DNS servers to connect to its pattern updates or firmware update servers and Web categorization servers as well. If you have Pharming protection enabled in Web Protection, Sophos XG will use DNS even more. So if you don't have any exclusive requirements and don't want to burden your Internal DNS server, go with Public DNS servers.

  • Thank you for the answer.

    I do have another reason for asking this. I have only recently inherited this network, and it has been a long-standing issue where, for some unknown reason, web browsing and email just stop responding for 35-60 seconds maybe 6 or 7 times a day, and then just come back.


    Literally, if I just keep spamming the send receive button, or refresh on the browser, it eventually comes back, and then will work for hours before repeating.


    I have set up logging and pinging of my provider's gateway. The pings continue. I have not been able to track this problem. The network has two internal Domain Controllers running as Hyper-V VMs. The network itself is small, with only about 70 devices.

    T

  • If your clients are using the internal DCs' DNS for resolution, are the DCs pointing to Sophos XG for DNS resolution forwarding, or are they pointing directly at public DNS servers? If clients are using the DCs for DNS, then check the Windows DNS forwarding timeout value; it's supposed to be between 2 and 10 seconds, but I generally use 7 seconds. I've had issues before where even a 1 second change resolved the problem; you need to find the sweet spot. If it's not around the 7 & 8 sec mark, then set it to 7 seconds and see if that helps.

  • Where is that Windows DNS forwarding timeout value kept?


    Thx

  • See here; the GUI section is where I generally set it. Step 4, at the bottom of the window where the forwarders are added:

    https://www.server-world.info/en/note?os=Windows_Server_2019&p=dns&f=10

    Also, it should have been "forwarder" rather than "forwarding"; my mistake, sorry.

    Like I mentioned, I like to use 7 secs, but test it at that yourself, then alter as needed. Remember to flush the DNS caches on the server and clients each time; this will clear out any cached records so the results are not skewed when you test.
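    The procedure above (set the forwarder timeout on the Windows DNS role, flush the caches, then test) as an added PowerShell example that is not from this thread; it also keeps watching resolution for a while so the intermittent 35-60 second stalls Terry described get logged with timestamps. It assumes an elevated session on each DC, that 10.0.0.1 is a constructed placeholder for the forwarder address (e.g. the XG's LAN IP), and the 7 second value suggested above.

```powershell
# Added example (not from the thread): apply the forwarder query timeout, flush the
# server cache, then poll resolution so any outage shows up with a timestamp.
# Assumptions: run elevated on the DC; 10.0.0.1 is a constructed placeholder.
param(
    [string]$Forwarder = '10.0.0.1',   # placeholder, replace with your forwarder (XG)
    [int]$TimeoutSeconds = 7,          # thread's suggestion; valid range is 2-10 s
    [int]$WatchMinutes = 30,           # how long to watch resolution afterwards
    [string]$TestName = 'example.com'
)

# Record the current state first so the change can be reverted if it makes no difference
Get-DnsServerForwarder | Select-Object IPAddress, Timeout, UseRootHint | Format-Table

# Set the forwarder list and the forwarder query timeout
Set-DnsServerForwarder -IPAddress $Forwarder -Timeout $TimeoutSeconds

# Flush the server cache so later results are not served from stale records.
# On the clients run Clear-DnsClientCache for the same reason.
Clear-DnsServerCache -Force

# Watch: query this server every 5 s and log every attempt with its duration and outcome
$log = Join-Path $env:TEMP 'dns-watch.csv'
$deadline = (Get-Date).AddMinutes($WatchMinutes)
while ((Get-Date) -lt $deadline) {
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        $null = Resolve-DnsName -Name $TestName -Server 127.0.0.1 -Type A -DnsOnly -ErrorAction Stop
        $status = 'ok'
    } catch {
        $status = "fail: $($_.Exception.Message)"
    }
    $sw.Stop()
    [pscustomobject]@{
        Time   = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
        Name   = $TestName
        Ms     = $sw.ElapsedMilliseconds
        Status = $status
    } | Export-Csv -Path $log -Append -NoTypeInformation
    Start-Sleep -Seconds 5
}

# A run of consecutive 'fail' rows lasting 35-60 s while the gateway pings keep
# succeeding points at upstream resolution (forwarder / ISP) rather than at the link.
Import-Csv $log | Where-Object Status -ne 'ok'
```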

  • Ah, forwarders... No problem. Got it.

    I have set it to 7 on both my DCs. Will see how things go from there.


    Thx for the help

    Terry

  • Nice, let me know how you get on. I'd be interested to find out; also, I might have some other suggestions if this doesn't make any difference.

    Also, DNS Benchmark from GRC.com is a nice tool to test out DNS resolution problems. If you run it on the DCs where your DNS roles are running, you can normally see the root hints go up the rankings in the tool if your forwarders are not set right.

    https://www.grc.com/dns/benchmark.htm

    I realise this sounds like a simple thing to try, but it surprised me how much difference 1 second made on the DNS forwarders' query timeouts.

    Also, you may want to know this. I always have XG as the edge DNS forwarder, with clients and servers pointing to either XG or the internal DNS servers, with those also pointing to XG at a minimum. I generally never like to let internal DNS lookups go direct as a rule, as it's way too vulnerable in my book (I'm still waiting for Sophos to add DoH and DoT to Sophos XG).

  • Choosing which DNS to use is like choosing a bank.

    Basically they're all doing the same thing, "storing your money", but who do you trust with such data?

    It's like here:

    https://nakedsecurity.sophos.com/2019/09/10/mozilla-increases-browser-privacy-with-encrypted-dns/

    https://nakedsecurity.sophos.com/2019/09/12/google-experiments-with-dns-over-http-in-chrome/

  • It still surprises me that we still don't have DNS over TLS or HTTPS in XG yet; it seems to defeat the purpose of having an edge DNS server with XG's DNS as it is now. At home I run either a browser with it built in, as those articles mention, or my machine uses simple DNSCrypt; I was thinking about running Pi-hole or AdGuard Home indoors as well. I've kept waiting and waiting in the hope that Sophos would release DoT or DoH, but it still hasn't shown up. I'm guessing it's being left for V18, which I'll be looking to find when I get my hands on it, when they finally decide to let Sophos Partners get hands on it....

  • DNS over TLS / HTTPS is kind of a tricky story.


    From a security perspective, it is quite nice to have, but it is not easy to implement, and what do you implement?

    If you actually start with DNSSEC, it seems like you're jumping on a dead track.

    https://www.theregister.co.uk/2015/03/18/is_the_dns_security_protocol_a_waste_of_everyones_time_and_money/

    So personally speaking, I would wait until somebody figures out a way to actually have a better solution than DNS over TLS with those vendors who actually offer it. (Or until the standard is established in the market and "everybody is using it".)

    It's like Chrome / Firefox now offer DNS over HTTPS, but only with pre-configured vendors.

    So instead of increasing the privacy of the user, all Firefox users are actually connecting only to one vendor.

    I recommend the Naked Security podcast: https://nakedsecurity.sophos.com/2019/09/12/s2-ep8-facebook-leak-5m-ransoms-and-dns-controversy-naked-security-podcast/


    Again personally speaking: I would prioritise other topics over DNS over TLS/HTTPS in XG right now, and I would wait until one standard actually establishes itself in the market.

    DNSSEC in UTM is rarely used, maybe because of the above.

  • I see your points and agree that, for one, there does need to be standardisation, but for me I wanted security on DNS now, not some time in the future. I've known for a long time how insecure DNS is and have always tried to use DNSSEC where possible (or VPNs), but as you say DNSSEC is not easy to implement, with very few providers offering it to clients, so it's now very rare to see. I'm very glad to see providers and developers now offering DoH & DoT, but again, as you mentioned, we will need standards, otherwise it risks extinction or compatibility issues. If I was Sophos I would release both options and let users choose, at least until both are ratified or something better comes along. As with anything, they both have their pros and cons, but at least it's more secure than what we have now, which is a protocol that's been around since the internet started and that hasn't changed since. DNS is a protocol that is transmitted in plain text and is critical for the internet to work; either of these new offerings, DoT & DoH, are more private than today's DNS, which is exactly why ISPs here in the UK are grumbling over them. I use both Chrome 78 and Firefox beta, and it's just like DNS now: it can be set to whatever DNS resolver we choose. I've also been using DoH in Android 9 as well for some time, and that's never had any real problems.

    Personally I want to try to increase my multilayered approach to security (thanks for the tip, Sophos). I'd like to be able to harden as much as I can, and DNS is now on my radar. I see where you're coming from, and the topic of that article, "do we need secure DNS", is along that line, to which I'd say yes, why not.

    I think DoH is most likely to stick as it's easier to set up as an end user; DoT requires users to set a very long string for the value, which is impossible to remember (I can't). Also, DNSCrypt for me was just the way to access these protocols now, as both Windows and XG alike don't have the ability to set either yet.

    I'm closing my reply here as this isn't the right thread for this discussion.

    Lastly, I wanted to touch on what I said to Terry via PM. Personally I always have Sophos XG as my perimeter DNS server, with clients pointing to XG for DNS resolution or to internal DNS servers, i.e. DCs set with XG's IP as forwarder. That way XG alone handles traffic to external DNS servers for resolution; everything within the perimeter is then blocked for DNS traffic. Depending on availability I may set secondary DNS on internal DNS forwarders to a public forwarder, but generally I'll have multiple XG instances in fail-over, so this situation isn't needed. DCs are not supposed to have any sort of internet access, which includes DNS traffic, which is why I set my DNS up this way (I realise this isn't always going to happen, but if you can prevent DCs from accessing public servers, then try to do so as much as possible).

    JK
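    The layout JK describes above (XG as the only forwarder on the DCs, DNS egress from inside the perimeter blocked) as an added PowerShell audit script that is not from this thread. It assumes an elevated session on the DC, that 10.0.0.1 is a constructed placeholder for the XG's LAN address, and uses 8.8.8.8 simply as a stand-in for "any public resolver"; a successful direct query to it means the perimeter is not blocking DNS as intended.

```powershell
# Added example (not from the thread): check a DC's DNS role against the
# XG-as-edge-forwarder layout. Assumptions: run elevated on the DC; 10.0.0.1 is a
# constructed placeholder for the XG; 8.8.8.8 stands in for any public resolver.
param(
    [string[]]$AllowedForwarders = @('10.0.0.1'),  # placeholder, the XG address(es)
    [string]$PublicResolver = '8.8.8.8',
    [string]$TestName = 'example.com'
)
$findings = New-Object System.Collections.Generic.List[string]
$fw = Get-DnsServerForwarder

# Any forwarder other than the XG means the DC itself talks to the internet for DNS
foreach ($ip in $fw.IPAddress) {
    if ($AllowedForwarders -notcontains $ip.IPAddressToString) {
        $findings.Add("Forwarder $ip is not in the allowed list")
    }
}
# With root hints enabled, a forwarder timeout falls back to querying the root servers
# directly, which is exactly the traffic the perimeter is supposed to block
if ($fw.UseRootHint) { $findings.Add('UseRootHint is enabled; disable it with Set-DnsServerForwarder -UseRootHint $false') }
# Forwarder timeout outside the range discussed earlier in the thread
if ($fw.Timeout -lt 2 -or $fw.Timeout -gt 10) {
    $findings.Add("Forwarder timeout $($fw.Timeout) s is outside the 2-10 s range")
}

# Resolution through the intended path (this server -> XG) must work...
try {
    $null = Resolve-DnsName -Name $TestName -Server 127.0.0.1 -DnsOnly -ErrorAction Stop
} catch {
    $findings.Add("Local resolution of $TestName failed: $($_.Exception.Message)")
}
# ...while a direct query from the DC to a public resolver should be blocked at the edge
try {
    $null = Resolve-DnsName -Name $TestName -Server $PublicResolver -DnsOnly -ErrorAction Stop
    $findings.Add("Direct query to $PublicResolver succeeded; DNS egress from the DC is not blocked")
} catch {
    # expected: the perimeter drops the query and the lookup times out
}

if ($findings.Count -eq 0) { 'OK: DNS path matches the XG-as-edge-forwarder layout' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```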