
Which DNS servers should the XG be pointing to?

For best performance and/or best practice.

Under Network > DNS settings,

Should my XG firewall be pointing to my internal DNS servers, or should it be pointing to my ISP-provided DNS servers? (Notwithstanding anyone's personal choice of their favourite DNS servers.)

Right now I have my XG pointing to my internal DNS servers, which point to my ISP DNS.


What is the correct and/or best practice?

Thanks in advance.

Terry

  • I see your points and agree, for one, that there does need to be standardisation, but for me I wanted security on DNS now, not some time in the future. I've known for a long time how insecure DNS is and have always tried to use DNSSEC where possible (or VPNs), but as you say DNSSEC is not easy to implement, with very few providers offering it to clients, so it's now very rare to see. I'm very glad to see providers and developers now offering DoH and DoT, but again, as you mentioned, we will need standards, otherwise it risks extinction or compatibility issues. If I was Sophos I would release both options and let users choose, at least until both are ratified or something better comes along. As with anything they both have their pros and cons, but at least it's more secure than what we have now, which is a protocol that's been around since the internet started and hasn't changed since. DNS is a protocol that is transmitted in plain text and is critical for the internet to work; either of these new offerings, DoT and DoH, is more private than today's DNS, which is exactly why ISPs here in the UK are grumbling over them. I use both Chrome 78 and Firefox beta, and it's just like DNS now: it can be set to whatever DNS resolver we choose. I've also been using DoH in Android 9 as well for some time, and that's never had any real problems.

    Personally I want to try to increase my multilayered approach to security (thanks for the tip, Sophos). I'd like to be able to harden as much as I can, and DNS is now on my radar. I see where you're coming from, and the topic of that article, "do we need secure DNS", is well along that line, to which I'd say yes, why not.

    I think DoH is most likely to stick as it's easier to set up as an end user; DoT requires users to set a very long string for the value, which is impossible to remember (I can't). Also, DNSCrypt for me was just the way to access these protocols now, as both Windows and XG alike don't have the ability to set either yet.

    I'm closing my reply here as this isn't the right thread for this discussion.

    Lastly, I wanted to touch on what I said to Terry via PM. Personally, I always have Sophos XG as my perimeter DNS server, with clients pointing to XG for DNS resolution, or internal DNS servers (i.e. DCs) set with XG's IP as forwarder. That way XG alone handles traffic to external DNS servers for resolution; everything else within the perimeter is then blocked for DNS traffic. Depending on availability I may set a secondary DNS on internal DNS forwarders to a public forwarder, but generally I'll have multiple XG instances in fail-over so this situation isn't needed. DCs are not supposed to have any sort of internet access, which includes DNS traffic, which is why I set my DNS up this way (I realise this isn't always going to happen, but if you can prevent DCs from accessing public servers then try to do so as much as possible).

    JK
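A way to verify that the layout JK describes (clients to internal DNS, internal DNS to XG, only XG to public resolvers) is actually being enforced, as an added example that is not part of this thread or of Sophos XG: it audits constructed flow-log lines and flags any host other than the firewall sending DNS or DoT outside the private ranges. The XG address 10.0.0.1, the log format and all addresses are assumptions for illustration.

```python
"""Audit firewall flows against the DNS layout described in the reply above:
clients -> internal DNS (DCs) -> XG -> public resolvers, nothing else leaves.
Addresses and log lines are constructed for illustration, not taken from a real XG."""
import ipaddress
import re
from dataclasses import dataclass

XG_IP = ipaddress.ip_address("10.0.0.1")          # assumed address of the XG perimeter DNS
DNS_PORTS = {53, 853}                              # plain DNS and DoT; DoH on 443 needs other controls
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed, simplified flow-log format: key=value pairs, one flow per line.
FLOW_RE = re.compile(r"src=(\S+)\s+dst=(\S+)\s+proto=(\w+)\s+dport=(\d+)")


@dataclass(frozen=True)
class Violation:
    src: str
    dst: str
    reason: str


def is_private(ip) -> bool:
    return any(ip in net for net in PRIVATE)


def audit(lines):
    """Return flows where a host other than the XG sends DNS/DoT to an external address."""
    violations = []
    for line in lines:
        m = FLOW_RE.search(line)
        if not m:
            continue                                # unparseable line: skip, do not guess
        src, dst = ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2])
        if int(m[4]) not in DNS_PORTS or is_private(dst):
            continue                                # not DNS, or client->DC / DC->XG inside the perimeter
        if src != XG_IP:
            violations.append(Violation(str(src), str(dst), "DNS egress bypassing the XG resolver"))
    return violations


SAMPLE_LOG = [  # constructed flows
    "src=10.0.5.20 dst=10.0.1.10 proto=udp dport=53",      # client -> DC: expected
    "src=10.0.1.10 dst=10.0.0.1 proto=udp dport=53",       # DC -> XG forwarder: expected
    "src=10.0.0.1 dst=203.0.113.1 proto=udp dport=53",     # XG -> public resolver: expected
    "src=10.0.1.10 dst=203.0.113.1 proto=udp dport=53",    # DC reaching the internet: violation
    "src=10.0.5.20 dst=198.51.100.1 proto=tcp dport=853",  # client using DoT directly: violation
    "src=10.0.5.20 dst=198.51.100.1 proto=tcp dport=443",  # plain web traffic: ignored
]

print(audit(SAMPLE_LOG))
```

Running it against the sample flows reports the DC and the client that talk to external resolvers directly; on a real XG the same check would be run over its exported firewall log.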