This discussion has been locked.

DNS Setup in AD/DNS Environment Help

Can anyone tell me if I have set up the XG firewall for proper DNS resolution within a company with a local AD/DNS server and staff who utilize SSL-VPN and Outlook email remotely.

 

I do on occasion have issues trying to RDP through SSL-VPN to client stations, and sometimes have to grab their IP to make the connection; the name just fails to resolve. Currently under Network->DNS, I have set the IP address of our local DNS server under Static DNS->DNS1 and have some OpenDNS IPs under DNS2 and DNS3. I don't have any DNS Host Entries and no DNS Routes. My SSL-VPN users do on occasion have some issues accessing shares, and our email sometimes stumbles, so I'm trying to revisit these issues since we have so many more staff working remotely during this time.

Our local AD server is our main DNS, but I'm asking the experts here what they would recommend as the best, secure way to ensure I have the XG firewall configured correctly; just because everything seems to work doesn't mean it's optimal.

 

Thank you for your advice.



  • I have my XG DNS pointing to my DCs, which also do DNS.

    Generally all my LANs use my internal DC DNS.

  • Are you basically set up the same as well, or are you running any DNS Host/Route entries as well?

  • FormerMember (in reply to SophosStorm):

    Hi,

    I would suggest using the internal DNS server for the SSL VPN users.

    In the example network below, configure 192.168.100.200 as the DNS server for SSL VPN along with the internal domain name, to make sure SSL VPN users can resolve internal server names correctly.

    It will require a VPN-to-LAN firewall rule for DNS traffic.

  • Thank you. Now, how would the Network -> DNS setup look? Would you have it set to get DNS from either DHCP or PPPoE and then have a DNS Route entry to the local DNS server?

  • My VPN settings are represented the way you have shown; I have nothing in Secondary, however, so it's unclear if your 1.1.1.1 is just fictitious. I do have an SSL VPN rule already that has all services allowed. As I say, everything currently does work, but it stumbles at times resolving DNS, and I'm wondering if Network -> DNS isn't 100%. Thanks

  • FormerMember (in reply to SophosStorm):

    Hi,

    1.1.1.1 is a public DNS server, like 8.8.8.8; I just put it as an alternative to the internal DNS server.

    In Network -> DNS, you could also use your internal DNS server along with a public DNS server, like 192.168.111.200 and 1.1.1.1. Obtain DNS server is also fine, but it will only get public DNS servers.

    The DNS configuration on XG is for the DNS service on XG only: it serves DNS requests from XG itself, like firmware updates, and DNS requests sent to XG, like when LAN users use the XG LAN interface IP address as their DNS server.

     

    When DNS stops working for an SSL VPN user, the connectivity between the SSL VPN user and the DNS server needs to be checked more closely. You can use Diagnostics - Tools - Name lookup and Diagnostics - Packet Capture to test the DNS server and check the DNS traffic between the SSL VPN user and the DNS server.
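The two points made in this thread (give SSL VPN clients the internal DNS server plus the internal domain as a search suffix, and when resolution stumbles look at the actual DNS exchange between the VPN client and that server) can be checked from the remote client with a small script. The following is an added example in Python; it is not part of this thread or of any Sophos tool. The hostname ws01, the search domain corp.example, the 192.168.100.x addresses and the two embedded reply packets are constructed for illustration. `resolve()` sends a real query over UDP/53 and needs the tunnel up; everything else runs offline.

```python
"""Check DNS resolution over an SSL VPN tunnel at the packet level (added example)."""
import secrets
import socket
import struct

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def qualify(name, search_domain):
    """Append the internal search domain to a single-label name, as a VPN client's resolver would."""
    if "." in name or not search_domain:
        return name.rstrip(".")
    return f"{name}.{search_domain.strip('.')}"


def encode_name(name):
    """Wire-format a dotted name: length-prefixed labels ending with a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, txid):
    """Build a plain recursive A/IN query (flags: RD set, no EDNS)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def decode_name(data, offset):
    """Decode a (possibly compressed) name; return (name, offset just past it in the original stream)."""
    labels, end = [], None
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer: follow it, but keep our position after the 2 bytes
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def parse_response(data, expected_txid=None):
    """Return the RCODE name and the A records in the answer section of a DNS reply."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch: reply is not for our query")
    offset = 12
    for _ in range(qd):  # skip question entries
        _, offset = decode_name(data, offset)
        offset += 4
    addresses = []
    for _ in range(an):
        _, offset = decode_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addresses.append(socket.inet_ntoa(data[offset:offset + 4]))
        offset += rdlen
    return {"rcode": RCODE_NAMES.get(flags & 0x000F, str(flags & 0x000F)), "addresses": addresses}


def resolve(name, server, search_domain=None, timeout=2.0):
    """Query `server` directly (bypassing the OS resolver) so the result reflects that server only."""
    fqdn = qualify(name, search_domain)
    txid = secrets.randbelow(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(fqdn, txid), (server, 53))
        data, _ = sock.recvfrom(4096)  # socket.timeout here means no VPN-to-LAN path for UDP/53
    return {"name": fqdn, **parse_response(data, txid)}


# Constructed replies for offline demonstration (not captured from a real network).
# Internal DNS answering ws01.corp.example with 192.168.100.50 (answer name uses a 0xC00C pointer).
INTERNAL_REPLY = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    b"\x04ws01\x04corp\x07example\x00\x00\x01\x00\x01"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\xc0\xa8\x64\x32"
)
# A public resolver answering the same name with NXDOMAIN (rcode 3): internal names never resolve there.
PUBLIC_REPLY = (
    b"\x12\x35\x81\x83\x00\x01\x00\x00\x00\x00\x00\x00"
    b"\x04ws01\x04corp\x07example\x00\x00\x01\x00\x01"
)

if __name__ == "__main__":
    print("internal:", parse_response(INTERNAL_REPLY, 0x1234))
    print("public:  ", parse_response(PUBLIC_REPLY, 0x1235))
    # Live check from a connected VPN client (hypothetical addresses):
    # print(resolve("ws01", "192.168.100.200", search_domain="corp.example"))
```

Run the live `resolve()` call from a connected VPN client against the DNS server handed out by the SSL VPN profile: a timeout points at the firewall rule for UDP/53 from the VPN zone to LAN, NXDOMAIN with a short name points at a missing search domain, and an answer from the internal server combined with a failed lookup through the OS resolver means the client is sending the query to a public server first.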
