Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 4 replies
  • Answers 1 answer
  • Subscribers 28 subscribers
  • Views 708 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Policy Based DNS Selection

JET IT

Hello Sophos Community,

I have setup the Sophos XG 115 to have two WAN links in Active Backup mode. I have setup 2 Policy Routes so that destinations in Asia goes through WAN1 and destinations in USA goes through WAN2. Everything works just fine. However, it seems that the DNS server is ALWAYS FIXED to the WAN1(Active Link) DNS obtained from ISP DNS.

My question is that is it possible to use a specific DNS server for Policy Route 1(Destinations in Asia) and another specific DNS server for Policy Route 2(Destinations in USA)? Like the following:

Policy Route 1 -> Using WAN Link 1 -> Use DNS from WAN Link 1 ISP.

Policy Route 2 -> Using WAN Link 2 -> Use a custom DNS server in my lab.

Thx in advance!

Geoff T.



This thread was automatically locked due to age.
  • 0

    Set up an internal caching nameserver that doesn't use forwarders. It will perform recursive lookups that will honour your policy-based routes. Use this internal caching nameserver to perform your external lookups.

  • 0 in reply to ChrisKnight

    Hello Chris,

    Thx for the method. But I kinda want to achieve this using the Sophos XG only without having to build another DNS cache server. Is there anything we can do on the Sophos XG for this to work? Thx!

  • +1

    As SD-WAN PBR works on the protocol level, you cannot split this up. It will always trigger one way. Simply because DNS does not work that way. If XG tries to resolve a name, it has to go to the forwarder. 

    You can forward specific source DNS requests to different routes. But not if the XG is the DNS Server.

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    Thx LuCAR, you are right. Instead I did split DNS at the WAN Link level on one of the WAN Link routers and using that router as the DNS forwarder for all LAN clients. Working like a charm now! Thx so much!