Guest User!

You are not Sophos Staff.

Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 2 replies
  • Subscribers 27 subscribers
  • Views 1187 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Internal DNS servers, Zone DNS option and rules

Jens Greiner

Sophos XG106 (SFOS 18.0.5 MR-5-Build586)

I have set up several own DNS servers and added them to XG DNS settings. XG DHCP service provides those DNS servers to our clients.

Clients are separated in different zones, all with their own WAN rule and almost no rules allowing traffic between those zones.

Each zone has DNS option activated. All DNS servers are placed in one single zone.

The issue is all clients could not reach the DNS servers.

Due to lack of documentation I expected the zone DNS option to allow access to DNS servers named by XG. What is that DNS zone option for?

Do I need a dedicated rule to let a client in zone A reach the DNS servers in zone B?

Thank you.

Regards,

Jens



This thread was automatically locked due to age.
Parents
  • +1

    Device Access in XG referes to the own DNS Service. It basically tells the firewall, which zone can reach which service on the firewall itself (Default gateway). If you allow DNS in zone VPN, clients can reach the XG itself as a DNS server but not other Server.

    This is done on purpose to not allow certain configuration option done without the administrator knowledge. If you explicitly want a client to access a service behind XG, you have to create a explicit firewall rule to allow this kind of communication. 

Reply
  • +1

    Device Access in XG referes to the own DNS Service. It basically tells the firewall, which zone can reach which service on the firewall itself (Default gateway). If you allow DNS in zone VPN, clients can reach the XG itself as a DNS server but not other Server.

    This is done on purpose to not allow certain configuration option done without the administrator knowledge. If you explicitly want a client to access a service behind XG, you have to create a explicit firewall rule to allow this kind of communication. 

Children