Couldn't delete the post, so am editing it. I figured out how to add the XGS as the DNS server: in DHCP, uncheck the box to use the DNS settings and set the interface IP as the DNS server.
The DNS settings appear to be for the firewall itself. So I think I go into the DHCP settings and check the box to manually specify the DNS server and in that I put? The interface (say 192.168.1.1)? Or nothing? Or something else?
If the firewall IPv4 interface is 192.168.1.1 over a certain port, then that is exactly what you will use on the DHCP settings of that interface while manually specifying the DNS server. (Remember to allow DNS connections for the same zone within the device access tab.)
Also, any information on the overhead, the caching amount, etc., of the XGS' DNS server?
There is (almost) no configuration you can make for the DNS server of the firewall.
If you do not have a DNS server in your network, then it is better to use the firewall itself as the DNS server, since it does have caching capabilities.
Plus it appears in The Life of a Packet that there's a bit of extra security when the DNS lookup happens on the XGS.
It can apply security measures on DNS lookups without being the DNS server itself.
OK, good to know. I wish they had a checkbox to use the Interface IP, as they do higher up in the configuration for something else. Why make me type it in and risk it causing problems if the IP of the interface ever changed?
It's good to hear that the firewall does some security in relation to DNS even when not the DNS server. Life of a Packet document mentions additional ATP protection if the firewall is the DNS server: "If Sophos Firewall is configured as the DNS server, the firewall stack also checks the domain names with the ATP database."