DNS Best Practices for XG

Question

Hi there, I'm a newbie to Sophos and had a quick read through the fourms to find out DNS Best Practices for XG Firewall. I found one for UTM but I presume the same advice applies to XG (request routing and all that). 
 One follow on question I had was - in the aim of avoiding users locally changing their local DNS IP settings, do you recommend as DNS best practice to setup a rule on the XG firewall to allow all tcp/udp on port 53 in/out to our external name servers and then have a rule below that says Block all tcp/udp in/out to all ip addresses on port 53? 
 Or is there a way for XG to simply forward' people's DNS requests (to your preferred external DNS providers) without them knowing, instead of having the possibility of someone manually configuring DNS and having it just not work. 
 Thanks 
 Gerry

rfcat_vk · Answer

Hi Shred, 
 you setup the the DNS on the XG 
 1/. in the network tab -> DNS you set the XG to use DNS from PPPoE, Static or DHCP . 
 2/. in the network -> DHCP tab you enter your internal interface in the Primary DNS field with use the Devices DNS settings not ticked. 
 3/. in the administration tab ->you enable DNS acces in the ACL tab. local service ACL you enable DNS for wifi and LAN. I have enabled for WAN, but not sure if that is required. Something to check when there aren't any users. 
 Ian

lferrara · Answer

Gerry, 
 The best protection is to use XG as dns server, configure dns request routing and nothing else. Avoid to open udp port 53. 
 Regards