Sophos UTM Firewall Being Flooded With UDP Packets

Okay, I have a Sophos UTM 9 Firewall set up. I have built two BIND DNS servers; one internal for doing recursive queries and one for an external domain with no recursion (so it doesn't act as if it's an open resolver).

I've correctly configured DNATs for external as follows:

And the following Firewall Rule:

Everything works fine when turned on, except my Firewall log keeps getting hammered with traffic on port 53 from several different random public IPs.


I've done some research online, and have read in many cases that this is normal. I have IPS on and configured correctly, and UDP flood protection on (which I've set low to test).

I've also configured a group of these public IPs to DROP automatically via Firewall rule. Although the packets are being dropped, I'm still being flooded with UDP:53 attempts, and my firewall log keeps building up in the Gigabytes. However, if I turn my NAT rule back on along with the Firewall rule, these public IPs are able to get in, with the NAT rule taking precedence over the rule set.

I have millions of packets being filtered daily, all from random IPs on port 53. My CPU doesn't get pegged out, but everything is slow on the DNS side when these rules are turned back on. Should I be putting the external DNS in a DMZ even though its recursion is turned off?


Thank you for any ideas!
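An added example, not code from the original post or from Sophos: a small Python triage script for the situation described above. It parses drop entries written in the key="value" style of the UTM packetfilter log (the sample lines are constructed and only approximate that format), counts dropped UDP/53 packets per source, and lists the sources busy enough to be worth putting in a DROP network group whose rule has logging switched off, which is what stops the log growing by gigabytes while the packets are still discarded. The field names (`action`, `srcip`, `proto`, `dstport`, `fwrule`), the timestamps and the threshold of 2 are assumptions for the example.

```python
import re
from collections import Counter

# Template for a constructed Sophos-UTM-style packetfilter entry.  This is an
# approximation of that key="value" layout, not a capture from a real firewall.
# Addresses are RFC 5737 documentation ranges; proto 17 is UDP, proto 6 is TCP.
LINE = ('2016:03:01-08:00:{sec:02d} utm ulogd[1234]: id="{id}" severity="info" '
        'sys="SecureNet" sub="packetfilter" name="{name}" action="{action}" '
        'fwrule="{rule}" initf="eth1" srcip="{src}" dstip="203.0.113.5" '
        'proto="{proto}" length="60" srcport="{sport}" dstport="{dport}"')


def _entry(sec, action, src, proto, sport, dport):
    """Build one constructed log line; drops use the default-drop rule id."""
    dropped = action == "drop"
    return LINE.format(sec=sec, id="2001" if dropped else "2002",
                       name="Packet dropped" if dropped else "Packet accepted",
                       action=action, rule="60001" if dropped else "3",
                       src=src, proto=proto, sport=sport, dport=dport)


SAMPLE_LOG = "\n".join([
    _entry(1, "drop", "198.51.100.7", "17", "40021", "53"),
    _entry(1, "drop", "198.51.100.9", "17", "51002", "53"),
    _entry(2, "drop", "198.51.100.7", "17", "40022", "53"),
    _entry(2, "drop", "192.0.2.44", "6", "33001", "22"),   # TCP/22, not DNS
    _entry(3, "drop", "198.51.100.7", "17", "40023", "53"),
    _entry(3, "drop", "198.51.100.9", "17", "51003", "53"),
    _entry(4, "drop", "192.0.2.44", "17", "60000", "53"),
    _entry(5, "accept", "192.0.2.10", "17", "41234", "53"),  # a legitimate query
])

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_entry(line):
    """Turn one key="value" line into a dict.  The timestamp/process prefix
    carries no quoted fields, so it is simply not captured."""
    return dict(KV_RE.findall(line))


def dropped_by_source(log_text, proto="17", dport="53"):
    """Dropped packets per source IP for one protocol and destination port
    (defaults: UDP to port 53, the traffic the thread is about)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_entry(line)
        if (rec.get("action") == "drop" and rec.get("proto") == proto
                and rec.get("dstport") == dport):
            counts[rec["srcip"]] += 1
    return counts


def noisy_sources(counts, threshold):
    """Sources at or above the threshold: candidates for a DROP network group
    whose firewall rule has logging turned off."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def summarize(log_text, proto="17", dport="53"):
    """Overall volume: all entries, all drops, and drops on the DNS port only,
    so the share of the log taken by the flood is visible at a glance."""
    total = dropped = dns_dropped = 0
    for line in log_text.splitlines():
        rec = parse_entry(line)
        if not rec:
            continue
        total += 1
        if rec.get("action") != "drop":
            continue
        dropped += 1
        if rec.get("proto") == proto and rec.get("dstport") == dport:
            dns_dropped += 1
    return {"total": total, "dropped": dropped, "dns_dropped": dns_dropped}


if __name__ == "__main__":
    counts = dropped_by_source(SAMPLE_LOG)
    print(summarize(SAMPLE_LOG))
    for ip, n in counts.most_common():
        print(f"{ip:16} {n} dropped UDP/53 packets")
    print("noisy sources:", noisy_sources(counts, threshold=2))
```

On a real box the script would read the packetfilter log file instead of `SAMPLE_LOG`; the threshold is a judgement call, and the sources it lists are only a snapshot, since the flood comes from constantly changing addresses, which is why the replies below steer towards not exposing the resolver at all.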



  • I have been using afraid for my ddns service, and that is who I was thinking about with a hosted dns setup as well when I wrote the comment.  Running a public DNS server will get you a fair amount of attention you really won't want if you have other options.  I have my home setup as a subdomain of my primary dns name and have that subdomain cnamed to my ddns entry.  I then send this subdomain back to my internal dns servers on the UTM for internal-only resolution.  It seems to work well for me so far.

  • This was reasonable 20 years ago, but not today.  Darrell's advice is good.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • How about instead of criticizing you give reasonable help and suggestions? Isn't that the whole reason for the community forums?


    Thank you. 

  • Thanks Darrell.

    I'm going to try this out! 

  • Also Darrell:


    What are your thoughts on adding another NIC for the public DNS, naming it DMZ, subnetting it from Internal, and allowing Internal traffic to DMZ, but no traffic from DMZ to Internal? If that makes sense.

  • From a security standpoint, that makes sense and should protect you from most things on your internal network.  However, watch outbound traffic very closely from your DNS server if you go that route.  Harden it completely (CIS benchmark, plus BIND hardening) and monitor it very closely.  Again, since it is a heavily attacked service, it *could* lead to your IP getting blacklisted.  If your DNS is hosted on a dynamic address, it could also lead to it being blocked from some providers as well.  It really is a mixed bag and like Bob said, it is just not as easy as it was in the past.  It won't hurt at all to try for a bit, but I can tell you from experience, removing your (really, your ISP) ip address from blacklists of any sort is a giant PITA.

  • Justin, I've helped a lot of folks here over the years, but I had nothing to add to Darrell's answer.  I apologize if you felt that was criticism - none such intended!  It seemed like you were new to this and I wanted to underline the importance of taking his advice.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I'm new here in the forums yes, but IT no. I'm just looking for good advice. I've been working with Sophos UTM as a Sys Tech/ Admin at my company for about a year now, and recently pieced together a machine and put Home Edition on it and have been running it on my home network. I know there are a lot of angles when it comes to DNS. I myself usually like to start the hard way and work my way down to an easy solution, in the process understanding everything a lot better. I'm basically testing things for the most part, and just wondered what a lot of other people out there do in similar situations. I know it's an easy solution to do DDNS, but I wanted to try and host it myself just because I can. Idk, it's an IT thing I guess. 
