IPS Alert: Some internal hosts to (*.root-servers.net) Destination port: 53 (domain)

Kris, you might want to change your setup to DNS Best Practice.  We would need to see the warning to be able to have an idea about the 'Advanced' tab.

Cheers - Bob

Thanks Bob, I'll read DNS Best Practice.

I'm getting IPS hits on Rule ID 39866:  INDICATOR-COMPROMISE Suspicious .ml dns query.

It is always for internal servers reaching out to either Google's DNS Servers at 8.8.8.8 & 8.8.4.4, or the various hosts at *.root-servers.net

DNS Best Practice Rule #1 seems contradictory to what I read in UTM when looking at Network Services > DNS > Allowed networks.

"If you already run an internal DNS server (for example as part of Active Directory), you should leave this setting empty."

We do, Active Directory Domain Controllers.  That is why I've left it blank.

All I can tell you, Kris, is that 18 months ago, someone at Sophos thought the approach in that post was correct enough to copy it in to a KnowledgeBase article: Best practice: DNS Configuration on the Sophos UTM.

Cheers - Bob

All I can tell you, Kris, is that 18 months ago, someone at Sophos thought the approach in that post was correct enough to copy it in to a KnowledgeBase article: Best practice: DNS Configuration on the Sophos UTM.

Cheers - Bob

Excellent, thanks Bob.

I've set it all up according to that KB article.