Configure Sophos Firewall to use DNS Protection

If you're using Sophos Firewall as a DNS server, you can configure the firewall to use DNS Protection as the DNS forwarder.

Key steps

The key steps to configure Sophos Firewall with DNS Protection are as follows:

  1. Add Sophos Firewall as a location in Sophos Central.
  2. Copy the DNS Protection IP addresses from Sophos Central.
  3. Add the DNS Protection IP addresses in Sophos Firewall.
  4. Add a DNS request route in Sophos Firewall if you're using an internal DNS server to resolve local DNS requests.
  5. Set up network devices to use Sophos Firewall as the DNS resolver.
  6. (Optional) Create a NAT rule to forward outbound DNS traffic to the firewall's DNS resolver.

Sophos Central configuration

In Sophos Central, add the firewall as a location and copy the DNS Protection IP addresses.

Add Sophos Firewall as a location in Sophos Central

To add Sophos Firewall as a location, do as follows:

  1. Go to My Products > DNS Protection > Locations.
  2. Click Add.
  3. Enter a name and description for the location.
  4. In IPv4 addresses or FQDNs, according to your network setup, do as follows:

    • If your firewall has a single WAN interface, add the WAN interface's IP address.
    • If your firewall has multiple WAN interfaces, add all those IP addresses or add an IP address range.
    • If your firewall's IP address is dynamic, add the firewall's hostname registered with the Dynamic DNS (DDNS) provider. See Dynamic DNS.
  5. Click Save.

Copy the DNS Protection IP addresses

In Sophos Central, copy the DNS Protection IP addresses. You'll need these IP addresses to configure Sophos Firewall to use DNS Protection.

To copy the DNS Protection IP addresses, do as follows:

  1. Go to My Products > DNS Protection > Installers.
  2. Next to IP addresses, click Copy.

    You copy two IP addresses. You can use them as the primary and secondary DNS Protection IP addresses to configure redundancy.

Sophos Firewall configuration

In the firewall, do as follows:

  • Add the DNS Protection IP addresses in Sophos Firewall.
  • Add a DNS request route if you're using a local DNS server.
  • Set up your network devices to use the firewall as the DNS resolver.

Add the DNS Protection IP addresses in Sophos Firewall

To configure the firewall to use DNS Protection, add the DNS Protection IP addresses you copied from Sophos Central to the firewall.

To add the DNS Protection IP addresses in Sophos Firewall, do as follows:

  1. Go to Network > DNS.
  2. Select Static DNS.
  3. In DNS 1, enter the IP address you want to use as the primary DNS Protection Server.

    This must be one of the IP addresses you copied from Sophos Central.

  4. In DNS 2, enter the IP address you want to use as the secondary DNS Protection server.

    This must be one of the addresses you copied from Sophos Central.

    Note

    We recommend you don't add any other DNS server in DNS 3. If the firewall switches to the third DNS server, you'll lose the protection offered by DNS Protection.

  5. Make sure IPv6 DNS servers aren't configured.

    Under IPv6, do as follows:

    1. Select Static DNS.
    2. Leave DNS 1, DNS 2, and DNS 3 blank.
    3. Select Choose IPv4 DNS server over IPv6.
  6. Click Apply.

    Sophos Firewall DNS configuration.

    Note

    The IP addresses in the screenshot are only examples. You must use the IP addresses you copied from Sophos Central.

Add a DNS request route

DNS Protection doesn't resolve local DNS requests. So, if you're using an internal DNS server to resolve local DNS requests, you must add a DNS request route in the firewall.

When you add a DNS request route, the firewall resolves DNS requests as follows:

Sophos Firewall DNS request route topology.

  1. All requests from the users go to the firewall.
  2. The firewall forwards local requests to an internal DNS server based on the domain.
  3. The firewall forwards public DNS requests to DNS Protection.
  4. The firewall forwards the responses from all DNS requests back to the users.

In the DNS request route, specify the local domain and internal DNS server.

To add a DNS request route, do as follows:

  1. Go to Network > DNS.
  2. Under DNS request route, click Add.
  3. In Host/Domain name, enter the local domain.
  4. In Target servers, select the internal DNS server.
  5. Click Save.
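The forwarding behaviour described above, modelled as an added Python example (not Sophos code): a query whose name falls under a configured local domain goes to that route's internal DNS server, everything else goes to the DNS Protection addresses in DNS 1 and DNS 2. The longest-matching-domain rule and the sample addresses are assumptions of this illustration, not values from the page.

```python
"""Model of the firewall's DNS forwarding decision once DNS Protection and a
DNS request route are configured. Added illustration, not Sophos code."""
from dataclasses import dataclass, field


@dataclass
class DnsConfig:
    # Static DNS 1 / DNS 2 (the addresses copied from Sophos Central).
    static_dns: list
    # DNS request routes: local domain -> internal DNS server addresses.
    request_routes: dict = field(default_factory=dict)


def _norm(name: str) -> str:
    """Normalise a DNS name: drop the trailing dot, compare case-insensitively."""
    return name.rstrip(".").lower()


def resolver_for(cfg: DnsConfig, qname: str):
    """Return ("internal", servers) when a DNS request route covers the query
    name, otherwise ("dns_protection", servers) using DNS 1 / DNS 2.

    Assumption: a route for "corp.example" also covers its subdomains, and the
    longest matching domain wins when several routes overlap.
    """
    q = _norm(qname)
    best = None
    for domain, servers in cfg.request_routes.items():
        d = _norm(domain)
        if q == d or q.endswith("." + d):
            if best is None or len(d) > len(best[0]):
                best = (d, servers)
    if best is not None:
        return "internal", list(best[1])
    return "dns_protection", list(cfg.static_dns)


def check_forwarders(cfg: DnsConfig, protection_ips) -> list:
    """Flag any static DNS entry that is not a DNS Protection address, which is
    the page's point about DNS 3: a failover to it silently bypasses protection."""
    issues = []
    for i, server in enumerate(cfg.static_dns, start=1):
        if server not in protection_ips:
            issues.append(f"DNS {i} ({server}) is not a DNS Protection address")
    return issues
```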

Set up network devices to use Sophos Firewall as the DNS resolver

Update the firewall's DHCP servers so that your network devices use the firewall as the DNS resolver.

To update the firewall's DHCP servers, do as follows:

  1. Go to Network > DHCP.
  2. Under Server, select a configured DHCP server and click Edit to make changes.

    Edit a DHCP server.

  3. In Interface, make a note of the selected DHCP interface's IP address.

  4. Under DNS server, configure the server as follows:

    1. Don't select Use device's DNS settings.
    2. In Primary DNS, enter the IP address of the DHCP interface you noted in Interface.
    3. In Secondary DNS, enter the public IP address of DNS Protection. This must be one of the DNS Protection IP addresses you copied from Sophos Central.
  5. Click Save.

  6. Repeat these steps for all the configured DHCP servers in the firewall.

Create a NAT rule to forward outbound DNS traffic to the firewall's DNS resolver

Even after you configure all DHCP servers, some devices in your network may be configured to use a third-party DNS resolver, either through a legitimate setting or a malicious one. To cover those devices, you can create a NAT rule that forwards all outbound DNS traffic from your internal network to the firewall's DNS resolver.

To configure a NAT rule, do as follows:

  1. Go to Rules and policies > NAT rules and select IPv4.
  2. Click Add NAT rule, then select New NAT rule.
  3. Enter a name for the rule and set Rule position to Top.
  4. In Original source, select all your internal networks.
  5. In Original destination, select the outbound host group. You can also select the built-in host group Internet IPv4 group instead.
  6. In Original service, select DNS.
  7. In Translated destination (DNAT), select or add the IP address of one of your firewall's internal interfaces.
  8. In Inbound interface, select the firewall interfaces corresponding to the source networks you configured in Original source.

    Note

    Don't select the WAN port or any WAN interfaces if you have multiple WAN interfaces in the firewall.

  9. Click Save.