Add your DNS settings

Public DNS server

You need a public (external) DNS server for the following reasons:

• To resolve an "A record" that points to the ZTNA gateway.
• To resolve the "CNAME record" of applications that point to the domain name (FQDN) of the ZTNA gateway. You don't need these CNAME records for applications if you access them with the Sophos ZTNA agent.

If you don't use the ZTNA agent, ZTNA supports a single domain only. The domain name of your applications must match that of your gateway.

Private DNS server

The ZTNA gateway must point to a private (internal) DNS server to redirect users to an application after authentication and authorization.

Alternatively, you can configure the internal FQDN/IP of the application directly when you add it to ZTNA in Sophos Central.

For examples of how DNS works with ZTNA, see DNS flows.

Public DNS server

You need a public (external) DNS server for the following reasons:

• To verify the domain ownership that the admin uses for the ZTNA gateway.
• To resolve the "CNAME record" that points to the alias domain generated when you add the ZTNA gateway.
• To resolve the "CNAME record" of applications that point to the alias domain generated for agentless resources.

The domain name of your applications must match that of your gateway.

Private DNS server

The ZTNA gateway must point to a private (internal) DNS server to redirect users to an application after authentication and authorization.

Alternatively, you can configure the internal FQDN/IP of the application directly when you add it to ZTNA in Sophos Central.

For examples of how DNS works with ZTNA, see DNS flows.