Add your DNS settings
You need the following settings in your DNS servers.
The settings differ depending on whether you're setting up an on-premises gateway or a Sophos Cloud gateway.
Click the tab for information about your gateway type below.
On-premises gateway platforms include Hyper-V and VMWare ESXi.
For examples of how DNS works with on-premises ZTNA gateways, see DNS flows.
Public DNS server
The DNS records you add to your public DNS server differ based on whether you're setting up agentless ZTNA or agent-based ZTNA.
Agentless ZTNA
You need a public (external) DNS server for the following reasons:
- To resolve an A record that points to the ZTNA gateway.
- To resolve the CNAME record of resources that point to the domain name (FQDN) of the ZTNA gateway.
With agentless access, ZTNA supports a single domain only. The domain name of your resources must match that of your gateway.
Example
- The A record points to your gateway FQDN:
https://ztna.mycompany.net/
- The CNAME record points to your resource FQDN:
https://wiki.mycompany.net/#all-updates
Agent-based ZTNA
You need a public (external) DNS server for the following reasons:
- To resolve an A record that points to the ZTNA gateway.
Note
You don't need CNAME records for resources if you access them with the Sophos ZTNA agent.
Example
- The A record points to your gateway FQDN:
https://ztna.mycompany.net/
Private DNS server
The ZTNA gateway must point to a private (internal) DNS server to redirect users to a resource after authentication and authorization.
Alternatively, you can configure the internal FQDN/IP of the resource directly when you add it to ZTNA in Sophos Central.
Sophos Cloud gateway platforms include Sophos Firewall, Hyper-V, and VMWare ESXi.
Public DNS server
The DNS records you add to your public DNS server differ based on whether you're setting up agentless ZTNA or agent-based ZTNA.
Agentless ZTNA
You need a public (external) DNS server for the following reasons:
- To validate the domain ownership that the admin uses for the ZTNA gateway. You must add a TXT record to do this. See the "Validate your domain" section in Set up a Sophos Cloud gateway.
- To resolve the CNAME record that points to the alias domain generated when you add the ZTNA gateway.
- To resolve the CNAME record that points to the alias domain generated when you add agentless resources. You can add multiple CNAME records for multiple resources.
The domain name of your resources must match that of your gateway. For example, gateway domain name: ztna.mycompany.net
, resource name: wiki.mycompany.net
.
Example
- The TXT record points to your gateway FQDN:
https://ztna.mycompany.net/
- The CNAME record points to the alias domain for the ZTNA gateway:
9c70fcab-9a67-470d-8fe8-e5203b0fce34.1.us-east-2.prod.ztna.access.sophos.com
- The CNAME record points to the alias name of your resource:
0c70fcab-9a67-470d-8fe8-e5203b0fce34.1.us-east-2.prod.ztna.access.sophos.com
Agent-based ZTNA
You need a public (external) DNS server for the following reasons:
- To validate the domain ownership that the admin uses for the ZTNA gateway. You must add a TXT record to do this. See the "Validate your domain" section in Set up a Sophos Cloud gateway.
- To resolve the CNAME record that points to the alias domain generated when you add the ZTNA gateway.
Example
- The TXT record points to your gateway FQDN:
https://ztna.mycompany.net/
- The CNAME record points to the alias domain for the ZTNA gateway:
7c70fcab-9a67-470d-8fe8-e5203b0fce34.1.us-east-2.prod.ztna.access.sophos.com
Private DNS server
The ZTNA gateway must point to a private (internal) DNS server to redirect users to a resource after authentication and authorization.
Alternatively, you can configure the internal FQDN/IP of the resource directly when you add it to ZTNA in Sophos Central.