Configure inbound DNS load balancing and failover
You can add multiple DNS host entries for a single website hosted behind Sophos Firewall, which enables inbound DNS load balancing.
Sophos Firewall acts as a DNS name server that provides the requesting endpoint computer with A records to resolve their requested URL. Adding multiple DNS host entries for a single website hosted behind the firewall allows inbound DNS traffic to be distributed over multiple WAN links and provides failover for an unreachable or dead interface.
This article instructs how you can configure static DNS host entries so that the firewall resolves all requests for the website www.example.com to any of the WAN link IP addresses, 10.10.10.1 or 18.104.22.168. If any of the links fail, the firewall resolves all requests to the IP address of the active interface. This facilitates inbound DNS load balancing and failover.
The steps followed by a user request for www.example.com are shown in the following diagram:
- An endpoint computer sends a request to a local DNS server asking for the IP address of http://www.example.com.
- The local DNS server forwards this request to the authoritative DNS server.
- The authoritative DNS server responds to the local DNS server with pre-registered NS records ns1.example.com and ns2.example.com, redirecting the request directly to Sophos Firewall.
- The local DNS server, in turn, queries Sophos Firewall for the IP address of http://www.example.com. The query reaches the firewall via any one of the active WAN links.
- Sophos Firewall responds to the local DNS server with 22.214.171.124, the WAN IP address of the interface that received the request.
- The local DNS server replies to the endpoint computer with 126.96.36.199, the IP address obtained from Sophos Firewall.
- The endpoint computer then accesses www.example.com using the HTTP request http://188.8.131.52.
- The web server hosting www.example.com, 172.16.16.5, which is bound to both WAN Links 10.10.10.1 and 184.108.40.206 via DNS static host entries in the firewall, responds to the endpoint computer's HTTP request with relevant content.
For Sophos Firewall to act as a name server and provide the A records for domains hosted behind it, you must register corresponding NS records with the ISP's authoritative DNS, which point to the firewall's WAN Links. This way, when ISP DNS receives a DNS query for your domain from an endpoint computer, it forwards the request to the firewall.
Turn on DNS for the WAN zone
To use Sophos Firewall as a DNS name server for a web server behind the firewall, you must turn on DNS for the WAN zone. Do as follows:
- Go to Administration > Device access.
- Select DNS for the WAN zone.
- Click Apply.
Add a DNS host entry
Next, you must configure a DNS host entry for the website hosted by the firewall. Specify multiple WAN IP addresses to turn on load balancing and failover. Do as follows:
- Go to Network > DNS.
- Scroll to the DNS host entry section and click Add.
- Enter www.example.com for the Host/domain name.
- Enter 10.10.10.1 for the IP address.
- Select Publish on WAN.
- Click Add to add a second address.
- Enter 220.127.116.11 for the second IP address.
Select Publish on WAN.
The following restrictions apply to DNS load balancing and failover:
- A maximum of eight addresses are allowed.
- Maximum DNS entries supported is 1024.
- Only A, AAAA, and PTR type DNS records are supported.
- Address (A) records point a hostname to an IP address and return a 32-bit IPv4 address.
- AAAA records point a hostname to an IP address and return a 128-bit IPv6 address.
- Pointer records (PTR) are used for reverse lookups. They map the IP address to a hostname.
- If you use the device interface as a DNS name server, a query is sent to the configured DNS servers before querying the ROOT servers.