Allowed Networks

You can specify the networks that are to be allowed to use Sophos UTM as a recursive DNSClosed resolver. Typically, you will select your internal networks here.

Caution – It is extremely important not to select an Any network object, because this introduces a serious security risk and opens your appliance up to abuse from the Internet.

Note – If you already run an internal DNS server, for example as part of Active Directory, you should leave this box empty.


The Domain Name System Security Extensions (DNSSEC) is a set of extensions to DNS to enhance security. It works by digitally signing DNS lookup records using public-key cryptography. If unselected, Sophos UTM accepts all DNS records. If selected, Sophos UTM validates incoming DNS requests with regard to DNSSEC signing. Only correctly signed records will be accepted from signed zones.

Note – If selected, DNS records might be rejected by DNSSEC-incapable forwarders that are manually installed or assigned by ISP. In this case, on the Forwarders tab, remove the DNS forwarders from the box and/or disable the Use forwarders assigned by ISP checkbox.

Flush Resolver Cache

The DNS proxy uses a cache for its records. Each record has an expiration date (TTL, time-to-live) at which it will be deleted, which is normally one day. However, you can empty the cache manually e.g. if you want recent changes in DNS records to take effect immediately, not having to wait for the TTL to expire. To empty the cache, click Flush Resolver Cache Now.