Avanet

Configure DNS Request Routes on Sophos Firewall

DNS Request Routes let you define on Sophos Firewall which DNS server is used for specific domains or networks. This is especially useful when the firewall uses public DNS servers for general resolution, but internal names must be resolved through an internal DNS server.

Typical examples are Active Directory domains, internal applications, reverse lookups or VPN environments.

When do you need DNS Request Routes?

DNS Request Routes are useful when:

  • internal hostnames such as server01.company.local need to be resolved
  • reverse lookups for internal IP networks should work
  • VPN users should use internal names
  • multiple sites have their own DNS zones
  • the firewall itself must reach internal systems by FQDN
  • public DNS servers do not know internal names

Without a DNS Request Route, the firewall queries the globally configured DNS server. If that server does not know the internal domain, resolution fails.

Requirements

  • Access to the Sophos Firewall WebAdmin
  • Internal DNS server is reachable
  • Domain or network is known
  • Firewall rules allow DNS traffic to the target server
  • For site-to-site connectivity: routing to the DNS server works

WARNING: DNS problems often look like routing, VPN or application problems. Before making larger changes, check whether the target server is reachable by IP address and whether only name resolution is failing.

Create a DNS Request Route for a domain

A domain route ensures that queries for a specific domain are sent to a defined DNS server.

Example:

  • Host/domain name: company.local
  • DNS server: 10.10.10.10

Procedure:

  1. Sign in to Sophos Firewall.
  2. Open Network.
  3. Select DNS.
  4. Go to DNS request route.
  5. Add a new DNS Request Route.
  6. Under Host/domain name, enter the internal domain, for example company.local.
  7. Under Target servers, select the internal DNS server or create it as a host using Create.
  8. Save.

The firewall will then query the specified DNS server for this domain.

Screenshot: Sophos Firewall - Network > DNS > Add DNS request route (adding a DNS Request Route with an internal DNS server as target)

Use multiple target servers

Under Target servers, you can add more than one DNS server. This is useful if there are several internal DNS servers or if DNS should be reachable redundantly over a site-to-site connection.

Possible target servers:

  • internal DNS servers on the local network
  • DNS servers on the other side of a VPN connection
  • DNS servers at another site
  • public DNS servers, if a specific domain should intentionally be resolved externally

The order matters: Sophos queries the selected hosts in the order in which they appear in the list. According to the Sophos documentation (Add a DNS request route), up to eight IP addresses can be configured per route.

Screenshot: Sophos Firewall - Network > DNS > DNS request route (overview of a DNS Request Route for avanet.local)

Reverse DNS for internal networks

A reverse DNS request route forwards PTR queries for an internal IP network to the DNS server that knows the matching reverse lookup zone. This helps when logs, reports or services need to turn an IP address back into a hostname.

Example:

  • Network: 172.16.16.0/24
  • DNS server: 172.16.16.10
  • Reverse zone: 16.16.172.in-addr.arpa

For reverse lookups, you also create a DNS Request Route under Network > DNS > DNS request route. Under Host/domain name, however, you do not enter the normal domain but the reverse zone.

Example for 172.16.16.0/24:

16.16.172.in-addr.arpa

The order of the octets is reversed. The network 172.16.16.0/24 therefore becomes 16.16.172.in-addr.arpa.

For larger networks, the reverse zone can be broader. Example: for 172.16.0.0/16, it would be 16.172.in-addr.arpa. What matters is how the reverse lookup zone was created on the internal DNS server.

If no PTR zone or PTR records exist on the internal DNS server, the request route will not fix that. The firewall can only send the query to the correct DNS server; it does not create reverse DNS records on the DNS server.
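The octet reversal described above, together with the eight-server limit from the "Use multiple target servers" section, as an added helper that is not part of the original article or of any Sophos tool. It derives the Host/domain name entry for a reverse route from a CIDR network and rejects prefixes that are not octet-aligned, because those depend on how the zone was delegated on the internal DNS server (the `plan_request_routes` function and the sample route table are constructed for this example):

```python
import ipaddress

MAX_TARGET_SERVERS = 8  # limit stated in the Sophos documentation

def reverse_zone(cidr: str) -> str:
    """Return the in-addr.arpa zone name for an IPv4 network.

    Only /8, /16 and /24 networks map to a single in-addr.arpa zone.
    Other prefix lengths are rejected: the zone name then depends on
    how the reverse zone was created on the internal DNS server.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen == 0 or net.prefixlen % 8:
        raise ValueError(f"{cidr}: need an octet-aligned IPv4 prefix (/8, /16, /24)")
    octets = str(net.network_address).split(".")
    network_part = octets[: net.prefixlen // 8]   # drop the host octets
    return ".".join(reversed(network_part)) + ".in-addr.arpa"

def plan_request_routes(domains: dict, networks: dict) -> list:
    """Build (Host/domain name, target servers) pairs for WebAdmin.

    domains:  {"company.local": ["10.10.10.10"]}
    networks: {"172.16.16.0/24": ["172.16.16.10"]}
    Target servers keep their order, since the firewall queries them
    in list order; duplicates and more than eight servers are rejected.
    """
    routes = []
    entries = list(domains.items()) + [(reverse_zone(n), s) for n, s in networks.items()]
    for name, servers in entries:
        if len(servers) > MAX_TARGET_SERVERS:
            raise ValueError(f"{name}: more than {MAX_TARGET_SERVERS} target servers")
        if len(set(servers)) != len(servers):
            raise ValueError(f"{name}: duplicate target server")
        for server in servers:
            ipaddress.ip_address(server)  # every target must be a valid IP
        routes.append((name, list(servers)))
    return routes

if __name__ == "__main__":
    # Constructed sample table (domain, DNS server, purpose) from the article's examples
    for name, servers in plan_request_routes(
        {"company.local": ["10.10.10.10"]},
        {"172.16.16.0/24": ["172.16.16.10"], "172.16.0.0/16": ["172.16.16.10"]},
    ):
        print(f"Host/domain name: {name:28} Target servers: {', '.join(servers)}")
```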

Tests

After configuration, test name resolution:

  • Can the firewall resolve the internal name?
  • Does resolution work from VPN or user zones?
  • Is the DNS server reachable by ping and on TCP/UDP port 53?
  • Are there entries in the DNS or firewall log?

If resolution does not work, check first:

  • Is the domain spelled correctly?
  • Is the client really using Sophos Firewall or the correct DNS server?
  • Is a firewall rule blocking DNS?
  • Is a route to the DNS server missing?
  • Does the DNS server answer queries from the firewall?

Common mistakes

Common causes are:

  • wrong domain, for example company.local instead of ad.company.local
  • DNS server is reachable only from the LAN, not from the VPN
  • firewall sends the query through the wrong route
  • reverse lookup zone is missing
  • DNS traffic is affected by a rule or NAT

In VPN environments, also check whether the VPN clients receive the correct DNS servers and search domains.

Recommendation

DNS Request Routes should be as specific as possible. A route for the exact internal domain is better than a configuration that is too broad. For larger environments, it is worth keeping a small table with domain, DNS server, site and purpose so that later changes remain understandable.