Make outbound queries using DNS over TLS
Based on comments on this item, the request is for XG Firewall to use DNS over TLS to make outbound DNS queries over an encrypted channel.
If you want to support adding the ability for XG Firewall to be a server for DNS over TLS requests from other devices or endpoints, please create or support a separate idea submission. Also, DNS over HTTPS is covered in a different item: https://ideas.sophos.com/admin/v3/ideas/37437661/
Sophos seems to fall behind in necessary features, which is funny because it supports IPv6. May 2020 and still no DNS over TLS or DNS over HTTPS. Honestly, having a security vendor tell me that sending plaintext DNS records is fine worries me.
I am building an Ubuntu Server VM just for this purpose, but Sophos XG should have this option...
Multiple issues have been mixed here:
DNS over HTTPS is a tunnelling program for devices that want to override the network administrator's configuration. XG or UTM should be in control of the network, so DNS over HTTPS is not necessary, and I will be trying to block it from my network.
DNS over TLS involves two roles: The server role to accept connections from clients, and the client role for DNS requests that XG or UTM sends to the internet because of forwarding, recursion, or local queries.
The client role is needed first, because it is internet traffic that poses the most risk. It needs to attempt DNS over TLS first, then fall back to DNS over UDP if it fails. DNS Flag Day 2020 is working to ensure that TLS queries to public DNS sites will always succeed.
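The client-role behaviour this comment describes (attempt DNS over TLS first, fall back to plaintext UDP if it fails), worked through as an added Python example; this is not code from the thread, from Sophos, or from any firewall product. It builds the DNS query and response wire format itself, uses the 2-byte length framing that RFC 7858 shares with DNS over TCP, verifies the resolver's certificate against the system CA store, and runs offline against constructed stub transports (`build_response`, `_stub_dot_down`, `_stub_canned` and the 192.0.2.x TEST-NET addresses are constructed for this example). The `query_dot` and `query_udp` functions are the real-network transports; the 1.1.1.1 / cloudflare-dns.com pair mentioned in `demo` is one public DoT resolver named purely as an illustration.

```python
import random
import socket
import ssl
import struct

DOT_PORT = 853  # DNS over TLS, RFC 7858
DNS_PORT = 53   # plaintext DNS over UDP

def build_query(name, qtype=1, txn_id=None):
    """Minimal RFC 1035 query for `name` (type A by default) with the RD bit set."""
    txn_id = random.randrange(0, 0x10000) if txn_id is None else txn_id
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN

def _skip_name(msg, pos):
    """Offset just past the name at `pos`; a compression pointer ends the name."""
    while msg[pos] != 0:
        if msg[pos] & 0xC0 == 0xC0:
            return pos + 2
        pos += 1 + msg[pos]
    return pos + 1

def parse_a_records(response, txn_id):
    """IPv4 addresses from the answer section; rejects wrong IDs and error rcodes."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if rid != txn_id:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError("server returned rcode %d" % (flags & 0x000F))
    pos = 12
    for _ in range(qd):  # skip the question section
        pos = _skip_name(response, pos) + 4
    addrs = []
    for _ in range(an):
        pos = _skip_name(response, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", response[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(response[pos:pos + 4]))
        pos += rdlen
    return addrs

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the connection mid-message")
        buf += chunk
    return buf

def query_dot(server_ip, server_name, msg, timeout=3.0):
    """Real transport: TLS to port 853, certificate checked against the system CA store."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and hostname check by default
    with socket.create_connection((server_ip, DOT_PORT), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(struct.pack("!H", len(msg)) + msg)  # 2-byte length prefix, as DNS/TCP
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return _recv_exact(tls, length)

def query_udp(server_ip, msg, timeout=3.0):
    """Real transport: plaintext UDP/53, the fallback path."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg, (server_ip, DNS_PORT))
        return s.recvfrom(4096)[0]

def resolve_with_fallback(name, dot_transport, udp_transport):
    """Try DoT first; on a transport failure fall back to UDP. Returns (addresses, transport)."""
    txn_id = random.randrange(0, 0x10000)
    msg = build_query(name, txn_id=txn_id)
    try:
        return parse_a_records(dot_transport(msg), txn_id), "dot"
    except OSError as exc:  # covers ssl.SSLError and socket.timeout
        # Log every downgrade: a silent fallback hides how often plaintext is really used.
        print(f"DoT failed for {name} ({exc}); falling back to UDP/{DNS_PORT}")
    return parse_a_records(udp_transport(msg), txn_id), "udp"

def build_response(query, addrs):
    """Constructed response for offline use: echoes the question, answers with A records."""
    txn_id = struct.unpack("!H", query[:2])[0]
    question = query[12:_skip_name(query, 12) + 4]
    header = struct.pack("!HHHHHH", txn_id, 0x8180, 1, len(addrs), 0, 0)  # QR, RD, RA
    rr = lambda a: b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(a)
    return header + question + b"".join(rr(a) for a in addrs)

def _stub_dot_down(msg):
    raise OSError("connect to port 853 timed out")  # constructed: blocked port or failed handshake

def _stub_canned(msg):
    return build_response(msg, ["192.0.2.10"])  # constructed: TEST-NET-1 answer for every query

def demo(dot_reachable=False):
    """Run the fallback logic against the stubs. Real use would pass e.g.
    lambda m: query_dot("1.1.1.1", "cloudflare-dns.com", m) and lambda m: query_udp("1.1.1.1", m)."""
    dot = _stub_canned if dot_reachable else _stub_dot_down
    return resolve_with_fallback("example.com", dot, _stub_canned)
```

The fallback prints a line on every downgrade on purpose: if a firewall implements the comment's "try TLS, then UDP" rule, the operator needs to see how often queries actually went out in plaintext, otherwise a blocked port 853 quietly turns the whole feature off. A transport failure (refused connection, timeout, certificate rejection) triggers the fallback; a well-formed answer with a wrong transaction ID or an error rcode does not, since that is a resolver problem rather than a transport problem and retrying over UDP would not make it more trustworthy.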
It would be nice to have this feature in XG, rather than having to set up a VM DNS server to handle the ability and point my Firewall to it.
Please add DNS-SEC as soon as possible. It is mandatory for health care in Germany....
Talking the talk. Now please walk the walk. https://nakedsecurity.sophos.com/2019/04/24/dns-over-https-is-coming-whether-isps-and-governments-like-it-or-not/
1 year later, still no mention that this might get supported.
Adding my vote!
Deepak Kumar commented
When will Sophos wake up on this feature?
8 months later and Sophos doesn't even say a word about adding this basic security feature.
Commenting now, so maybe we'll get an update in a year or two.
It's starting to spread around, so it will have to be added soon to prevent issues with web filtering/monitoring and keep things up to standard.
Dave Hamer commented
Considering Naked Security (by Sophos) did a blog on this, I'm surprised it hasn't at least been flagged for inclusion into XG. Adding my vote!
Danny Merkenhof commented
I also would like to see support for various secure dns options. This should be a must nowadays!
David Burke commented
Add DNS over TLS.
I'm a Sophos user, but pfSense already does this. I might switch to pfSense because of this.
I will chime in and say that Sophos should implement DNS over TLS and HTTPS.
DNS over HTTPS would be a great feature and keep XG at the forefront of IT security. Please do consider implementing this.
Please add DNS over TLS, DNS over HTTPS, and DNSSEC to the XG series, this would be a great feature for the XG!
I agree. It would be awesome if this feature was a part of Sophos XG.
Please add DNS over TLS, DNS over HTTPS, and DNSSEC to the XG series to protect against DNS spoofing and monitoring.