Skip to content

Add your DNS settings

You need the following settings in your DNS servers.

The settings differ depending on whether you're setting up an on-premise gateway or a Sophos Cloud gateway.

Click the tab for information about your gateway type below.

On-premise gateway platforms include Amazon Web Services, Hyper-V, and VMWare ESXi.

For examples of how DNS works with on-premise ZTNA gateways, see DNS flows.

Public DNS server

The DNS records you add to your public DNS server differ based on whether you're setting up agentless ZTNA or agent-based ZTNA.

Agentless ZTNA

You need a public (external) DNS server for the following reasons:

  • To resolve an A record that points to the ZTNA gateway.
  • To resolve the CNAME record of resources that point to the domain name (FQDN) of the ZTNA gateway.

With agentless access, ZTNA supports a single domain only. The domain name of your resources must match that of your gateway.

Example
  • The A record points to your gateway FQDN: https://ztna.mycompany.net/
  • The CNAME record points to your resource FQDN: https://wiki.mycompany.net/#all-updates

Agent-based ZTNA

You need a public (external) DNS server for the following reasons:

  • To resolve an A record that points to the ZTNA gateway.

Note

You don't need CNAME records for resources if you access them with the Sophos ZTNA agent.

Example
  • The A record points to your gateway FQDN: https://ztna.mycompany.net/

Private DNS server

The ZTNA gateway must point to a private (internal) DNS server to redirect users to a resource after authentication and authorization.

Alternatively, you can configure the internal FQDN/IP of the resource directly when you add it to ZTNA in Sophos Central.

Sophos Cloud gateway platforms include Sophos Firewall, Amazon Web Services, Hyper-V, and VMWare ESXi.

Public DNS server

The DNS records you add to your public DNS server differ based on whether you're setting up agentless ZTNA or agent-based ZTNA.

Agentless ZTNA

You need a public (external) DNS server for the following reasons:

  • To validate the domain ownership that the admin uses for the ZTNA gateway. You must add a TXT record to do this. See the "Validate your domain" section in Set up a Sophos Cloud gateway.
  • To resolve the CNAME record that points to the alias domain generated when you add the ZTNA gateway.
  • To resolve the CNAME record that points to the alias domain generated when you add agentless resources. You can add multiple CNAME records for multiple resources.

The domain name of your resources must match that of your gateway. For example, gateway domain name: ztna.company.net, resource name: wiki.mycompany.net.

Example
  • The TXT record points to your gateway FQDN: https://ztna.mycompany.net/
  • The CNAME record points to the alias domain for the ZTNA gateway: 9c70fcab-9a67-470d-8fe8-e5203b0fce34.1.us-east-2.prod.ztna.access.sophos.com
  • The CNAME record points to the alias name of your resource: 0c70fcab-9a67-470d-8fe8-e5203b0fce34.1.us-east-2.prod.ztna.access.sophos.com

Agent-based ZTNA

You need a public (external) DNS server for the following reasons:

  • To validate the domain ownership that the admin uses for the ZTNA gateway. You must add a TXT record to do this. See the "Validate your domain" section in Set up a Sophos Cloud gateway.
  • To resolve the CNAME record that points to the alias domain generated when you add the ZTNA gateway.
Example
  • The TXT record points to your gateway FQDN: https://ztna.mycompany.net/
  • The CNAME record points to the alias domain for the ZTNA gateway: 7c70fcab-9a67-470d-8fe8-e5203b0fce34.1.us-east-2.prod.ztna.access.sophos.com

Private DNS server

The ZTNA gateway must point to a private (internal) DNS server to redirect users to a resource after authentication and authorization.

Alternatively, you can configure the internal FQDN/IP of the resource directly when you add it to ZTNA in Sophos Central.