Hi! After adding my pi-hole as DNS-Server in Sophos UTM, I noticed that some domains which are blocked in the webfilter and show up as actually having been blocked in the firewall logs still trigger a DNS request which shows up in the pi-hole logs. Is this behaviour OK, or is something wrong with it? Thanks a lot in advance!
I just started thinking about building my own UTM with Sophos UTM Home as the operating system. I know that this would be overkill, but is there any future-proof advantage to having a UTM connection with 2 X 10GB Ethernet rather than 2 X 1GB Ethernet? Do CAT5/CAT6 patch cables work OK with 10GB Ethernet?
I would say the behaviour is OK. In order to go to a website, you have to resolve the FQDN, which requires a DNS lookup. A web filter does not block the action of resolving a DNS name; that is the job of the sinkhole. The web filter blocks HTTP/HTTPS access to websites based on the policy. If the client is configured to use Pi-hole as the DNS and the site is not blacklisted by Pi-hole but is blocked by web filter policy, then access to the site should be blocked by the UTM. If the client is configured to use Pi-hole as the DNS and the site is blacklisted by Pi-hole and is blocked by web filter policy, then access to the site should be blocked by Pi-hole. If the client is configured to use Pi-hole as the DNS and the site is blacklisted by Pi-hole and is not blocked by web filter policy, then access to the site should be blocked by Pi-hole.
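The cases in the answer above can be checked against the two logs. This is an added example, not part of the original thread: it correlates DNS queries with web filter blocks to show which layer stopped each domain. The log lines are constructed, and their layouts (dnsmasq-style Pi-hole lines, key="value" UTM web filter lines) are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines; both layouts are assumptions, not captured logs.
PIHOLE_LOG = """\
Mar  1 10:00:01 dnsmasq[512]: query[A] ads.example.net from 192.168.1.1
Mar  1 10:00:01 dnsmasq[512]: gravity blocked ads.example.net is 0.0.0.0
Mar  1 10:00:05 dnsmasq[512]: query[A] games.example.org from 192.168.1.1
Mar  1 10:00:05 dnsmasq[512]: forwarded games.example.org to 9.9.9.9
Mar  1 10:00:09 dnsmasq[512]: query[A] www.example.com from 192.168.1.1
Mar  1 10:00:09 dnsmasq[512]: forwarded www.example.com to 9.9.9.9
""".splitlines()

UTM_WEBFILTER_LOG = """\
2024:03:01-10:00:06 utm httpproxy[4100]: name="web request blocked" action="block" srcip="192.168.1.20" url="http://games.example.org/"
2024:03:01-10:00:10 utm httpproxy[4100]: name="http access" action="pass" srcip="192.168.1.20" url="http://www.example.com/"
""".splitlines()

QUERY = re.compile(r"query\[\w+\] (\S+) from ")
SINKHOLED = re.compile(r"gravity blocked (\S+) is ")
FIELD = re.compile(r'(\w+)="([^"]*)"')


def blocking_layer(pihole_lines, utm_lines):
    """Map every domain seen in DNS queries to the layer that stopped it."""
    queried, sinkholed, filtered = set(), set(), set()
    for line in pihole_lines:
        if m := QUERY.search(line):
            queried.add(m.group(1).lower())
        elif m := SINKHOLED.search(line):
            sinkholed.add(m.group(1).lower())
    for line in utm_lines:
        fields = dict(FIELD.findall(line))
        host = urlsplit(fields.get("url", "")).hostname
        if fields.get("action") == "block" and host:
            filtered.add(host.lower())
    result = {}
    for domain in sorted(queried):
        if domain in sinkholed:
            result[domain] = "pi-hole"       # never resolved, so no HTTP request
        elif domain in filtered:
            result[domain] = "web filter"    # resolved first, then blocked
        else:
            result[domain] = "not blocked"
    return result


if __name__ == "__main__":
    for domain, layer in blocking_layer(PIHOLE_LOG, UTM_WEBFILTER_LOG).items():
        print(f"{domain:20} {layer}")
```

A domain reported as "web filter" is the situation from the question: the DNS query is visible in Pi-hole because resolution happens before the HTTP/HTTPS request that the policy blocks.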