5.5. Configuring DNS

This section provides settings for the DNS and DNS proxy services.

For proper operation of the product, UserGate must be able to resolve domain names into IP addresses. Specify the IP addresses of valid, reachable DNS servers in the System DNS servers parameter.

The DNS proxy service lets network administrators intercept DNS queries from users and modify them as required.

DNS proxy settings are as follows:

DNS caching: enables or disables caching of DNS responses. It is recommended that you leave this option enabled for better performance.

DNS filtering: enables or disables filtering of DNS queries. This option requires an additional license for the ATP module.

Recursive DNS queries: allows or prohibits the server from performing recursive DNS queries. It is recommended that you leave this option enabled.

Max TTL for DNS records (sec): caps the time-to-live, in seconds, of the DNS records held in the proxy cache; records advertised with a longer TTL are not kept beyond this value.

Limit DNS requests per second for user: sets the maximum number of DNS queries per second accepted from each user. All queries above the limit are discarded. The default value is 100 queries per second. It is not recommended that you set large values for this parameter, since DNS floods (DNS denial-of-service attacks) are among the most common causes of DNS server malfunction.

Only A and AAAA DNS records for unknown users (prohibit VPN over DNS): if enabled, the DNS server answers only A and AAAA queries from unknown (unauthenticated) users and blocks all other record types. Most DNS tunnelling (VPN over DNS) tools carry their downstream payload in TXT, NULL, CNAME, MX or SRV records, so this option blocks them. Tunnels that fall back to A/AAAA answers, or that smuggle data in the query names themselves, are only slowed to a trickle rather than stopped, so combine this option with the per-user query limit above.

Using DNS proxy rules, you can specify the DNS servers to which queries for certain domains are forwarded. This is useful if your company uses an internal local domain, e.g. Active Directory, whose names cannot be resolved by public DNS servers.

To create a new DNS proxy rule, perform the following:

Step 1. Add a new rule: click Add and specify Name and Description (optional).

Step 2. Specify a list of domains: provide the domains whose queries you want to forward, e.g. localdomain.local. You can also use the "*" character as a wildcard to build domain templates, e.g. *.localdomain.local to match every host in that domain.

Step 3. Specify DNS servers: provide the IP addresses of the DNS servers to which queries for the specified domains are forwarded.

In addition, you can define static records of the "host" type (A records) in the DNS proxy. To create a new static record, perform the following:

Step 1. Add a new record: click Add and specify Name and Description (optional).

Step 2. Provide the FQDN: specify the fully qualified domain name (FQDN) of the static record, e.g. www.example.com.

Step 3. Specify IP addresses: provide the list of IP addresses that the UserGate server returns when this FQDN is queried.
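After the proxy is configured, check it from the client side rather than trusting the settings page. The script below is an added example, not UserGate code: it crafts raw DNS queries with the Python standard library only and decodes the response code, record types, TTLs and A/AAAA data. Run from a host that has not authenticated, it shows whether the "Only A and AAAA DNS records for unknown users" option really refuses TXT queries, whether answers respect the "Max TTL for DNS records" cap, and whether a forwarded internal domain and a static host record resolve to what you configured. The proxy address 192.0.2.53, the TTL cap of 3600 seconds and the name dc1.localdomain.local are hypothetical placeholders; substitute your own.

```python
"""Client-side checks for a DNS proxy, standard library only (added example,
not part of UserGate). Crafts raw queries and decodes the response code,
record types, TTLs and A/AAAA data so the record-type restriction, TTL cap,
forwarding rules and static host records can be verified from a client."""
import random
import socket
import struct

QTYPES = {"A": 1, "NS": 2, "CNAME": 5, "NULL": 10, "MX": 15, "TXT": 16, "AAAA": 28}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def build_query(name, qtype, txid=0x1234):
    """Standard recursive query (RD=1) with one question and no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPES[qtype], 1)


def _skip_name(data, off):
    """Offset just past a domain name; a compression pointer (0xC0..) ends it."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_response(data):
    """Decode the header and answer section; A/AAAA rdata is rendered as text."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4          # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            text = socket.inet_ntoa(rdata)
        elif rtype == 28 and rdlen == 16:
            text = socket.inet_ntop(socket.AF_INET6, rdata)
        else:
            text = rdata.hex()
        answers.append({"type": rtype, "ttl": ttl, "data": text})
    return {"id": txid, "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)), "answers": answers}


def ttl_violations(resp, max_ttl):
    """Answer records whose TTL exceeds the cap configured on the proxy."""
    return [a for a in resp["answers"] if a["ttl"] > max_ttl]


def probe(server, name, qtype, timeout=2.0, port=53):
    """Send one UDP query and return the parsed reply. Raises socket.timeout when
    the proxy silently discards the query, e.g. above the per-user rate limit."""
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qtype, txid), (server, port))
        data, _ = sock.recvfrom(4096)
    resp = parse_response(data)
    if resp["id"] != txid:
        raise ValueError("transaction ID mismatch: stray or spoofed reply")
    return resp


if __name__ == "__main__":
    import sys
    # Hypothetical values: proxy address, the 'Max TTL for DNS records' cap,
    # a host in a forwarded internal domain and the static record example.
    server = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.53"
    max_ttl = 3600
    checks = [("www.example.com", "A"), ("www.example.com", "TXT"),
              ("dc1.localdomain.local", "A")]
    for name, qtype in checks:
        try:
            resp = probe(server, name, qtype)
        except socket.timeout:
            print(f"{qtype:5} {name}: no reply (discarded by rate limit or filter)")
            continue
        print(f"{qtype:5} {name}: {resp['rcode']} {[a['data'] for a in resp['answers']]}")
        for a in ttl_violations(resp, max_ttl):
            print(f"      TTL {a['ttl']} exceeds the configured maximum of {max_ttl}")
```

From an unauthenticated client, the expected picture is an answer for the A query, REFUSED (or no reply, depending on how the filter is enforced) for the TXT query, and the configured address for the static or forwarded name. The script speaks plain UDP without EDNS, so a reply larger than 512 bytes arrives truncated; that does not affect these checks but would for large TXT or DNSSEC answers.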