5.5. DNS Configuration

This section describes how to configure the DNS and DNS proxy services.

In order to work correctly, UserGate must be able to resolve domain names into IP addresses. Specify valid IP addresses of DNS servers in the System DNS servers setting.

The DNS proxy service enables user DNS requests to be intercepted and modified according to the administrator's needs. This service works both in the explicit mode and for intercepting transit requests. For the explicit mode, DNS access must be allowed in the relevant zone. For intercepting transit requests in this zone, DNS proxy settings need to be configured.

These are the DNS proxy settings:

DNS caching: Enables or disables DNS response caching. It is recommended to leave this enabled to speed up client service.

DNS Filtering: Enables or disables DNS request filtering. When DNS filtering is enabled, the NGFW intercepts and checks requests, then forwards them onward from its own IP address. If a request matches a deny content filtering rule, it is blocked. For the filtering to work, you need to purchase a license for the ATP module.

Recursive DNS queries: Enables or disables recursive DNS queries from the server. It is recommended to leave this enabled.

Max TTL for DNS records (sec): Sets the maximum possible time to live (TTL) for DNS records.

Limit DNS requests per second for user: Sets a limit on the number of DNS requests per second for each user. Requests in excess of this limit are rejected. The default value is 100 requests per second. Large values are not recommended for this parameter, because DNS flood (DNS DoS) attacks are a fairly common cause of DNS servers denying service.

Only A and AAAA DNS records for unknown users (prohibit VPN over DNS): When this protection is enabled, UserGate responds to unknown users only if they request A or AAAA records. This effectively blocks attempts to establish a VPN over the DNS protocol.

You can use DNS proxy rules to specify the DNS servers to which requests for certain domains should be forwarded. This option can be useful when your company uses a local domain that is permanently disconnected from the Internet and used for company-internal needs, such as an Active Directory domain.

To create a DNS proxy rule, follow these steps:

Step 1. Create a new rule. Click Add and provide a Name and an optional Description.

Step 2. Specify a domain list. List the domains that need forwarding, e.g., localdomain.local. The "*" wildcard can be used to specify a domain pattern.

Step 3. Specify the DNS servers. List the IP addresses of the DNS servers to which requests for the above domains should be forwarded.

You can also use the DNS proxy to define static host-type records, i.e. A records. To define a static record, follow these steps:

Step 1. Add a new record. Click Add and provide a Name and an optional Description.

Step 2. Specify an FQDN. Enter the Fully Qualified Domain Name (FQDN) of the static record, such as www.example.com.

Step 3. Specify the IP addresses. List the IP addresses that the UserGate server will return when this FQDN is requested.
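As an added example (not part of the UserGate documentation or product code), the following Python model evaluates a single query against the settings and rules described above: the per-user request limit, the A/AAAA-only restriction for unknown users, static A records, and domain forwarding rules. All addresses and domains are constructed sample values; the suffix-match semantics of a plain rule domain and the fixed one-second rate window are assumptions, since the page does not specify them.

```python
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed sample configuration (documentation IP ranges, not real servers).
STATIC_RECORDS = {"www.example.com": ["203.0.113.10"]}     # static A records
FORWARD_RULES = [("localdomain.local", ["198.51.100.5"])]   # DNS proxy rules
SYSTEM_DNS = ["192.0.2.53"]                                 # system DNS servers
RATE_LIMIT = 100                  # requests per second per user (page default)
A_AAAA_ONLY_FOR_UNKNOWN = True    # "prohibit VPN over DNS" protection

_seen = defaultdict(int)          # (user, second) -> requests seen in that second

def rule_matches(qname, pattern):
    """Assumed rule semantics: a plain domain matches itself and all of its
    subdomains; a pattern containing '*' is matched as a wildcard."""
    pattern = pattern.lower()
    if "*" in pattern:
        return fnmatchcase(qname, pattern)
    return qname == pattern or qname.endswith("." + pattern)

def decide(user, qname, qtype, second, known_user=True):
    """Return ('block', reason), ('answer', ips) or ('forward', servers).
    `second` is the wall-clock second the query arrived in; a fixed window
    is an assumption, the product's exact limiter is not described."""
    qname = qname.rstrip(".").lower()
    # 1. Per-user rate limit: the 101st request within one second is rejected.
    _seen[(user, second)] += 1
    if _seen[(user, second)] > RATE_LIMIT:
        return ("block", "rate limit exceeded")
    # 2. Unknown (unauthenticated) users only get A/AAAA answers, which
    #    limits the record types available to a tunnel over DNS.
    if A_AAAA_ONLY_FOR_UNKNOWN and not known_user and qtype not in ("A", "AAAA"):
        return ("block", "non-A/AAAA query from unknown user")
    # 3. Static records are answered by the proxy itself.
    if qtype == "A" and qname in STATIC_RECORDS:
        return ("answer", STATIC_RECORDS[qname])
    # 4. Proxy rules send matching domains to the configured servers.
    for pattern, servers in FORWARD_RULES:
        if rule_matches(qname, pattern):
            return ("forward", servers)
    # 5. Everything else goes to the system DNS servers.
    return ("forward", SYSTEM_DNS)
```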