DNS Configuration

This section describes how to configure the DNS and DNS proxy services.

In order to work correctly, NGFW must be able to resolve domain names into IP addresses. Specify valid IP addresses of DNS servers in the System DNS servers setting.

The DNS proxy service enables user DNS requests to be intercepted and modified according to the administrator's needs. This service works both in the explicit mode and for intercepting transit requests. For the explicit mode, DNS access must be allowed in the relevant zone. For intercepting transit requests in this zone, the following DNS proxy settings need to be configured.

These are the DNS proxy settings:

DNS caching
    Enables or disables DNS response caching. It is recommended to leave this enabled to speed up client service.

DNS Filtering
    Enables or disables DNS request filtering.

    When DNS filtering is enabled, NGFW checks and intercepts requests, passing them along from its own IP address. If the request matches a content filtering deny rule, it will be blocked.

    For the filtering to work, you need to purchase a license for the ATP module.

    Important! The DNS filtering and L2 bridge functionality are not compatible in the current version: when DNS filtering is enabled, DNS requests stop passing through the bridge.

Recursive DNS queries
    Enables or disables recursive DNS queries from the server. It is recommended to leave this enabled.

Max TTL for DNS records (sec)
    Sets the maximum possible time to live (TTL) for DNS records.

Limit DNS requests per second for user
    Sets a limit on the number of DNS requests per second for each user. Requests in excess of this limit will be rejected. The default value is 100 requests per second. Large values are not recommended for this parameter, because DNS flood (DNS DoS) attacks are a fairly common reason why DNS servers stop responding.

Only A and AAAA DNS-records for unknown users (prohibit VPN over DNS)
    When this protection is enabled, UserGate will only respond to unknown users if they request A or AAAA records. This effectively blocks attempts to establish a VPN over the DNS protocol.
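The two protective settings above (the per-user request limit and the A/AAAA-only rule for unknown users) are easiest to reason about as a small policy check applied to each query. The following Python is an added illustration written for this page, not UserGate's own code: it parses the question section of a raw DNS query, applies a token-bucket limit of 100 requests per second per user (the documented default), and rejects any query type other than A or AAAA from a user the firewall does not know. The user key, the `known_users` set, the `build_query` helper and the `DnsProxyPolicy` class are all assumptions of this example; how NGFW identifies a user internally is not described here.

```python
import struct
import time

# DNS query types (RFC 1035 / RFC 3596 values)
QTYPE_A = 1
QTYPE_TXT = 16
QTYPE_AAAA = 28


def build_query(qname, qtype, txid=0x1234):
    """Build a minimal single-question DNS query (constructed test input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    name = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    ) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)  # class IN


def parse_question(packet):
    """Return (qname, qtype) from the first question of a DNS query.

    Queries carry an uncompressed name, so a compression pointer in the
    question is treated as malformed input rather than followed.
    """
    if len(packet) < 12:
        raise ValueError("short DNS header")
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        if pos >= len(packet):
            raise ValueError("truncated query name")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in query name")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated question")
    qtype = struct.unpack("!H", packet[pos:pos + 2])[0]
    return ".".join(labels), qtype


class DnsProxyPolicy:
    """Per-user rate limit plus the A/AAAA-only rule for unknown users (example model)."""

    def __init__(self, limit_per_sec=100, known_users=(), a_aaaa_only_for_unknown=True):
        self.limit = limit_per_sec                  # "Limit DNS requests per second for user"
        self.known_users = set(known_users)         # assumed: users the firewall has identified
        self.a_aaaa_only = a_aaaa_only_for_unknown  # "Only A and AAAA DNS-records for unknown users"
        self.buckets = {}                           # user key -> (tokens, last update time)

    def allow(self, user, packet, now=None):
        """Return (allowed, reason) for one query from `user`."""
        now = time.monotonic() if now is None else now
        qname, qtype = parse_question(packet)
        # Token bucket: refills at `limit` tokens per second, holds at most `limit`.
        tokens, last = self.buckets.get(user, (float(self.limit), now))
        tokens = min(float(self.limit), tokens + (now - last) * self.limit)
        if tokens < 1:
            self.buckets[user] = (tokens, now)
            return False, "rate limit exceeded"
        self.buckets[user] = (tokens - 1, now)
        if self.a_aaaa_only and user not in self.known_users and qtype not in (QTYPE_A, QTYPE_AAAA):
            return False, "non-A/AAAA query from unknown user (%s)" % qname
        return True, "ok"


if __name__ == "__main__":
    policy = DnsProxyPolicy(limit_per_sec=100, known_users={"alice"})
    txt = build_query("www.example.com", QTYPE_TXT)
    print("known user, TXT:", policy.allow("alice", txt, now=0.0))
    print("unknown user, TXT:", policy.allow("guest", txt, now=0.0))
```

Note that the bucket is charged before the query-type check, so a flood of rejected TXT queries from an unknown user still counts against that user's limit; a real implementation should decide deliberately whether rejected queries consume budget.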

You can use DNS proxy rules to specify the DNS servers to which requests for certain domains should be forwarded. This option can be useful when your company uses a local domain that is permanently disconnected from the Internet and used for company-internal needs, such as an Active Directory domain.

To create a DNS proxy rule, follow these steps:

Step 1. Add a rule.
    Click Add and provide a Name and an optional Description.

Step 2. Specify a domain list.
    List the domains whose requests need forwarding, e.g., localdomain.local. The "*" wildcard can be used to specify a domain template.

Step 3. Specify DNS servers.
    List the IP addresses of the DNS servers to which requests for the above domains should be forwarded.

You can also use a DNS proxy to define static host-type records, or A records. To define a static record, follow these steps:

Step 1. Add a record.
    Click Add and provide a Name and an optional Description.

Step 2. Specify FQDN.
    Enter the Fully Qualified Domain Name (FQDN) of the static record, such as www.example.com.

Step 3. Specify IP addresses.
    List the IP addresses that NGFW will return when this FQDN is requested.
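To show how the two procedures above fit together (DNS proxy rules that forward selected domains to specific servers, and static A records answered locally), here is an added Python example written for this page, not UserGate's code. It assumes three things the page does not state: that static records are consulted before proxy rules, that rules are evaluated in order with the first match winning, and that a domain entry without "*" covers the domain and its subdomains while an entry containing "*" is a template in which "*" matches any characters. The `DnsProxyRules` class, `route` method and all sample addresses are constructed for the example.

```python
import fnmatch


def domain_matches(pattern, qname):
    """Match a queried name against one domain entry of a DNS proxy rule.

    Assumed semantics: a plain entry ("localdomain.local") covers itself and
    every subdomain; an entry with "*" ("*.lab.example") is a template in
    which "*" matches any run of characters, dots included.
    """
    pattern = pattern.lower().rstrip(".")
    qname = qname.lower().rstrip(".")
    if "*" in pattern:
        return fnmatch.fnmatchcase(qname, pattern)
    return qname == pattern or qname.endswith("." + pattern)


class DnsProxyRules:
    """Example model of proxy rules, static records and the system DNS fallback."""

    def __init__(self, system_dns):
        self.system_dns = list(system_dns)  # the "System DNS servers" setting
        self.static_records = {}            # fqdn -> list of IPs returned as A records
        self.rules = []                     # (rule name, [domain entries], [dns servers])

    def add_static_record(self, fqdn, ips):
        self.static_records[fqdn.lower().rstrip(".")] = list(ips)

    def add_rule(self, name, domains, servers):
        self.rules.append((name, list(domains), list(servers)))

    def route(self, qname):
        """Decide how a query for qname is handled.

        Returns ("static", ips) when a static record answers it directly,
        ("forward", servers, rule_name) when a proxy rule matches, and
        ("system", servers) when it falls through to the system DNS servers.
        Static records are checked first and the first matching rule wins
        (both assumed for this example).
        """
        key = qname.lower().rstrip(".")
        if key in self.static_records:
            return ("static", self.static_records[key])
        for name, domains, servers in self.rules:
            if any(domain_matches(entry, key) for entry in domains):
                return ("forward", servers, name)
        return ("system", self.system_dns)


if __name__ == "__main__":
    # Constructed configuration: one AD-style internal domain, one wildcard
    # template, one static record, and public resolvers as the fallback.
    rules = DnsProxyRules(system_dns=["192.0.2.53"])
    rules.add_static_record("www.example.com", ["198.51.100.10"])
    rules.add_rule("AD domain", ["localdomain.local"], ["10.0.0.1", "10.0.0.2"])
    rules.add_rule("lab", ["*.lab.example"], ["10.0.1.53"])
    for name in ("www.example.com", "dc01.localdomain.local", "host.lab.example", "example.org"):
        print(name, "->", rules.route(name))
```

The `endswith("." + pattern)` check is what keeps a plain entry from matching look-alike names such as notlocaldomain.local; a template with "*" should be written narrowly for the same reason, since "*" here matches across label boundaries.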