Configure DNS server settings

Configure DNS server settings to enable hostname resolution for data traffic on managed devices. This task allows you to set up DNS server groups, trusted DNS services, and interface-specific DNS lookups. These configurations support features such as access control rules, NAT, and application detection.

  • Set up DNS server groups for resolving FQDNs used in data traffic.

  • Configure trusted DNS servers for DNS snooping and application-based PBR.

  • Enable DNS lookups on specific interfaces to control routing behavior.

The Domain Name System (DNS) servers are used to resolve hostnames to IP addresses. Data DNS settings apply to services that use FQDNs, such as access control rules and remote access VPN. Special management traffic uses separate DNS settings configured via CLI commands. This procedure applies only to data DNS servers. For management DNS settings, see the CLI configure network dns servers and configure network dns searchdomains commands.

Managed devices use routing lookups to determine the correct interface for DNS server communications. The system selects the routing table based on the interfaces enabled for DNS. Multiple DNS server groups can be configured to resolve different DNS domains, allowing internal and external DNS resolution as needed.

Trusted DNS servers

You can configure trusted DNS servers for DNS snooping. DNS snooping maps application domains to IP addresses so that the application can be detected on the first packet. You can also include the servers already configured in DNS server groups, DHCP pools, DHCP relay, and DHCP client as trusted DNS servers.

For application-based PBR, configure trusted DNS servers. Ensure DNS traffic passes through Firewall Threat Defense in clear text format (because encrypted DNS is not supported) for domain resolution and application detection.

Before you begin

  • Ensure you have created one or more DNS server groups. For more information, see Creating DNS Server Group Objects.

  • Ensure you have created interface objects to connect to the DNS servers.

  • Ensure that the managed device has appropriate static or dynamic routes to access the DNS servers.

Procedure
Step 1

Choose Devices > Platform Settings and create or edit a Threat Defense policy.

Step 2

Click DNS, and then click the DNS Settings tab.

Step 3

Check Enable DNS name resolution by device.

Step 4

Configure the DNS server groups.

  1. Do any of these actions in the DNS server group list:

    • To add a group, click Add. You cannot add another group once there are 30 filter domains configured within the existing list of server groups.

    • To edit a group, click Edit (edit icon) next to the group.

    • To remove a group, click Delete (delete icon) next to the group. When you remove a group, you do not delete the DNS server group object. You remove it only from this list.

  2. When adding or editing a group, configure the following settings, then click OK:

    • Select DNS Group—Select an existing DNS server group object, or click + to create a new one.

    • Make as default—Select this option to make this group the default group. Any DNS resolution request that does not match the filters for other groups will be resolved using the servers in this group.

    • Filter Domains—For non-default groups only, enter a list of domain names separated by commas, such as example.com,example.net. Do not include spaces.

      The group is used only for DNS resolutions for these domains. You can enter up to 30 separate domains across all groups in this DNS platform settings policy. Each domain name can contain up to 127 characters.

      Note that these filter domains are not related to the default domain name for the group. The filter list can be different from the default domain.
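To make the filter-domain rules of Step 4 concrete, the following added Python model (not code from the product or from this page) validates a policy against the 30-domain and 127-character limits and picks the server group for a query. Longest-suffix matching and the requirement of exactly one default group are assumptions; the server addresses are constructed samples.

```python
from dataclasses import dataclass, field
MAX_FILTER_DOMAINS = 30   # across all groups in one DNS platform settings policy
MAX_DOMAIN_LENGTH = 127   # characters per filter domain

@dataclass
class DnsServerGroup:
    name: str
    servers: list                        # server addresses (constructed samples below)
    filter_domains: list = field(default_factory=list)
    default: bool = False

def parse_filter_domains(text: str) -> list:
    """Parse the Filter Domains field: comma separated, no spaces, <=127 chars each."""
    if not text:
        return []
    if " " in text:
        raise ValueError("Filter Domains must not contain spaces")
    domains = [d.lower().rstrip(".") for d in text.split(",")]
    for d in domains:
        if not d or len(d) > MAX_DOMAIN_LENGTH:
            raise ValueError(f"invalid filter domain: {d!r}")
    return domains

def validate_policy(groups: list) -> int:
    """Policy-wide checks; returns the number of filter domains in use."""
    if sum(1 for g in groups if g.default) != 1:
        raise ValueError("exactly one group must be marked as default")  # assumption
    if any(g.default and g.filter_domains for g in groups):
        raise ValueError("Filter Domains apply to non-default groups only")
    total = sum(len(g.filter_domains) for g in groups)
    if total > MAX_FILTER_DOMAINS:
        raise ValueError(f"{total} filter domains exceed the limit of {MAX_FILTER_DOMAINS}")
    return total

def select_group(groups: list, fqdn: str) -> DnsServerGroup:
    """Group that resolves fqdn: matching filter domain, else the default group.
    Assumption: a filter domain covers itself and its subdomains; longest match wins."""
    name = fqdn.lower().rstrip(".")
    best, best_len = None, -1
    for g in groups:
        for d in g.filter_domains:
            if (name == d or name.endswith("." + d)) and len(d) > best_len:
                best, best_len = g, len(d)
    return best or next(g for g in groups if g.default)

# Constructed sample policy: RFC 1918 / RFC 5737 addresses, not real servers
SAMPLE_GROUPS = [
    DnsServerGroup("internal", ["10.0.0.53"], parse_filter_domains("corp.example.com,example.net")),
    DnsServerGroup("public", ["203.0.113.53"], default=True),
]
```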

Step 5

(Optional) Enter the Expire Entry Timer and Poll Timer values in minutes.

These options apply to FQDNs specified in network objects only and do not apply to FQDNs used in other features.

  • Expire Entry Timer specifies the minimum time-to-live (TTL) value for the DNS entry, in minutes. If the expiration timer is longer than the entry's TTL, the TTL is increased to the expire entry time value. If the TTL is longer than the expiration timer, the expire entry time value is ignored. Upon expiration, the entry is removed from the DNS lookup table, and the device recompiles the table; frequent removals increase the processing load on the device. Some DNS entries have a very short TTL (as short as three seconds); use this setting to effectively extend the TTL. The default is 1 minute. The range is 1 to 65535 minutes.

    For systems running 7.0 or earlier, the expiration time is actually added to the TTL; it does not specify a minimum value.

  • Poll Timer specifies the time limit after which the device queries the DNS server to resolve the FQDN defined in a network object. An FQDN is resolved periodically when either the poll timer has expired or the TTL of the resolved IP entry has expired, whichever occurs first.
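The following added Python model (not code from the product or from this page) works through the timer rules above for both the current and the 7.0-and-earlier behaviour, and shows how the query rate for a short-TTL record changes with the Expire Entry Timer. That the Poll Timer races against the adjusted TTL, and the Poll Timer default value, are assumptions.

```python
from dataclasses import dataclass

EXPIRE_RANGE_MIN = (1, 65535)   # Expire Entry Timer range in minutes, from the page

@dataclass(frozen=True)
class FqdnTimers:
    expire_entry_timer_min: int = 1     # page default: 1 minute
    poll_timer_min: int = 240           # page gives no default; constructed value
    additive_expiry: bool = False       # True models 7.0 and earlier behaviour

    def __post_init__(self):
        lo, hi = EXPIRE_RANGE_MIN
        if not lo <= self.expire_entry_timer_min <= hi:
            raise ValueError(f"Expire Entry Timer must be {lo}..{hi} minutes")
        if self.poll_timer_min < 1:
            raise ValueError("Poll Timer must be at least 1 minute")

def effective_ttl_seconds(record_ttl_s: int, timers: FqdnTimers) -> int:
    """TTL the device keeps the resolved IP for, in seconds.

    7.1 and later: the Expire Entry Timer is a floor (max of the two).
    7.0 and earlier: the timer is added to the record TTL instead.
    """
    expire_s = timers.expire_entry_timer_min * 60
    if timers.additive_expiry:
        return record_ttl_s + expire_s
    return max(record_ttl_s, expire_s)

def next_refresh_seconds(record_ttl_s: int, timers: FqdnTimers) -> int:
    """Seconds until the device re-queries the server for the FQDN: whichever of
    the Poll Timer or the entry's adjusted TTL expires first (assumption)."""
    return min(timers.poll_timer_min * 60, effective_ttl_seconds(record_ttl_s, timers))

def resolutions_per_hour(record_ttl_s: int, timers: FqdnTimers) -> float:
    """Steady-state query rate for one network-object FQDN; shows why a very
    short record TTL drives frequent table rebuilds unless the expiry floor is raised."""
    return 3600 / next_refresh_seconds(record_ttl_s, timers)
```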

Step 6

Enable DNS lookups on all interfaces or on specific interfaces. These choices also affect which routing tables are used.

Enabling DNS lookups on an interface is not the same as specifying the source interface for lookups. The Firewall Threat Defense always uses a route lookup to determine the source interface. Management-only interfaces other than the dedicated Management interface cannot be used.

  • No interfaces selected—This setting enables DNS lookups on all interfaces. The Firewall Threat Defense checks the data routing table only.

  • Specific interfaces selected but not the Enable DNS Lookup via diagnostic/management interface also option—Enables DNS lookups on the specified interfaces. The Firewall Threat Defense checks the data routing table only.

  • Specific interfaces selected plus the Enable DNS Lookup via diagnostic/management interface also option—Enables DNS lookups on the specified interfaces and the Management interface. The Firewall Threat Defense checks the data routing table, and if no route is found, falls back to the management-only routing table.

  • Only the Enable DNS Lookup via diagnostic/management interface also option—Enables DNS lookups on Management. The Firewall Threat Defense checks only the management-only routing table.

Step 7

Configure Trusted DNS servers.

  1. Click the Trusted DNS Servers tab.

  2. By default, the existing DNS servers that are configured in DHCP pool, DHCP relay, DHCP client, or DNS server group are included as trusted DNS servers. If you want to exclude any of them, uncheck the appropriate check boxes.

  3. To add trusted DNS servers, under Specify DNS Servers, click Edit.

  4. In the Select DNS Servers dialog box, either choose a host object as the trusted DNS server or directly specify the IP address of the trusted DNS server:

    1. To choose existing host objects, under Available Host Objects, select the required host object and click Add to include it in Selected DNS Servers. For information on adding host objects, see Creating Network Objects.

    2. To directly provide the IP address (IPv4 or IPv6) of the trusted DNS server, enter the address in the text field and click Add to include it in Selected DNS Servers.

    3. Click Save. The added DNS servers are displayed on the Trusted DNS Servers page.

      Note

      You can configure a maximum of 12 DNS servers per policy.

To search for a DNS server that was added, using either the host name or the IP address, use the search field under Specify DNS Servers.

Step 8

Click Save.
What to do next

To use FQDN objects for access control rules, create an FQDN network object which can then be assigned to an access control rule. For instructions, see Creating Network Objects.