DNS

The Domain Name System (DNS) servers are used to resolve hostnames to IP addresses. There are two DNS server settings that apply to different types of traffic: data and special management traffic. Data traffic includes any services that use FQDNs for which a DNS lookup is necessary, such as access control rules and remote access VPN. Special management traffic includes traffic originating on the Management interface such as configuration and database updates. This procedure only applies to data DNS servers. For management DNS settings, see the CLI configure network dns servers and configure network dns searchdomains commands.

To determine the correct interface for DNS server communications, the managed device uses a routing lookup, but which routing table is used depends on the interfaces for which you enable DNS. See the interface settings below for more information.

You can optionally configure multiple DNS server groups and use them to resolve different DNS domains. For example, you could have a catch-all default group that uses public DNS servers, for use with connections to the Internet. You could then configure a separate group to use internal DNS servers for internal traffic, for example, any connection to a machine in the example.com domain. Thus, connections to an FQDN using your organization’s domain name would be resolved using your internal DNS servers, whereas connections to public servers use external DNS servers. These resolutions are used by any feature that uses data DNS resolution, such as NAT and access control rules.

You can configure trusted DNS services for DNS snooping using the Trusted DNS Servers tab. DNS snooping is used to map application domains to IP addresses so that the application can be detected on the first packet. Apart from configuring trusted DNS servers explicitly, you can also include the servers already configured in DNS server groups, DHCP pools, DHCP relay, and DHCP clients as trusted DNS servers.

Note

For an application-based PBR, you must configure trusted DNS servers. You must also ensure that the DNS traffic passes through threat defense in a clear-text format (encrypted DNS is not supported) so that domains can be resolved to detect applications.

Before you begin

  • Ensure you have created one or more DNS server groups. For more information, see Creating DNS Server Group Objects.

  • Ensure you have created interface objects to connect to the DNS servers.

  • Ensure that the managed device has appropriate static or dynamic routes to access the DNS servers.

Procedure


Step 1

Choose Devices > Platform Settings and create or edit a Threat Defense policy.

Step 2

Click DNS.

Step 3

Click the DNS Settings tab.

Step 4

Check Enable DNS name resolution by device.

Step 5

Configure the DNS server groups.

  1. Do any of the following in the DNS server group list:

    • To add a group to the list, click Add. You cannot add another group once there are 30 filter domains configured within the existing list of server groups.

    • To edit the settings for a group, click Edit (edit icon) next to the group.

    • To remove a group, click Delete (delete icon) next to the group. Removing a group does not delete the DNS server group object; it simply removes it from this list.

  2. When adding or editing a group, configure the following settings, then click OK:

    • Select DNS Group—Select an existing DNS server group object, or click + to create a new one.

    • Make as default—Select this option to make this group the default group. Any DNS resolution request that does not match the filters for other groups will be resolved using the servers in this group.

    • Filter Domains—For non-default groups only, a comma-separated list of domain names, such as example.com,example2.com. Do not include spaces.

      The group will be used for DNS resolutions for these domains only. You can enter a maximum of 30 separate domains across all groups added to this DNS platform settings policy. Each name can be a maximum of 127 characters.

      Note that these filter domains are not related to the default domain name for the group. The filter list can be different from the default domain.
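The following Python model, added here as an illustration and not Cisco code, shows how the group selection described in Step 5 behaves: a lookup for an FQDN is sent to the non-default group whose Filter Domains cover that name, and to the default group otherwise. The page does not state how subdomains are matched or which group wins when several filters overlap, so the suffix match (a filter domain covers the name itself and everything under it) and the most-specific-filter-wins rule are assumptions of this model. Server addresses and group names are constructed sample values.

```python
"""Model of data-DNS server-group selection (Step 5 of the DNS platform settings
procedure). Added example, not Cisco code. Matching rule (exact name or subdomain
suffix, most specific filter wins) is an assumption; limits come from the page."""
from dataclasses import dataclass, field
from typing import Optional

MAX_FILTER_DOMAINS = 30   # across all groups in one DNS platform settings policy
MAX_DOMAIN_LEN = 127      # per filter domain name


@dataclass
class DnsGroup:
    name: str                       # name of the DNS server group object
    servers: list[str]              # constructed sample resolver addresses
    is_default: bool = False
    filter_domains: list[str] = field(default_factory=list)


def parse_filter_domains(text: str) -> list[str]:
    """Parse the comma-separated Filter Domains field; spaces are not allowed."""
    if " " in text:
        raise ValueError("filter domain list must not contain spaces")
    domains = [d.lower().rstrip(".") for d in text.split(",") if d]
    for d in domains:
        if len(d) > MAX_DOMAIN_LEN:
            raise ValueError(f"filter domain longer than {MAX_DOMAIN_LEN} characters: {d}")
    return domains


def validate_policy(groups: list[DnsGroup]) -> None:
    """Enforce the constraints the settings page states."""
    defaults = [g for g in groups if g.is_default]
    if len(defaults) != 1:
        raise ValueError("exactly one group must be marked as default")
    if defaults[0].filter_domains:
        raise ValueError("filter domains apply to non-default groups only")
    total = sum(len(g.filter_domains) for g in groups)
    if total > MAX_FILTER_DOMAINS:
        raise ValueError(f"{total} filter domains exceeds the limit of {MAX_FILTER_DOMAINS}")


def _matches(fqdn: str, domain: str) -> bool:
    # Assumption: a filter domain covers the name itself and all names under it.
    return fqdn == domain or fqdn.endswith("." + domain)


def select_group(groups: list[DnsGroup], fqdn: str) -> DnsGroup:
    """Return the group whose servers resolve fqdn: the most specific matching
    filter domain wins; with no match, the default group is used."""
    fqdn = fqdn.lower().rstrip(".")
    best: Optional[DnsGroup] = None
    best_len = -1
    for g in groups:
        for d in g.filter_domains:
            if _matches(fqdn, d) and len(d) > best_len:
                best, best_len = g, len(d)
    if best is not None:
        return best
    return next(g for g in groups if g.is_default)


# Constructed sample policy: public resolvers by default, internal resolvers for
# the organisation's own domains. Addresses are documentation placeholders.
POLICY = [
    DnsGroup("public-dns", ["203.0.113.53"], is_default=True),
    DnsGroup("internal-dns", ["10.0.0.53"],
             filter_domains=parse_filter_domains("example.com,example2.com")),
    DnsGroup("lab-dns", ["10.9.0.53"],
             filter_domains=parse_filter_domains("lab.example.com")),
]
validate_policy(POLICY)

if __name__ == "__main__":
    for name in ("www.example.com", "host.lab.example.com", "www.cisco.com"):
        print(name, "->", select_group(POLICY, name).name)
```

Note that a name such as notexample.com does not match the example.com filter in this model, because the match requires either the exact name or a label boundary; a plain string-suffix test would wrongly route it to the internal resolvers.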

Step 6

(Optional) Enter the Expire Entry Timer and Poll Timer values in minutes.

These options apply to FQDNs that are specified in network objects only. These do not apply to FQDNs used in other features.

  • Expire Entry Timer specifies the minimum time-to-live (TTL) for the DNS entry, in minutes. If the expiration timer is longer than the entry's TTL, the TTL is increased to the expire entry time value. If the TTL is longer than the expiration timer, the expire entry time value is ignored: no additional time is added to the TTL in this case. Upon expiration, the entry is removed from the DNS lookup table. Removing an entry requires that the table be recompiled, so frequent removals can increase the processing load on the device. Because some DNS entries can have very short TTLs (as short as three seconds), you can use this setting to virtually extend the TTL. The default is 1 minute (that is, the minimum TTL for all resolutions is 1 minute). The range is 1 to 65535 minutes.

    Note that for systems running 7.0 or earlier, the expiration time is actually added to the TTL: it does not specify a minimum value.

  • Poll Timer specifies the time limit after which the device queries the DNS server to resolve the FQDN that was defined in a network object. An FQDN is resolved periodically either when the poll timer has expired, or when the TTL of the resolved IP entry has expired, whichever occurs first.
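The timer semantics in Step 6 are easy to misread, so the following Python model, added here and not part of Cisco's documentation or code, carries the two rules through with numbers: on 7.1 and later the Expire Entry Timer is a floor on the TTL, on 7.0 and earlier it is added to the TTL, and the next re-resolution happens at the earlier of the Poll Timer and the entry's effective TTL. It also counts how many table recompiles per hour a short-TTL record would cause with and without the floor. The Poll Timer value used in the sample is an assumption; the page gives no default for it.

```python
"""Model of the Expire Entry Timer and Poll Timer behaviour for FQDN network
objects (Step 6). Added example, not Cisco code. Settings are in minutes as on
the settings page; internal arithmetic is in seconds."""
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsTimers:
    expire_entry_minutes: int = 1    # page: default 1, range 1-65535
    poll_minutes: int = 240          # assumed sample value; no default on the page

    def __post_init__(self) -> None:
        if not 1 <= self.expire_entry_minutes <= 65535:
            raise ValueError("Expire Entry Timer must be 1 to 65535 minutes")
        if self.poll_minutes < 1:
            raise ValueError("Poll Timer must be at least 1 minute")


def effective_ttl(record_ttl: int, timers: DnsTimers,
                  version_7_0_or_earlier: bool = False) -> int:
    """Seconds the device keeps the resolved entry.

    7.1 and later: the expire entry time is a minimum; a longer record TTL is
    kept unchanged. 7.0 and earlier: the expire entry time is added to the TTL.
    """
    expire_secs = timers.expire_entry_minutes * 60
    if version_7_0_or_earlier:
        return record_ttl + expire_secs
    return max(record_ttl, expire_secs)


def next_refresh(record_ttl: int, timers: DnsTimers,
                 version_7_0_or_earlier: bool = False) -> int:
    """Seconds until the FQDN is re-resolved: poll timer expiry or entry TTL
    expiry, whichever occurs first."""
    return min(timers.poll_minutes * 60,
               effective_ttl(record_ttl, timers, version_7_0_or_earlier))


def expirations_per_hour(ttl_seconds: int) -> int:
    """How often an entry with this TTL expires (and the lookup table is
    recompiled) in one hour, assuming steady re-resolution."""
    return 3600 // max(ttl_seconds, 1)


if __name__ == "__main__":
    timers = DnsTimers()                      # default 1-minute floor
    short, long_ = 3, 3600                    # constructed record TTLs in seconds
    print("TTL 3 s, 7.1+:", effective_ttl(short, timers))
    print("TTL 3 s, 7.0 or earlier:", effective_ttl(short, timers, True))
    print("TTL 3600 s, 7.1+:", effective_ttl(long_, timers))
    print("next refresh, TTL 86400 s:", next_refresh(86400, timers))
    print("recompiles/hour raw vs floored:",
          expirations_per_hour(short), expirations_per_hour(effective_ttl(short, timers)))
```

With the default 1-minute floor, a record advertising a 3-second TTL is re-resolved at most once a minute (60 table recompiles per hour) instead of 1200 times; on 7.0 and earlier the same setting yields a 63-second entry because the minute is added rather than applied as a minimum.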

Step 7

Enable DNS lookups on all interfaces or on specific interfaces. These choices also affect which routing tables are used.

Note that enabling DNS lookups on an interface is not the same as specifying the source interface for lookups. The threat defense always uses a route lookup to determine the source interface. Management-only interfaces other than the dedicated Management interface cannot be used.

  • No interfaces selected—Enables DNS lookups on all interfaces. The threat defense checks the data routing table only.

  • Specific interfaces selected but not the Enable DNS Lookup via diagnostic/management interface also option—Enables DNS lookups on the specified interfaces. The threat defense checks the data routing table only.

  • Specific interfaces selected plus the Enable DNS Lookup via diagnostic/management interface also option—Enables DNS lookups on the specified interfaces and the Management interface. The threat defense checks the data routing table, and if no route is found, falls back to the management-only routing table.

  • Only the Enable DNS Lookup via diagnostic/management interface also option—Enables DNS lookups on Management. The threat defense checks only the management-only routing table.

Step 8

To configure the trusted DNS servers, click the Trusted DNS Servers tab.

Step 9

By default, the existing DNS servers that are configured in DHCP pool, DHCP relay, DHCP client, or DNS server group are included as trusted DNS servers. If you want to exclude any of them, uncheck the appropriate check boxes.

Step 10

To add trusted DNS servers, under Specify DNS Servers, click Edit.

Step 11

In the Select DNS Servers dialog box, either choose a host object as the trusted DNS server or directly specify the IP address of the trusted DNS server:

  1. To choose existing host objects, under Available Host Objects, select the required host object and click Add to include it in Selected DNS Servers. For information on adding host objects, see Creating Network Objects.

  2. To directly provide the IP address (IPv4 or IPv6) of the trusted DNS server, enter the address in the text field provided, and click Add to include it in Selected DNS Servers.

  3. Click Save. The added DNS servers are displayed in the Trusted DNS Servers page.

Note

You can configure a maximum of 12 DNS servers per policy.

Step 12

(Optional) To search for an added DNS server by host name or IP address, use the search field under Specify DNS Servers.

Step 13

Click Save.


What to do next

To use FQDN objects in access control rules, create an FQDN network object, which can then be assigned to an access control rule. For instructions, see Creating Network Objects.