DNS Proxy Settings

Click Add and configure the firewall to act as a DNS proxy. You can configure a maximum of 256 DNS proxies on a firewall.

The settings below are grouped by the tab on which they are configured (Configured In), followed by a description of each setting.

Configured in: DNS Proxy

Enable
  Select to enable this DNS proxy.

Name
  Specify a name to identify the DNS proxy object (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Location
  Specify the virtual system to which the DNS proxy object applies:
  • Shared: Proxy applies to all virtual systems. If you choose Shared, the Server Profile field is not available. Instead, enter the Primary and Secondary DNS server IP addresses or address objects.
  • Select a virtual system to use this DNS proxy; you must configure a virtual system first. Select Device > Virtual Systems, select a virtual system, and select a DNS Proxy.

Inheritance Source (Shared location only)
  Select a source from which to inherit default DNS server settings. This is commonly used in branch office deployments where the firewall's WAN interface is addressed by DHCP or PPPoE.

Check inheritance source status (Shared location only)
  Select to see the server settings that are currently assigned to the DHCP client and PPPoE client interfaces. These may include DNS, WINS, NTP, POP3, SMTP, or DNS suffix.

Primary/Secondary (Shared location only)
  Specify the IP addresses of the default primary and secondary DNS servers to which this firewall (as DNS proxy) sends DNS queries. If the primary DNS server cannot be found, the firewall uses the secondary DNS server.

Server Profile (Virtual System location only)
  Select or create a new DNS server profile. This field does not appear if the Location was specified as Shared.

Interface
  Add an interface to function as a DNS proxy. You can add multiple interfaces. To remove the DNS proxy from an interface, select the interface and Delete it.
  An interface is not required if the DNS proxy is used only for service route functionality. Use a destination service route with a DNS proxy that has no interface if you want the destination service route to set the source IP address. Otherwise (when no DNS service routes are set), the DNS proxy selects an interface IP address to use as the source.

Configured in: DNS Proxy > DNS Proxy Rules

Name
  A name is required so that an entry can be referenced and modified via the CLI.

Turn on caching of domains resolved by this mapping
  Select to enable caching of domains that are resolved by this mapping.

Domain Name
  Add one or more domain names to which the firewall compares incoming FQDNs. If the FQDN matches one of the domains in the rule, the firewall forwards the query to the Primary/Secondary DNS server specified for this proxy. To delete a domain name from the rule, select it and click Delete.

DNS Server Profile (Shared location only)
  Select or add a DNS server profile to define DNS settings for the virtual system, including the primary and secondary DNS server to which the firewall sends domain name queries.

Primary/Secondary (Virtual System location only)
  Enter the hostname or IP address of the primary and secondary DNS servers to which the firewall sends matching domain name queries.

Configured in: DNS Proxy > Static Entries

Name
  Enter a name for the static entry.

FQDN
  Enter the Fully Qualified Domain Name (FQDN) to map to the static IP addresses defined in the Address field.

Address
  Add one or more IP addresses that map to this domain. The firewall includes all of these addresses in its DNS response, and the client chooses which IP address to use. To delete an address, select the address and click Delete.

Configured in: DNS Proxy > Advanced

TCP Queries
  Select to enable DNS queries using TCP. Specify the maximum number of concurrent pending TCP DNS requests (Max Pending Requests) that the firewall will support (range is 64 to 256; default is 64).

UDP Queries Retries
  Specify settings for UDP query retries:
  • Interval—Time, in seconds, after which the DNS proxy sends another request if it hasn't received a response (range is 1 to 30; default is 2).
  • Attempts—Maximum number of attempts (excluding the first attempt) after which the DNS proxy tries the next DNS server (range is 1 to 30; default is 5).

Cache
  You must have Cache enabled (enabled by default) if this DNS proxy object is used for queries that the firewall generates (that is, under Device > Setup > Services > DNS, or under Device > Virtual Systems when you select a virtual system and then General > DNS Proxy). Then specify the following:
  • Enable TTL—Limit the length of time the firewall caches DNS entries for the proxy object. TTL is disabled by default. Then enter Time to Live (sec): the number of seconds after which all cached entries for the proxy object are removed and new DNS requests must be resolved and cached again. Range is 60 to 86,400. There is no default TTL; entries remain until the firewall runs out of cache memory.
  • Cache EDNS Responses—You must enable Cache Extension Mechanisms for DNS (EDNS) Responses if this DNS proxy object is used for queries that the firewall generates. The firewall must be able to cache DNS responses in order for the queries for FQDN address objects to succeed.
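As an added illustration (not Palo Alto Networks code), the following Python model applies the lookup order and UDP retry behaviour described above: a static entry answers with all of its addresses, a matching DNS Proxy Rule forwards to that rule's servers, anything else goes to the default Primary/Secondary, and an unanswered UDP query is re-sent every Interval seconds for Attempts retries before the next server is tried. The page does not state match semantics, so the assumptions that static entries are checked first, that a rule domain matches the FQDN itself or any subdomain, and that the longest matching rule wins are mine; the sample configuration and addresses are constructed.

```python
"""Model of the DNS proxy lookup order and UDP retry schedule described above.
Added example, not Palo Alto Networks code. Assumptions not on the page: static
entries are checked before rules, a rule domain matches the FQDN itself or any
subdomain of it, and the longest matching rule domain wins."""
from dataclasses import dataclass, field


@dataclass
class DnsProxy:
    primary: str                                  # default Primary DNS server
    secondary: str                                # default Secondary DNS server
    rules: dict = field(default_factory=dict)     # rule domain -> (primary, secondary)
    static: dict = field(default_factory=dict)    # FQDN -> list of addresses
    udp_interval: int = 2                         # Interval in seconds (default 2)
    udp_attempts: int = 5                         # retries after the first send (default 5)

    def resolve_target(self, fqdn):
        """Return ("static", [addresses]) or ("forward", (primary, secondary))."""
        name = fqdn.rstrip(".").lower()
        if name in self.static:
            # All addresses go into the response; the client chooses one.
            return "static", list(self.static[name])
        best = None
        for domain, servers in self.rules.items():
            d = domain.lower().rstrip(".")
            if name == d or name.endswith("." + d):
                if best is None or len(d) > len(best[0]):
                    best = (d, servers)
        if best is not None:
            return "forward", best[1]
        return "forward", (self.primary, self.secondary)

    def udp_send_schedule(self, servers):
        """(seconds, server) for each UDP send when nothing answers: the first
        send plus udp_attempts retries per server, then on to the next server."""
        schedule, t = [], 0
        for server in servers:
            for _ in range(self.udp_attempts + 1):
                schedule.append((t, server))
                t += self.udp_interval
        return schedule


def example_proxy():
    """Constructed sample configuration (RFC 5737 documentation addresses)."""
    return DnsProxy(
        primary="192.0.2.53", secondary="192.0.2.54",
        rules={"corp.example": ("198.51.100.10", "198.51.100.11")},
        static={"intranet.corp.example": ["203.0.113.20", "203.0.113.21"]},
    )
```

With the default Interval and Attempts, a query to an unreachable primary is sent six times over 10 seconds before the secondary receives its first send at 12 seconds.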