Configure a DNS Proxy Object

If your firewall is to act as a DNS proxy, perform this task to configure a DNS Proxy Object. The proxy object can either be shared among all virtual systems or applied to a specific virtual system.
When the firewall is enabled to act as a DNS proxy, evasion signatures that detected crafted HTTP or TLS requests can alert to instances where a client connects to a domain other than the domains specified in the original DNS query. As a best practice, Enable Evasion Signatures after configuring DNS proxy to trigger an alert if crafted requests are detected.
  1. Configure the basic settings for a DNS Proxy object.
    1. Select NetworkDNS Proxy and Add a new object.
    2. Verify that Enable is selected.
    3. Enter a Name for the object.
    4. For Location, select the virtual system to which the object applies. If you select Shared, you must specify at least a Primary DNS server address, and optionally a Secondary address.
    5. If you selected a virtual system, for Server Profile, select a DNS Server profile or else click DNS Server Profile to configure a new profile. See Configure a DNS Server Profile.
    6. For Inheritance Source, select a source from which to inherit default DNS server settings. The default is None.
    7. For Interface, click Add and specify the interfaces to which the DNS Proxy object applies.
      • If you use the DNS Proxy object for performing DNS lookups, an interface is required. The firewall will listen for DNS requests on this interface, and then proxy them.
      • If you use the DNS Proxy object for a service route, the interface is optional.
  2. (Optional) Specify DNS Proxy rules.
    1. On the DNS Proxy Rules tab, Add a Name for the rule.
    2. Turn on caching of domains resolved by this mapping if you want the firewall to cache the resolved domains.
    3. For Domain Name, Add one or more domains, one entry per row, to which the firewall compares FQDN queries. If a query matches one of the domains in the rule, the query is sent to one of the following servers to be resolved (depending on what you configured in the prior step):
      • The Primary or Secondary DNS Server directly specified for this proxy object.
      • The Primary or Secondary DNS Server specified in the DNS Server profile for this proxy object.
      DNS Proxy Rule and FQDN Matching describes how the firewall matches domain names in an FQDN to a DNS proxy rule. If no match is found, default DNS servers resolve the query.
    4. Do one of the following, depending on what you set the Location to:
      • If you chose a virtual system, select a DNS Server profile.
      • If you chose Shared, enter a Primary and optionally a Secondary address.
    5. Click OK.
  3. (Optional) Supply the DNS Proxy with static FQDN-to-address entries. Static DNS entries allow the firewall to resolve the FQDN to an IP address without sending a query to the DNS server.
    1. On the Static Entries tab, Add a Name.
    2. Enter the Fully Qualified Domain Name (FQDN).
    3. For Address, Add the IP address to which the FQDN should be mapped.
      You can provide additional IP addresses for an entry. The firewall will provide all of the IP addresses in its DNS response and the client chooses which address to use.
    4. Click OK.
  4. (Optional) Enable caching and configure other advanced settings for the DNS Proxy.
    1. On the Advanced tab, select TCP Queries to enable DNS queries using TCP.
      • Max Pending Requests—Enter the maximum number of concurrent, pending TCP DNS requests that the firewall will support (range is 64-256; default is 64).
    2. For UDP Queries Retries, enter:
      • Interval (sec)—The length of time (in seconds) after which another request is sent if no response has been received (range is 1-30; default is 2).
      • Attempts—The maximum number of UDP query attempts (excluding the first attempt) after which the next DNS server is queried (range is 1-30; default is 5.)
    3. Select Cache to enable the firewall to cache FQDN-to-address mappings that it learns.
      • Select Enable TTL to limit the length of time the firewall caches DNS resolution entries for the proxy object. Disabled by default.
        • Enter Time to Live (sec), the number of seconds after which all cached entries for the proxy object are removed. After the entries are removed, new DNS requests must be resolved and cached again. Range is 60-86,400. There is no default TTL; entries remain until the firewall runs out of cache memory.
      • Cache EDNS Responses—Select this if you want the firewall to cache partial DNS responses that are greater than 512 bytes. If a subsequent FQDN for a cached entry arrives, the firewall sends the partial DNS response. If you want full DNS responses (greater than 512 bytes), don’t select this option.
  5. Commit your changes.
    Click OK and Commit.

Related Documentation