DNS Proxy Settings

Click Add and configure the firewall to act as a DNS proxy. You can configure a maximum of 256 DNS proxies on a firewall.
DNS Proxy Settings
Configured In
DNS Proxy
Select to enable this DNS proxy.
Specify a name to identify the DNS proxy object (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Specify the virtual system to which the DNS proxy object applies:
  • Shared: Proxy applies to all virtual systems. If you choose Shared, the Server Profile field is not available. Instead, enter the Primary and Secondary DNS server IP addresses or address objects.
  • Select a virtual system to use this DNS proxy; you must configure a virtual system first. Select DeviceVirtual Systems, select a virtual system, and select a DNS Proxy.
Inheritance Source
(Shared location only)
Select a source from which to inherit default DNS server settings. This is commonly used in branch office deployments where the firewall's WAN interface is addressed by DHCP or PPPoE.
Check inheritance source status
(Shared location only)
Select to see the server settings that are currently assigned to the DHCP client and PPPoE client interfaces. These may include DNS, WINS, NTP, POP3, SMTP, or DNS suffix.
(Shared location only)
Specify the IP addresses of the default primary and secondary DNS servers to which this firewall (as DNS proxy) sends DNS queries. If the primary DNS server cannot be found, the firewall uses the secondary DNS server.
Server Profile
(Virtual System location only)
Select or create a new DNS server profile. This field does not appear if the Location of virtual systems was specified as Shared.
Add an interface to function as a DNS proxy. You can add multiple interfaces. To remove the DNS proxy from an interface, select and Delete it.
An interface is not required if the DNS Proxy is used only for service route functionality. Use a destination service route with a DNS proxy with no interface if you want the destination service route to set the source IP address. Otherwise, the DNS proxy selects an interface IP address to use as a source (when no DNS service routes are set).
DNS ProxyDNS Proxy Rules
A name is required so that an entry can be referenced and modified via the CLI.
Turn on caching of domains resolved by this mapping
Select to enable caching of domains that are resolved by this mapping.
Domain Name
Add one or more domain names to which the firewall compares incoming FQDNs. If the FQDN matches one of the domains in the rule, the firewall forwards the query to the Primary/Secondary DNS server specified for this proxy. To delete a domain name from the rule, select it and click Delete.
DNS Server Profile
(Shared location only)
Select or add a DNS server profile to define DNS settings for the virtual system, including the primary and secondary DNS server to which the firewall sends domain name queries.
(Virtual System location only)
Enter the hostname or IP address of the primary and secondary DNS servers to which the firewall sends matching domain name queries.
DNS ProxyStatic Entries
Enter a name for the static entry.
Enter the Fully Qualified Domain Name (FQDN) to map to the static IP addresses defined in the Address field.
Add one or more IP addresses that map to this domain. The firewall includes all of these addresses in its DNS response, and the client chooses which IP address to use. To delete an address, select the address and click Delete.
TCP Queries
DNS ProxyAdvanced
Select to enable DNS queries using TCP. Specify the maximum number of concurrent pending TCP DNS requests (Max Pending Requests) that the firewall will support (range is 64-256; default is 64).
UDP Queries Retries
Specify settings for UDP query retries:
  • Interval—Time, in seconds, after which the DNS proxy sends another request if it hasn’t received a response (range is 1-30; default is 2).
  • Attempts—Maximum number of attempts (excluding the first attempt) after which the DNSP tries the next DNS server (range is 1-30; default is 5).
Select to enable the firewall to cache DNS entries (enabled by default) and specify the following:
  • Enable TTL—Limit the length of time the firewall caches DNS entries for the proxy object. TTL is disabled by default. Then enter Time to Live (sec)—the number of seconds after which all cached entries for the proxy object are removed and new DNS requests must be resolved and cached again. Range is 60-86,400. There is no default TTL; entries remain until the firewall runs out of cache memory.
  • Cache EDNS Responses—Select Cache Extension Mechanisms for DNS (EDNS) Responses if you want the firewall to cache partial DNS responses that are greater than 512 bytes. If a subsequent FQDN for the cached entry arrives, the firewall sends the partial DNS response.
Don’t select this if you want to send DNS responses greater than 512 bytes.

Related Documentation