DNS Server

From Edge Threat Management Wiki - Arista
Revision as of 16:39, 3 May 2022 by Græmer (talk | contribs) (→‎DNS Server)

The DNS Server settings configure the DNS server running on the NG Firewall server. These settings do NOT affect any DNS traffic passing through NG Firewall, only DNS traffic to the NG Firewall server.

It is not required to use the DNS server on NG Firewall; however, it is often desired on small networks because the NG Firewall server will cache DNS for the entire network. If NG Firewall is configured 'as a router', where it provides DHCP to clients on the internal network, the default is to hand out the NG Firewall server as the DNS server.

Static DNS Entries

Static DNS Entries are entries that will always resolve to the address provided. Often this is useful for servers hosted internally. For example, if your mail server is local you can add a static entry for mail.mycompany.com to its internal IP (like 192.168.1.20). This means machines using NG Firewall for DNS will resolve this hostname to the internal IP and communicate with it directly.

Domain DNS Servers

Often certain domains need to be resolved using specific DNS servers instead of the DNS servers configured on the WAN interfaces. For example, you may want all queries for "*.mycompany.local" to go to the local DNS server for resolution. Domain DNS Servers allow you to specify that all queries matching a domain go to the specified server. For example, if all *.example.com queries should go to 192.168.1.20, then you can add an entry for Domain = example.com with Local Server = 192.168.1.20.

In this scenario, the NG Firewall and all clients using the NG Firewall for DNS resolution will have the matching queries resolved through the specified server. For example, if someone using the NG Firewall server for DNS resolves aaa.example.com, this DNS query will be forwarded to 192.168.1.20 instead of NG Firewall's upstream DNS servers configured in the WAN interface settings.

This can also be used to tell NG Firewall how to do reverse DNS lookups, using in-addr.arpa as the domain. For example, if you wish 172.16.*.* reverse DNS queries to go to 192.168.1.10, then set the Domain to "16.172.in-addr.arpa" and the Local Server to "192.168.1.10". If you wish 10.*.*.* reverse DNS queries to go to "1.2.3.4", then set the Domain to "10.in-addr.arpa" and the Local Server to "1.2.3.4".