Barracuda CloudGen Firewall

How to Configure DNS Interception

The DNS Interception feature intercepts and replaces DNS queries matching the configured patterns. You can also whitelist domains. Whitelisted domains always take precedence over the DNS Interception policies. Subdomains of intercepted domains must be explicitly added. They are not intercepted automatically. You must run a caching DNS server to use DNS interception.

Matching of Domains

Domains can be matched either to allow or to intercept DNS queries (whitelisting vs. blacklisting). If neither whitelist nor blacklist entries are configured, all queries are resolved normally. Because whitelist entries are checked before blacklist entries, a query that matches a whitelist entry is passed even if a contradictory entry exists in the blacklist.

In order to intercept access to domains, two types of domain entries can be matched:

  1. Single domain: Enter a domain name without any preceding characters, e.g., example.com
     Only the domain example.com itself is checked for a match.
  2. Multiple subdomains: Enter the domain with a leading dot (.) as prefix, e.g., .example.com
     All subdomains of example.com are checked for a match, e.g., mail.example.com, www.example.com, ftp.example.com
     The domain example.com itself is not matched by this entry.

DNS Interception Process

The DNS Interception feature handles DNS requests as follows:

  1. A host behind the firewall sends a DNS query to the DNS server.
  2. If the DNS request is for a domain that is whitelisted, the request is forwarded.
  3. If the DNS request is for a domain that is listed in the DNS Interception policy (blacklist), the firewall sends one of the following replies depending on the configured policy:

    • Blackhole (NXDOMAIN reply) – Returns a non-existent domain message (NXDOMAIN) to the client indicating that the requested hostname does not exist.

    • No Data – Returns the information that, although the domain exists, there is no IP (no data) assigned to it.

    • Return Other Domain (CNAME) – Returns the hostname that is specified in the policy settings.

    • Return IP Address – Returns the IP address that is specified in the policy settings.

Examples

In the following example, several (sub-)domains are configured in the whitelist and blacklist. The image illustrates which DNS queries from a client will be answered with valid IP addresses in order to connect to the appropriate site.

[Image: dns_interception.png]

Action | DNS Resolving Request | Note
OK     | www.example.com       | Will be forwarded because the subdomain is whitelisted.
OK     | ftp.example.com       | Will be forwarded because the subdomain is whitelisted.
X      | example.com           | Will be blocked because the domain is blacklisted.
OK     | otherdomain.com       | Will be forwarded because the domain is not listed anywhere.
X      | ftp.otherdomain.com   | Will be blocked because it is blacklisted as part of the entry .otherdomain.com (leading dot).
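The matching rules and the reply process above, as an added Python model that is not Barracuda's code: the action names are the ones on this page, while the case folding, the trailing-dot handling, the entry validation and the sample configuration (which reproduces the table above) are assumptions.

```python
import re

# Assumption (not on the page): names compare case-insensitively and a trailing
# dot (FQDN form) is ignored, as is usual for DNS.
def normalize(name):
    return name.strip().rstrip(".").lower()

_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")

def valid_entry(entry):
    """Reject wildcards/special characters; only plain labels plus an optional
    leading dot (subdomain form) are accepted."""
    name = normalize(entry)
    labels = (name[1:] if name.startswith(".") else name).split(".")
    return all(_LABEL.match(label) for label in labels)

def entry_matches(entry, query):
    """'example.com' matches only example.com; '.example.com' matches every
    subdomain (www.example.com, ...) but not example.com itself."""
    entry, query = normalize(entry), normalize(query)
    return query.endswith(entry) if entry.startswith(".") else query == entry

def answer(query, whitelist, policies):
    """Reply the firewall gives: the whitelist is checked first and always wins,
    then the first matching policy entry decides. policies: dicts with 'domain',
    'action' and, where the action needs it, 'returned_ip'/'returned_domain'."""
    if any(entry_matches(e, query) for e in whitelist):
        return "forward"
    for p in policies:
        if not entry_matches(p["domain"], query):
            continue
        action = p["action"]
        if action == "Blackhole":
            return "NXDOMAIN"
        if action == "No Data":
            return "NODATA"
        if action == "Return Other Domain (CNAME)":
            return "CNAME " + normalize(p["returned_domain"])
        if action == "Return IP Address":
            return "A " + p["returned_ip"]
        raise ValueError("unknown action: " + action)
    return "forward"  # not listed anywhere: resolved normally

# Constructed configuration reproducing the example table above; the returned
# IP is a documentation address (RFC 5737), not a value from the page.
WHITELIST = [".example.com"]
POLICIES = [{"domain": "example.com", "action": "Blackhole"},
            {"domain": ".otherdomain.com", "action": "Return IP Address",
             "returned_ip": "192.0.2.10"}]
```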

Before You Begin

Enable and configure DNS Caching.

Add Domains to the Whitelist

To add a domain to the DNS Interception whitelist:

  1. Go to CONFIGURATION > Configuration Tree > Box > Administrative Settings. 
  2. From the left menu, select DNS Interception.
  3. Click Lock. 
  4. In the DNS Interception Exceptions section, click the plus sign (+).
  5. In the Whitelisted Domains window, enter the Matched Domain to be allowed.
  6. Click OK.
  7. Click Send Changes and Activate.

Add Domains to the DNS Interception Policy

To add a domain to the DNS Interception policy:

  1. Go to CONFIGURATION > Configuration Tree > Box > Administrative Settings.
  2. From the left menu, select DNS Interception.
  3. Click Lock.
  4. In the DNS Interception Policy section, click the plus sign (+).
  5. In the Intercept Domains window, specify the following settings:
    • Matched Domain – Enter the domain to be intercepted. E.g., example.com.
      Wildcards or special characters are not allowed.
    • Action – Select how the intercepted queries are answered. Depending on which action you select, you might also have to specify these settings:
      • Returned IP – If you select the Return IP Address action, enter the IP address that is returned to the user.
      • Returned Domain – If you select the Return Other Domain (CNAME) action, enter the domain that the queries are redirected to. 
  6. Click OK.
  7. Click Send Changes and Activate.