The DNS caching service can also be configured to deliver only information about the authoritative name servers for a queried zone (a stub zone). The zone data at this server must be obtained from another DNS server, the default primary DNS, that hosts the zone. A secondary stub zone requires a minimal zone transfer to obtain the NS entries; without these entries, the zone will not forward. This matters if TCP port 53 or the zone transfer itself is blocked between the firewall and the primary DNS server.
Step 1. Configure DNS Settings
- Go to CONFIGURATION > Configuration Tree > Box > Administrative Settings.
- In the left menu, click DNS Settings.
- From the Configuration Mode menu, select Switch to Advanced View.
- Click Lock.
- Enter the Box DNS Domain that the CloudGen Firewall belongs to.
- In case there are entries in the DNS Server IP table, delete all entries.
- From the DNS Query Rotation list, select no.
Step 2. Configure the Caching DNS Service
Configure the Caching DNS Service for Queries of Forward Zones
- In the left menu, click Caching DNS Service.
- From the Run Forwarding/Caching DNS list, select yes.
- From the Run DNS Forwarder list, select yes.
- From the Query Source Address list, select which IP address to use as source address when querying the DNS or primary DNS servers. You can select one of the following options:
  - Wildcard (default) – IP selection is accounted for dynamically according to definitions in the routing table.
  - VIP (managed firewalls only) – Uses the firewall's VIP IP address.
  - MIP – Uses the system's management IP address, which is the Main Box IP.
  - Other – Select this check box to explicitly specify an IPv4 or IPv6 address.
- In the DNS Query ACL table, add the single IPv4 / IPv6 addresses or netmasks that can access the DNS service via an app redirect access rule.
- If necessary, enable Log DNS Queries to log every DNS query.
- In the DNS Forwarding table:
  - Click + and enter the Name of the domain the forward zone belongs to.
  - Click OK. The DNS Forwarding configuration window opens.
  - In the DNS Forwarder IP field, enter the IP address of the DNS server(s) that the DNS service queries for the domain.
  - Click OK.
- Click Send Changes and Activate.
Configure the Caching DNS Service for Queries of Forwarding Stub Zones
- In the left menu, click Caching DNS Service.
- From the Run Forwarding/Caching DNS list, select yes.
- From the Run Secondary DNS list, select yes.
- From the Query Source Address list, select which IP address to use as source address when querying the DNS or primary DNS servers. You can select one of the following options:
  - Wildcard (default) – IP selection is accounted for dynamically according to definitions in the routing table.
  - VIP (managed firewalls only) – Uses the firewall's VIP IP address.
  - MIP – Uses the system's management IP address, which is the Main Box IP.
  - Other – Select this check box to explicitly specify an IPv4 or IPv6 address.
- In the DNS Query ACL table, add the single IPv4 / IPv6 addresses or netmasks that can access the DNS service via an app redirect access rule.
- If necessary, enable Log DNS Queries to log every DNS query.
- Click + to add all Default Primary DNS servers to the table.
- Click + to add a DNS Secondary Zone entry to serve as the stub zone:
  - The DNS Secondary Zone window opens. Enter a name for the stub zone.
  - Click OK.
  - From the Active Zone list, select yes.
  - From the Zone Type list, select Forward Lookup.
  - From the Replication Mode list, select QueryForward.
  - Click OK.
- Click Send Changes and Activate.
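After activating the configuration, a practitioner will want to confirm two things the introduction warns about: that the stub zone actually learned the NS entries from the default primary DNS, and that TCP port 53 to that primary is not blocked (a blocked zone transfer leaves the stub zone without NS records, so it will not forward). The script below is an added example using only the Python standard library; it is not Barracuda code and nothing in it is taken from the CloudGen Firewall product. It builds a raw DNS NS query, sends it to the firewall's caching DNS service, parses the NS records out of the answer and authority sections, and separately tests a TCP connect to port 53 on the primary. The addresses `RESOLVER`, `PRIMARY` and the zone name `example.test` are placeholders you replace with your own values.

```python
"""Stub-zone sanity check (added example, not part of the CloudGen Firewall product)."""
import random
import socket
import struct

RESOLVER = "198.51.100.1"   # placeholder: IP of the firewall's caching DNS service
PRIMARY = "203.0.113.53"    # placeholder: IP of the default primary DNS hosting the zone
ZONE = "example.test"       # placeholder: name of the stub zone


def encode_name(name: str) -> bytes:
    """Encode a domain name in DNS wire format (length-prefixed labels, zero terminator)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_ns_query(zone: str, txid: int) -> bytes:
    """Build a standard recursive query for the NS records of `zone` (QTYPE=2, QCLASS=IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    return header + encode_name(zone) + struct.pack("!HH", 2, 1)


def read_name(msg: bytes, offset: int):
    """Decode a (possibly compressed) name at `offset`; return (name, offset after the name)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", end


def parse_ns_answer(msg: bytes, txid: int):
    """Return (rcode, [NS names]) from a response; NS records may sit in answer or authority."""
    rid, flags, qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch: response does not belong to our query")
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qd):                      # skip the echoed question section
        _, offset = read_name(msg, offset)
        offset += 4                          # QTYPE + QCLASS
    servers = []
    for _ in range(an + ns):
        _, offset = read_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 2:                       # NS record: RDATA is a name
            nsname, _ = read_name(msg, offset)
            servers.append(nsname)
        offset += rdlen
    return rcode, servers


def query_ns(resolver: str, zone: str, timeout: float = 3.0):
    """Send the NS query over UDP/53 to the caching DNS service and parse the reply."""
    txid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_ns_query(zone, txid), (resolver, 53))
        data, _ = sock.recvfrom(4096)
    return parse_ns_answer(data, txid)


def tcp53_reachable(host: str, timeout: float = 3.0) -> bool:
    """Zone transfers to the stub zone need TCP/53 to the primary; test a plain connect."""
    try:
        with socket.create_connection((host, 53), timeout=timeout):
            return True
    except OSError:
        return False


def stub_zone_verdict(servers, tcp_ok: bool) -> str:
    """Turn the two observations into the diagnosis the introduction describes."""
    if servers:
        return "ok: stub zone holds NS records " + ", ".join(servers)
    if not tcp_ok:
        return "no NS records and TCP/53 to the primary is blocked: zone transfer cannot succeed"
    return "no NS records although TCP/53 is open: check the Default Primary DNS entry and zone name"


if __name__ == "__main__":
    rcode, servers = query_ns(RESOLVER, ZONE)
    print(f"rcode={rcode} ns={servers}")
    print(stub_zone_verdict(servers, tcp53_reachable(PRIMARY)))
```

Run it from a host whose address is listed in the DNS Query ACL, since the caching DNS service only answers clients matched by that table and the app redirect access rule. The wire-format helpers are kept separate from the socket calls so the parsing can be exercised on a captured response without any network access.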