DNS Server Configuration Using DNS Settings
Use the DNS option to configure DNS server information. Before the security device can use DNS for domain name/address resolution, you must configure the address for the primary DNS server that the device should use.
Configuring DNS Settings
Specify the IP addresses for a Primary DNS server, Secondary DNS server, Tertiary DNS Server, Static Host, and specify refresh interval. You can configure the device to refresh all the entries in its DNS table by checking them with a specified DNS server at a specific time of day at regularly scheduled intervals. Alternatively, you can select Never Refresh to ensure that the device does not update its DNS table.
The device automatically attempts to refresh its DNS table after an HA failover occurs.
For more detailed explanation about configuring DNS on security devices, see the “Fundamentals” volume in the Concepts & Examples ScreenOS Reference Guide.
Configuring DNS Proxy
Use a DNS proxy to enable split DNS queries. The proxy selectively redirects the DNS queries to specific DNS servers according to partial or complete domain names. This is useful when VPN tunnels or PPPoE virtual links provide multiple network connectivity, and it is necessary to direct some DNS queries to one network, and other queries to another network.
You can configure DNS proxy for the root device in a vsys, but not for the individual vsys devices.
You can use DNS proxies to make domain lookups more efficient. For example, to reduce load on the corporate server, you can route DNS queries meant for the corporate domain to the corporate DNS server, while routing other DNS queries to the ISP DNS server. You can also use DNS proxy to transmit selected DNS queries through a tunnel interface, preventing malicious users from learning about internal network configuration.
To use a DNS proxy, perform the following:
Select DNS proxy on the device in the DNS Setting screen.
The Proxy screen is displayed.
Select DNS Proxy Instances in the DNS Proxy screen.
Select Enable in the DNS Proxy screen and set the following options:
To configure a DNS proxy to use a default DNS server, set the domain name as the asterisk character (*) for the default DNS proxy, and then select the “failover” option for all nondefault DNS proxies.