You are here: Webhelp 5.5R7 > Network > DNS

DNS

DNS, the abbreviation for Domain Name System, is a naming system for computers and network services organized as a domain hierarchy. DNS is designed for TCP/IP networks to look up Internet domain names (e.g., www.xxxx.com) and translate them into IP addresses (e.g., 10.1.1.1) so that the related computers and services can be located.

The security device's DNS provides the following functions:

  • Server: Configures DNS servers and default domain names for the security device.
  • Proxy: As a DNS proxy, the device filters DNS requests according to the DNS proxy rules set by the user, and the system forwards the qualifying DNS requests to the designated DNS server.

  • Analysis: Sets the retry times and timeout for the device's DNS service.

  • Cache: Caching DNS mappings speeds up queries. You can create, edit and delete DNS mappings.

  • NBT Cache: Displays NBT cache information.

Configuring a DNS Server

You can configure a DNS server so that the system can perform DNS resolution. To create a DNS server, take the following steps:

  1. Select Network > DNS > DNS Server.
  2. Click New in the DNS Server section.
  3. In the DNS Server Configuration dialog, type the IP address for the DNS server into the Server IP box.

  4. Select a VRouter from the VR drop-down list. The default VRouter is trust-vr.

  5. Click OK.

Configuring a DNS Proxy

The DNS proxy function takes effect through DNS proxy rules. A proxy rule generally consists of two parts: a filtering condition and an action. You set the filtering condition by specifying the traffic's ingress interface, source address, destination address, and domain name. The action of a DNS proxy rule is one of proxy, bypass and block. When the action is proxy, you also need to configure the DNS proxy servers, so that DNS requests meeting the filtering condition are resolved by those servers.
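The following is an added example (not StoneOS code) that models how a DNS proxy rule set is evaluated: rules are checked in list order, the first rule whose ingress interface, source, destination and domain conditions all match decides the action, and for the proxy action a server is chosen in the order the DNS Server option describes (preferred server first, then round robin among servers with an egress interface, then round robin among regular servers). The rule set, interface names and addresses are constructed for illustration, and the assumption that a domain condition also matches its subdomains is the example's own.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class DnsServer:
    ip: str
    vrouter: str = "trust-vr"                 # default VRouter named on the page
    egress_interface: Optional[str] = None    # set when an egress interface is configured
    preferred: bool = False


@dataclass
class ProxyRule:
    name: str
    action: str                               # "proxy", "bypass" or "block"
    ingress: list = field(default_factory=lambda: ["any"])   # interface names
    src: list = field(default_factory=lambda: ["any"])       # CIDR strings or "any"
    dst: list = field(default_factory=lambda: ["any"])
    domains: list = field(default_factory=lambda: ["any"])
    servers: list = field(default_factory=list)              # DnsServer objects, up to six


def _addr_match(conds, ip):
    addr = ipaddress.ip_address(ip)
    for c in conds:
        if c == "any":
            return True
        net = ipaddress.ip_network(c, strict=False)
        if addr.version == net.version and addr in net:
            return True
    return False


def _domain_match(conds, qname):
    # Assumption: a domain condition matches the name itself and its subdomains.
    q = qname.rstrip(".").lower()
    for c in conds:
        c = c.rstrip(".").lower()
        if c == "any" or q == c or q.endswith("." + c):
            return True
    return False


def match_rule(rules, ingress, src_ip, dst_ip, qname):
    """Return the first rule (in list order) whose conditions all match, else None."""
    for r in rules:
        if (("any" in r.ingress or ingress in r.ingress)
                and _addr_match(r.src, src_ip)
                and _addr_match(r.dst, dst_ip)
                and _domain_match(r.domains, qname)):
            return r
    return None


def select_server(servers, rr_state):
    """Server choice for the proxy action: a preferred server wins; otherwise
    round robin among servers with an egress interface; otherwise round robin
    among the remaining (regular) servers. rr_state keeps the round-robin index."""
    if not servers:
        return None
    preferred = [s for s in servers if s.preferred]
    if preferred:
        return preferred[0]
    with_egress = [s for s in servers if s.egress_interface]
    pool, key = (with_egress, "egress") if with_egress else (servers, "regular")
    idx = rr_state.get(key, 0) % len(pool)
    rr_state[key] = idx + 1
    return pool[idx]


def decide(rules, ingress, src_ip, dst_ip, qname, rr_state):
    """Evaluate one DNS request. Returns (action, server_ip); server_ip is set
    only for the proxy action. rr_state is a dict keyed by rule name."""
    rule = match_rule(rules, ingress, src_ip, dst_ip, qname)
    if rule is None:
        return ("no-match", None)
    if rule.action != "proxy":
        return (rule.action, None)
    server = select_server(rule.servers, rr_state.setdefault(rule.name, {}))
    return ("proxy", server.ip if server else None)


# Constructed sample rule set, listed in priority order (rule position matters).
RULES = [
    ProxyRule("corp-names", "proxy",
              ingress=["ethernet0/1"], src=["10.1.1.0/24"], domains=["corp.example"],
              servers=[DnsServer("10.1.1.53", egress_interface="ethernet0/2"),
                       DnsServer("10.1.1.54", egress_interface="ethernet0/2"),
                       DnsServer("10.1.1.55")]),
    ProxyRule("drop-legacy", "block", domains=["legacy.example"]),
    ProxyRule("default", "bypass"),
]

if __name__ == "__main__":
    state = {}
    for q in [("ethernet0/1", "10.1.1.20", "203.0.113.53", "mail.corp.example"),
              ("ethernet0/1", "10.1.1.20", "203.0.113.53", "mail.corp.example"),
              ("ethernet0/1", "10.1.1.20", "203.0.113.53", "host.legacy.example"),
              ("ethernet0/3", "10.1.1.20", "203.0.113.53", "mail.corp.example")]:
        print(q[3], "via", q[0], "->", decide(RULES, *q, state))
```

Because the two servers with an egress interface hide the regular server 10.1.1.55 entirely, a rule that should fail over to a regular server needs a preferred flag or server tracking rather than relying on this selection order.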

Configuring a DNS Proxy Rule

To create a DNS proxy rule, take the following steps:

  1. Select Network > DNS > DNS Proxy.
  2. Click New in the DNS Proxy section.

  3. In the <DNS Proxy Rule Configuration> dialog, configure the following settings.

    Option Description

    Description: Adds a description for the rule.

    Type: Specifies the type of the DNS proxy rule, IPv4 or IPv6.

    Ingress Interface: Specifies the ingress interface of the DNS request as a filtering condition. Multiple interfaces can be specified.

    Source Address: Specifies the source address of the DNS request as a filtering condition. Multiple source address conditions can be specified. Select the address entry type and then type the address. Click Add to add the selected entry to the pane.

    1. Select an address type from the Address drop-down list.
    2. Select or type the source addresses based on the selected type.
    3. Click to add the addresses to the right pane.
    4. After adding the desired addresses, click the blank area in this dialog box to complete the source address configuration.

    You can also perform other operations:

    • When selecting the Address Book type, you can click Add to create a new address entry.
    • When selecting the IPv4 type, the default address configuration is any. To restore this default, select the any check box.
    • When selecting the IPv6 type, the default address configuration is IPv6-any. To restore this default, select the IPv6-any check box.

    Destination Address: Specifies the destination address of the DNS request as a filtering condition. Multiple destination address conditions can be specified. Select the address entry type and then type the address. Click Add to add the selected entry to the pane.

    1. Select an address type from the Address drop-down list.
    2. Select or type the destination addresses based on the selected type.
    3. Click to add the addresses to the right pane.
    4. After adding the desired addresses, click the blank area in this dialog box to complete the destination address configuration.

    You can also perform other operations:

    • When selecting the Address Book type, you can click Add to create a new address entry.
    • When selecting the IPv4 type, the default address configuration is any. To restore this default, select the any check box.
    • When selecting the IPv6 type, the default address configuration is IPv6-any. To restore this default, select the IPv6-any check box.

    Domain: Specifies the domain name of the DNS request as a filtering condition. Multiple domain name conditions can be specified. Select the domain entry type and then type the domain. Click Add to add the selected entry to the pane.

    1. Select a domain entry type from the Domain drop-down list.
    2. Select or type the domain name.
    3. Click to add the domain to the right pane.
    4. After adding the desired domains, click the blank area in this dialog box to complete the domain configuration.

    You can also perform other operations:

    • When selecting the Host Book type, you can click Add to create a new host book entry.
    • The default domain configuration is any. To restore this default, select the any check box.

    Action: Specifies the action of the DNS proxy rule. For a DNS request that meets the filtering conditions, the system can proxy, bypass or block the traffic.

    DNS Proxy Failed: Specifies the action taken when the DNS proxy fails. The system can block the DNS request, or bypass it and forward it to the DNS server originally requested by the message.

    DNS Server: Specifies the DNS proxy servers. When the action of the proxy rule is proxy, you need to configure the DNS proxy servers. You can specify up to six DNS servers, and you can configure the egress interface and preferred properties for each server as needed. When multiple DNS servers are configured, the server with the preferred property is selected for domain name resolution. If no preferred server is specified, the system checks whether any servers have an egress interface specified; if so, those servers are selected in round robin. If neither kind is present, that is, only regular DNS servers are configured, the system selects among the regular servers in round robin.

    At the bottom of the DNS server list, click the "+" button, and a table entry will be added. Enter the IP address (IPv4 or IPv6) of the server and other parameters, such as the virtual router.

    DNS64: When the device receives a DNS query from an IPv6 client host, it uses DNS64 to resolve the AAAA record (IPv6 address) for the query. If the resolution succeeds, the IPv6 address is returned directly to the client. If it fails, DNS64 resolves the A record (IPv4 address) instead, synthesizes it into an AAAA record (IPv6 address), and returns that to the client.

    Select the Enable check box to enable the DNS64 function. By default, the DNS64 function is disabled.

    DNS64 Server: The DNS64 server is used to resolve the A record (IPv4 address) for the DNS query. Each IPv6 DNS proxy rule can specify up to 6 DNS64 servers.

    DNS64 Prefix: Specifies the DNS64 prefix and prefix length. The DNS64 prefix is used to synthesize the A record (IPv4 address) into an AAAA record (IPv6 address). The synthesized IPv6 address is of the form "DNS64 prefix + IPv4 address". By default, the DNS64 prefix is 64:ff9b::/96.

    At the bottom of the DNS64 server list, click the "+" button, and a table entry will be added. Enter the IPv4 address of the server and other parameters, such as the virtual router.

  4. Click OK.
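The DNS64 behaviour of the rule (AAAA first, then an A record synthesized under the DNS64 prefix) as an added example; this is not StoneOS code. The zone table is a constructed stand-in for what the DNS64 servers would return, and the example only handles /96 prefixes, which is the documented default form "DNS64 prefix + IPv4 address".

```python
import ipaddress

# Constructed sample records standing in for answers from the DNS64 servers.
ZONE = {
    ("dual.example", "AAAA"): ["2001:db8::10"],
    ("dual.example", "A"): ["192.0.2.10"],
    ("v4only.example", "A"): ["198.51.100.7"],
}


def lookup(qname, rtype):
    """Simulated upstream lookup; a real deployment sends the query to a server."""
    return ZONE.get((qname.rstrip(".").lower(), rtype), [])


def synthesize_aaaa(ipv4, prefix="64:ff9b::/96"):
    """Embed an IPv4 address in a /96 DNS64 prefix: the prefix supplies the
    upper 96 bits, the IPv4 address the lower 32 bits."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 96:
        raise ValueError("this example only handles /96 DNS64 prefixes")
    embedded = int(net.network_address) + int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address(embedded))


def resolve_for_ipv6_client(qname, dns64_enabled=True, prefix="64:ff9b::/96"):
    """Answer an IPv6 client: native AAAA records win; with DNS64 enabled, an
    A-only name gets synthesized AAAA records; otherwise the answer is empty."""
    aaaa = lookup(qname, "AAAA")
    if aaaa:
        return aaaa
    if not dns64_enabled:
        return []
    return [synthesize_aaaa(a, prefix) for a in lookup(qname, "A")]


if __name__ == "__main__":
    for name in ("dual.example", "v4only.example", "missing.example"):
        print(name, "->", resolve_for_ipv6_client(name))
```

A synthesized address such as 64:ff9b::c633:6407 is only reachable if a NAT64 path for the same prefix exists, so the prefix configured here must match the translator's.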

Enabling/Disabling a DNS Proxy Rule

A DNS proxy rule is enabled by default. To disable or enable a rule, take the following steps:

  1. Select Network > DNS > DNS Proxy.
  2. Select the rule that you want to enable/disable.
  3. Click Enable or Disable to enable or disable the rule.

Adjusting DNS Proxy Rule Position

To adjust the rule position, take the following steps:

  1. Select Network > DNS > DNS Proxy.

  2. Select the check box of the rule whose position will be adjusted.

  3. Click Priority.
  4. In the pop-up menu, type the rule ID or name, and click Before ID, After ID, Before Name or After Name. The rule is then moved before or after the specified ID or name.

DNS Proxy Global Configuration

To set the DNS proxy global configuration, take the following steps:

  1. Select Network > DNS > DNS Proxy.
  2. Click DNS Proxy Global Configuration in the DNS Proxy section.

  3. In the <DNS Proxy Global Configuration> dialog, configure the following settings.

    Option Description

    TTL: Enables and specifies the TTL for the DNS proxy's response packets. If DNS proxy requests are not answered within the TTL, the DNS client clears all DNS records. The value range is 30 to 600 seconds. The default value is 60.

    Server Track: Enables DNS proxy server tracking and configures the tracking interval. The system periodically probes the DNS proxy servers at the specified interval. When a server cannot be reached, its IP address is removed from the DNS resolution list until the link is restored. By default, DNS proxy server tracking is enabled.

    UDP Checksum: Select the check box to enable or disable calculation of the UDP checksum for DNS proxy packets. The system calculates the UDP checksum when DNS proxy is enabled on interfaces. If you need to improve device performance, you can disable this function.

  4. Click OK.

Configuring an Analysis

Analysis configuration includes DNS requests' retry times and timeout.

  • Retry: If there is no response from the DNS server after the timeout, system will send the request again; if there is still no response from the DNS server after the specified retry times (i.e. the number of times to repeat the DNS request), system will send the request to the next DNS server.

  • Timeout: System will wait for the DNS server's response after sending the DNS request and will send the request again if no response returns after a specified time. The period of waiting for a response is known as timeout.
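As an added example (not StoneOS code), the retry and timeout behaviour described above can be simulated to see how long a resolver waits before giving up. The example assumes that "retry times" counts re-sends after the first attempt, so each server is tried retry + 1 times before the next server is used; server addresses and the response pattern are constructed.

```python
def resolve_with_retries(servers, retry, timeout, responds):
    """Walk the ordered server list as the Analysis settings describe.

    servers:  DNS server IPs in the order they are tried
    retry:    number of re-sends per server after the first attempt (assumption)
    timeout:  seconds to wait for an answer before re-sending
    responds: responds(server, attempt) -> bool, simulating whether an answer
              arrives for that attempt (attempt numbering starts at 1)

    Returns (answering_server or None, seconds spent waiting, attempt log).
    """
    waited = 0
    log = []
    for server in servers:
        for attempt in range(1, retry + 2):
            log.append((server, attempt))
            if responds(server, attempt):
                return server, waited, log
            waited += timeout          # no answer before the timeout: re-send or move on
    return None, waited, log


def worst_case_wait(servers, retry, timeout):
    """Total delay when no server ever answers: every attempt times out."""
    return len(servers) * (retry + 1) * timeout


if __name__ == "__main__":
    # Constructed scenario: the first server is silent, the second answers on
    # its second attempt.
    def pattern(server, attempt):
        return server == "10.1.1.54" and attempt >= 2

    print(resolve_with_retries(["10.1.1.53", "10.1.1.54"], 2, 5, pattern))
    print("worst case:", worst_case_wait(["10.1.1.53", "10.1.1.54"], 2, 5), "s")
```

The worst-case figure is what a client sees when every configured server is unreachable, which is why a generous retry count on a long server list turns a DNS outage into multi-minute application stalls.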

To configure the retry times and timeout for DNS requests, take the following steps:

  1. Select Network > DNS > Analysis.
  2. Select the retry times radio button.
  3. Select the timeout values radio button.
  4. Click Apply.

Configuring a DNS Cache

When using DNS, system might store the DNS mappings to its cache to speed up the query. There are three ways to obtain DNS mappings:

  • Dynamic: Obtains from DNS response.

  • Static: Adds DNS mappings to cache manually.

  • Register: DNS hosts specified by some modules of security devices, such as NTP, AAA, etc.

For convenient management, the DNS static cache supports groups: multiple domain hosts that share the same IP address and virtual router form one DNS static cache group.

To add a static DNS mapping to cache, take the following steps:

  1. Select Network > DNS > Cache.
  2. Click New.

    Option Description

    Hostname: Specifies the hostnames of the DNS cache group. You can click to add or click the button to delete the specified hostname. The maximum number of domain hosts is 128, and the maximum length of each hostname is 255 characters.

    IP: Specifies the host IPv4 addresses of the DNS cache group. You can click to add or click the button to delete the specified IP. The maximum number of host IP addresses is 8, and the IP configured earlier is matched first.

    Virtual Router: Select a VRouter.
  3. Click OK.


  • Only DNS static cache groups support the new, edit and delete operations; dynamic and register cache entries do not.
  • The DNS dynamic cache can be deleted by command or by a lifetime reset. For detailed information, refer to the StoneOS CLI User Guide, available for download as a PDF on the website.
  • The register cache can be cleared only by deleting the defined hosts in the corresponding function module.
  • The DNS static cache takes precedence over the dynamic and register caches, which means a static entry overrides an existing dynamic or register entry for the same host.
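The lookup order and group limits described in this section, as an added example that is not StoneOS code: static cache groups take precedence over dynamic and register entries, a group's IPs are matched in the order they were configured, entries are scoped to a virtual router, and the 128-hostname, 8-IP and 255-character limits are enforced when a group is created. Hostnames, addresses and the VRouter name "untrust-vr" used in the usage are constructed; lowercasing of names reflects DNS case-insensitivity and is the example's own choice.

```python
from dataclasses import dataclass

MAX_HOSTS, MAX_IPS, MAX_NAME_LEN = 128, 8, 255   # limits stated in the Cache section


def _norm(name):
    return name.rstrip(".").lower()                # DNS names are case-insensitive


@dataclass
class StaticGroup:
    """A DNS static cache group: hostnames sharing one IP list and one VRouter."""
    hostnames: list
    ips: list
    vrouter: str = "trust-vr"

    def __post_init__(self):
        if not 1 <= len(self.hostnames) <= MAX_HOSTS:
            raise ValueError(f"a group holds 1 to {MAX_HOSTS} hostnames")
        if not 1 <= len(self.ips) <= MAX_IPS:
            raise ValueError(f"a group holds 1 to {MAX_IPS} IP addresses")
        if any(len(h) > MAX_NAME_LEN for h in self.hostnames):
            raise ValueError(f"hostname longer than {MAX_NAME_LEN} characters")
        self.hostnames = [_norm(h) for h in self.hostnames]


class DnsCache:
    def __init__(self):
        self.groups = []      # static groups, managed by the user
        self.learned = {}     # (vrouter, host) -> (source, ips) for dynamic/register entries

    def add_static_group(self, group):
        self.groups.append(group)

    def learn(self, vrouter, host, ips, source="dynamic"):
        """Record a mapping obtained from a DNS response (dynamic) or supplied
        by a module such as NTP or AAA (register)."""
        if source not in ("dynamic", "register"):
            raise ValueError("source must be 'dynamic' or 'register'")
        self.learned[(vrouter, _norm(host))] = (source, list(ips))

    def lookup(self, vrouter, host):
        """Static groups are consulted first and override learned entries;
        the returned IP list keeps configuration order, earliest first."""
        h = _norm(host)
        for g in self.groups:
            if g.vrouter == vrouter and h in g.hostnames:
                return ("static", list(g.ips))
        return self.learned.get((vrouter, h))

    def first_ip(self, vrouter, host):
        """The address that is matched first for a host, or None if unknown."""
        hit = self.lookup(vrouter, host)
        return hit[1][0] if hit else None


if __name__ == "__main__":
    cache = DnsCache()
    cache.add_static_group(StaticGroup(["ntp1.corp.example", "ntp2.corp.example"],
                                       ["10.1.1.100", "10.1.1.101"]))
    cache.learn("trust-vr", "ntp1.corp.example", ["203.0.113.9"])          # dynamic answer
    cache.learn("trust-vr", "aaa.corp.example", ["10.1.1.7"], "register")  # from a module
    print(cache.lookup("trust-vr", "NTP1.corp.example"))   # static wins over dynamic
    print(cache.first_ip("trust-vr", "ntp2.corp.example"))
    print(cache.lookup("untrust-vr", "ntp1.corp.example"))  # different VRouter: no entry
```

Because a static entry silently overrides whatever the dynamic cache learned, auditing the static groups is the first step when a host resolves to an unexpected address on the device.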

NBT Cache

The system supports NetBIOS name resolution. With this function enabled, the system automatically obtains all NetBIOS host names registered by hosts within the managed network and stores them in the cache, providing an IP-address-to-NetBIOS-host-name query service for other modules.

Enabling a NetBIOS name resolver is a prerequisite for displaying host names in NAT logs. For more information on how to display host names in NAT logs, see Log Configuration.

To enable NetBIOS for a zone, select the NBT cache check box when creating or editing the zone. For more details, see Security Zone. The security zone with NetBIOS enabled should not be the zone that is connected to WAN. After NetBIOS is enabled, the query process might last for a while, and the query result will be added to the NetBIOS cache table. System will perform the query again periodically and update the result.

Only when PCs have NetBIOS enabled can their host names be queried. For more information on how to enable NetBIOS, see the detailed instructions of your PC's Operating System.

To clear NBT cache, take the following steps:

  1. Select Network > DNS > NBT Cache.
  2. Select a VRouter from the VR drop-down list to display the NBT cache in that VRouter.
  3. Select an NBT cache entry from the list and click Delete.