DNS Proxy

This example shows how to configure the DNS proxy function. By configuring flexible DNS proxy rules, users from different segments are assigned to different DNS servers for domain name resolution.

Scenario

A secondary ISP rents bandwidth from Telecom, Netcom and other ISPs and resells it to different users for Internet access. The Telecom and Netcom ISPs each run their own DNS servers, so the secondary ISP wants to use a DNS proxy device to direct users on different network segments to the DNS servers of the corresponding ISP for domain name resolution.

This example simulates the egress scenario of the secondary ISP above with the following configuration. Interface eth0/1 (IP: 101.0.0.1) of the device connects to the Telecom leased line and eth0/2 (IP: 201.1.1.1) connects to the Netcom leased line, both for Internet access. On the public network, the Telecom DNS server is DNS1: 102.1.1.1 and the Netcom DNS server is DNS2: 202.1.1.1. Interfaces eth0/3 and eth0/4 connect to the intranet user groups. The administrator has the following requirements:

  1. DNS requests from user group 1 (network segment 192.168.10.1/28) are all proxied to DNS1 for domain name resolution;
  2. DNS requests from user group 2 (network segment 172.168.10.1/24) are all proxied to DNS2 for domain name resolution;
  3. DNS requests from the intranet server (172.168.10.88) are not restricted and are bypassed directly.

Preparation

The basic interface and route configuration has been completed, and users can access the Internet normally.

Configuration Steps

Step 1: Configure a DNS proxy rule that proxies DNS requests of user group 1 to DNS1 for domain name resolution.

Log in to the WebUI, select Network > DNS > DNS Proxy, and click New.

  • Ingress Interface: ethernet0/3
  • Source Address: Configure a new address book entry 192.168.10.1/28
  • Destination Address: Any
  • Domain: any
  • Action: Proxy
  • DNS Proxy Failed: Block
  • DNS Server:

    • IP Address: 102.1.1.1
    • Virtual Router: trust-vr
    • Egress Interface: ethernet0/1

Step 2: Configure another DNS proxy rule that proxies all DNS requests of user group 2 to DNS2 for domain name resolution.

Continue by configuring another rule. Select Network > DNS > DNS Proxy, and click New.

  • Ingress Interface: ethernet0/4
  • Source Address: Configure a new address book entry 172.168.10.1/24
  • Destination Address: Any
  • Domain: any
  • Action: Proxy
  • DNS Proxy Failed: Block
  • DNS Server:

    • IP Address: 202.1.1.1
    • Virtual Router: trust-vr
    • Egress Interface: ethernet0/2

Step 3: Configure one more DNS proxy rule that releases DNS requests from the intranet server (172.168.10.88) directly.

Continue by configuring one more rule. Select Network > DNS > DNS Proxy, and click New.

  • Ingress Interface: ethernet0/4
  • Source Address: Configure a new address book entry 172.168.10.88/32
  • Destination Address: Any
  • Domain: any
  • Action: Bypass

(Optional) Instead of creating a new address rule, the following method can also be used to bypass the DNS requests from the intranet server. Select Object > Address Book, select the "172.168.10.1/24" item, and click Edit to add the IP address of the intranet server as an Exclude Member.

  • Exclude Member: 172.168.10.88

Step 4: Adjust the priority of the DNS proxy rules.

After the above steps, you will have three DNS proxy rules. Because DNS proxy rules are matched from top to bottom, the rule that releases the intranet server must be placed above the other two; otherwise the server's requests would already match the user group 2 rule (172.168.10.1/24 on ethernet0/4) and be proxied. To reorder, select the corresponding rule item and click Priority.

Step 5: Results

After configuration, capture packets on the eth0/1 and eth0/2 interfaces. The results are as follows:

  • Users on the 192.168.10.1/28 network segment (user group 1) can still access the Internet normally, and their DNS requests are sent through the device to the Telecom DNS1 server for domain name resolution.
  • Users on the 172.168.10.1/24 network segment (user group 2) can still access the Internet normally, and their DNS requests are sent to the Netcom DNS2 server for domain name resolution.
  • DNS requests from the internal server 172.168.10.88 are not proxied by the device; they are resolved by the DNS server configured on the server itself.

Q&A

  • Q: In what order and manner are multiple DNS proxy rules matched?
    A: The device checks the DNS proxy rules in turn from top to bottom. Within each rule, the match succeeds only if all of its matching conditions are met.
  • Q: When multiple DNS servers are configured in one DNS proxy rule, which takes priority, the preferred property or the bound egress interface property?
    A: When you configure multiple DNS servers, the DNS server with the preferred property is selected for domain name resolution. If no preferred server is specified, the system then checks whether any DNS server has a specified egress interface.
  • Q: Can DNS proxy be applied to specific domain names?
    A: Yes. When creating a new rule, configure a specific domain name in the "Domain Name" option, then configure the proxy action and the corresponding DNS server.
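The rule-ordering point of Step 4 and the first Q&A above (top-to-bottom evaluation, first rule whose conditions all match wins) can be checked offline with a small model of the rule table. The following Python is an added example written for this page; it is not the device's code and does not reproduce the WebUI. It assumes that a query matching no rule is forwarded unchanged (an assumption, since the page does not state the default), that the Domain condition is a suffix match, and that the first server listed in a proxy rule is the one used. The three rules are the ones configured in Steps 1 to 3, with the interface names and addresses from the page.

```python
"""Model of first-match DNS proxy rule evaluation (added example, not the device's own code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class DnsServer:
    ip: str
    egress_interface: str
    virtual_router: str = "trust-vr"


@dataclass
class DnsProxyRule:
    name: str
    ingress_interface: str          # interface name or "any"
    source: str                     # address-book entry in CIDR form
    action: str                     # "proxy" or "bypass"
    domain: str = "any"             # "any" or a domain suffix (suffix match is an assumption)
    exclude_members: List[str] = field(default_factory=list)  # hosts carved out of the address book
    servers: List[DnsServer] = field(default_factory=list)

    def matches(self, ingress: str, src_ip: str, qname: str) -> bool:
        """A rule matches only when every one of its conditions holds."""
        if self.ingress_interface not in ("any", ingress):
            return False
        addr = ip_address(src_ip)
        if addr not in ip_network(self.source, strict=False):
            return False
        if any(addr == ip_address(x) for x in self.exclude_members):
            return False  # Exclude Member removes the host from the address book
        if self.domain != "any" and not qname.lower().rstrip(".").endswith(self.domain.lower()):
            return False
        return True


def evaluate(rules: List[DnsProxyRule], ingress: str, src_ip: str,
             qname: str) -> Tuple[str, str, Optional[str]]:
    """Walk the rule table top to bottom; the first full match decides.

    Returns (rule name, action, DNS server IP or None). A query that matches
    no rule is returned as ("<none>", "bypass", None); that default is an
    assumption of this model, not something the page specifies.
    """
    for rule in rules:
        if rule.matches(ingress, src_ip, qname):
            server = rule.servers[0].ip if rule.action == "proxy" and rule.servers else None
            return rule.name, rule.action, server
    return "<none>", "bypass", None


# Objects from Steps 1-3 of the page.
DNS1 = DnsServer("102.1.1.1", "ethernet0/1")
DNS2 = DnsServer("202.1.1.1", "ethernet0/2")
GROUP1 = DnsProxyRule("group1->DNS1", "ethernet0/3", "192.168.10.1/28", "proxy", servers=[DNS1])
GROUP2 = DnsProxyRule("group2->DNS2", "ethernet0/4", "172.168.10.1/24", "proxy", servers=[DNS2])
SERVER_BYPASS = DnsProxyRule("server-bypass", "ethernet0/4", "172.168.10.88/32", "bypass")

AS_CREATED = [GROUP1, GROUP2, SERVER_BYPASS]   # table order right after Steps 1-3
REORDERED = [SERVER_BYPASS, GROUP1, GROUP2]    # table order after Step 4

# The optional alternative from Step 3: keep two rules, but exclude the server
# from the user group 2 address book so that rule no longer matches it.
GROUP2_EXCLUDING_SERVER = DnsProxyRule("group2->DNS2", "ethernet0/4", "172.168.10.1/24", "proxy",
                                       exclude_members=["172.168.10.88"], servers=[DNS2])
WITH_EXCLUDE = [GROUP1, GROUP2_EXCLUDING_SERVER]

# Constructed sample queries: (ingress interface, source IP, queried name).
SAMPLE_QUERIES = [
    ("ethernet0/3", "192.168.10.5", "www.example.com"),   # user group 1
    ("ethernet0/4", "172.168.10.20", "www.example.com"),  # user group 2
    ("ethernet0/4", "172.168.10.88", "www.example.com"),  # intranet server
]

if __name__ == "__main__":
    for label, table in (("as created", AS_CREATED), ("reordered", REORDERED),
                         ("exclude member", WITH_EXCLUDE)):
        print(f"--- rule table: {label} ---")
        for ingress, src, qname in SAMPLE_QUERIES:
            print(f"{src:>15} on {ingress}: {evaluate(table, ingress, src, qname)}")
```

Running the block shows the problem Step 4 fixes: with the table as created, the intranet server's query matches the user group 2 rule first and is proxied to 202.1.1.1; with the bypass rule moved to the top, or with the server listed as an Exclude Member of the 172.168.10.1/24 entry, it is no longer proxied. A user from group 1 arriving on ethernet0/4 matches nothing, because every condition of a rule, including the ingress interface, has to hold.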