Name server DNS forwarding

Configuration of a name server with DNS forwarding

Last adaptation to the version: 14.1.0 (08.2025)

New:

If there is a Cloud Shield configuration via the USC, no DNS forwarding can be configured locally

DNS over TLS (DoT) possible

notempty

This article refers to a Beta version

12.6.1 12.4 12.2.3 11.7 11.6.11

DNS Forwarding

A DNS forwarding is used to forward all DNS requests made to the firewall's name server to another IP.

Cloud Shield Cloud Shield notempty New as of v14.1.0
If a Cloud Shield configuration is available via the USP (Unified Security Portal), a ‘’'configuration of ‘'DNS Forwarding’ on the UTM itself is not possible' The settings from the USP are displayed, but can only be changed here https://portal.securepoint.cloud Unified Security Console UTM Profile / Select profile Tab Cloud Shield Options Activate Cloud Shield or /li> Option Allow Fallback DNS activate or deactivate The section on the UTM is deactivated			Nameserver UTMuser@firewall.name.fqdnApplication 42 Cloud Shield configuration available in the USP

DNS Forwarding
Add DNS Forwarding Add DNS Forwarding Menu Applications Nameserver Area DNS Forwarding button + Add DNS Forwarding
Caption	Value	Description	Add DNS Forwarding UTMuser@firewall.name.fqdnApplicationNameserver Creating a DNS Forwarding
Type:	DNSDoT	DNS: classic unencrypted DNS-resolution
IP address:	203.0.113.113	IP address of a DNS server to which the DNS requests should be forwarded.

notempty New as of v14.0
Type:	DNSDoT	DoT: DNS over TLS DNS queries are encrypted with TLS	Add DNS Forwarding UTMuser@firewall.name.fqdnApplicationNameserver DNS over TLS notempty New as of v14.0
IP address:	1.1.1.1 Example value	IP address of a DNS server to which the DNS requests should be forwarded.
Hostname	cloudflare-dns.com Example value	The hostname is required fot thr verification of the TLS certificate
		Saves the entry

Provider-DNS Provider-DNS
Use the provider's DNS server	Off	When On is activated, the DNS server of the internet provider is used	Nameserver UTMuser@firewall.name.fqdnApplication
If a TLS-Forwarder (DoT) is configured, DNS Forwarder will not be used			Nameserver UTMuser@firewall.name.fqdnApplication

Domain forwarding through a VPN tunnel

Sometimes it is necessary to forward internal domain requests to a remote name server located in a VPN.

It should be noted here that, by default, all direct requests addressed to external name servers are sent from the firewall with the external IP. However, a public IP is not routed into a VPN tunnel.

Set the name server of the firewall

Caption	Value	Description	Server settings UTMuser@firewall.name.fqdnNetwork Name server IP
Check name server before local cache:	Yes	Should be enabled
Primary name server:	127.0.0.1	The IP of the UTM itself (localhost=127.0.0.1)
Secondary name server:		Can remain empty or designate another DNS in the VPN
		Saves the entry

Create relay

notempty

For this example, an IPSec connection was used. For SSL-VPN, the setup is done in the same way.

Menu Applications Name server Area Zones button + Add Relay-Zone.

Caption	Value	Description	Add relay zone UTMuser@firewall.name.fqdnApplicationNameserver Creating the relay zone
Zone name:	relay.test.local	Zone name of the desired domain
Type::	Relay	Select this type
IP address:	192.168.8.5	Click on Add server and in the IP address field the address of the remote name server is entered Edit the entry trash Delete the entry
		Saves the entry

Create network object

Menu Firewall Network Objects button + Add Object. A network object must be created for the IPSec network.

Caption	Value	Description	Add Network Objects UTMuser@firewall.name.fqdnFirewallNetwork object Network object
Name:	IPSec-Network	Choose unique name
Type::	VPN network	Select this type
Address:	192.168.8.0/24	The IP address corresponds to that of the IPSec network
Zone:	vpn-ipsec	Suitable zone must be selected
		Saves the entry

Add Rule

In the last step, a firewall rule with a Hide NAT must be created. This causes the DNS forwarding to also go into the tunnel, and not directly into the Internet.
Menu Firewall Packetfilter button + Add Rule.

Caption	Value	Add Rule UTMuser@firewall.name.fqdnFirewallPacketfilter
Aktive:	On
Source:	external-interface
Destination:	IPSec-Netzwerk
Service:	domain-udp
[-] NAT
Type::	HIDENAT
Network object:	internal-interface
	Saves the rule and closes the dialogue. The rules must then be updated.

Safe Search with external DHCP server

If an external DHCP server is used, the active web filter Safe Search often does not work for search engines, especially Google, when searching for images.
In order for this web filter to take effect there as well, the following forward zones must be set up for all ccTLDs (see https://www.google.com/supported_domains : www.google.de, www.google.ch, ...).
Menu Applications Nameserver button + Add Forward Zone.

Caption	Value	Zone bearbeiten UTMuser@firewall.name.fqdnApplicationNameserver The forward zone set up for www.google.com
Zone name:	www.google.com
Name server hostname:	localhost
Name server IP address:
In the Name server window, click in the www.google.de zone. In the Edit Zone window click Add entry.
Name:	www.google.com
Type::	A
Value:	216.239.38.120
Save and click again on Add entry.
Name:	www.google.com
Type::	AAAA
Value:	2001:4860:4802:32::78
	Saves the entry