Configuration of a name server with DNS forwarding

Last adaptation to the version: 14.0.0

New: This article refers to a Resellerpreview.

Access: Applications > Nameserver > Area DNS Forwarding


DNS Forwarding

A DNS forwarding forwards all DNS requests made to the firewall's name server to another IP address.


Add DNS Forwarding

Menu Applications > Nameserver > Area DNS Forwarding > Button + Add DNS Forwarding

[Screenshot: Creating a DNS Forwarding]

| Caption | Value | Description |
|---|---|---|
| Type: | DNS | Classic unencrypted DNS resolution |
| IP address: | 203.0.113.113 | IP address of the DNS server to which the DNS requests should be forwarded. |
| Type: | DoT (new as of v14.0) | DNS over TLS: the DNS queries are encrypted with TLS |
| IP address: | 1.1.1.1 (example value) | IP address of the DNS server to which the DNS requests should be forwarded. |
| Hostname: | cloudflare-dns.com (example value) | The hostname is required for the verification of the TLS certificate |
| Save | | Saves the entry |

Provider-DNS

[Screenshot: Provider-DNS]

| Caption | Value | Description |
|---|---|---|
| Use the provider's DNS server | Off | When set to On, the DNS server of the internet provider is used |

In previous versions, this option was located in the General Settings.

  • If a TLS forwarder (DoT) is configured, the DNS forwarder will not be used.

Domain forwarding through a VPN tunnel

    Sometimes it is necessary to forward internal domain requests to a remote name server located in a VPN.

    It should be noted here that, by default, all direct requests addressed to external name servers are sent from the firewall with the external IP. However, a public IP is not routed into a VPN tunnel.


    Set the name server of the firewall

    [Screenshot: Server settings, Name server IP]

    | Caption | Value | Description |
    |---|---|---|
    | Check name server before local cache: | Yes | Should be enabled |
    | Primary name server: | 127.0.0.1 | The IP of the UTM itself (localhost = 127.0.0.1) |
    | Secondary name server: | | Can remain empty or designate another DNS server in the VPN |
    | Save | | Saves the entry |


    Create relay

    For this example, an IPSec connection was used. For SSL-VPN, the setup is done in the same way.

    Menu Applications > Name server > Area Zones > Button + Add Relay-Zone

    [Screenshot: Creating the relay zone]

    | Caption | Value | Description |
    |---|---|---|
    | Zone name: | relay.test.local | Zone name of the desired domain |
    | Type: | Relay | Select this type |
    | IP address: | 192.168.8.5 | Click on Add server and enter the address of the remote name server in the IP address field |
    | Edit | | Edits the entry |
    | Trash | | Deletes the entry |
    | Save | | Saves the entry |


    Create network object

    Menu Firewall > Network Objects > Button + Add Object. A network object must be created for the IPSec network.

    [Screenshot: Network object]

    | Caption | Value | Description |
    |---|---|---|
    | Name: | IPSec-Network | Choose a unique name |
    | Type: | VPN network | Select this type |
    | Address: | 192.168.8.0/24 | The IP address corresponds to that of the IPSec network |
    | Zone: | vpn-ipsec | A suitable zone must be selected |
    | Save | | Saves the entry |


    Add Rule

    In the last step, a firewall rule with a Hide NAT must be created. This causes the DNS forwarding to also go into the tunnel, and not directly into the Internet.
    Menu Firewall > Packetfilter > Button + Add Rule.

    [Screenshot: Packet filter rule for DNS forwarding]

    | Caption | Value |
    |---|---|
    | Active: | On |
    | Source: | external-interface |
    | Destination: | IPSec-Network |
    | Service: | domain-udp |
    | NAT section (expanded) | |
    | Type: | HIDENAT |
    | Network object: | internal-interface |
    | Save | Saves the rule and closes the dialogue. The rules must then be updated. |


    Safe Search with external DHCP server

    If an external DHCP server is used, the activated Safe Search function of the web filter often does not work for search engines, especially Google, when searching for images.
    In order for this web filter to take effect there as well, the following forward zones must be set up for all ccTLDs (see https://www.google.com/supported_domains: www.google.de, www.google.ch, ...).
    Menu Applications > Nameserver > Button + Add Forward Zone.

    [Screenshot: Edit Zone, the forward zone set up for www.google.com]

    | Caption | Value |
    |---|---|
    | Zone name: | www.google.com |
    | Name server hostname: | localhost |
    | Name server IP address: | |

    In the Name server window, click on the www.google.de zone.
    In the Edit Zone window click Add entry.

    | Caption | Value |
    |---|---|
    | Name: | www.google.com |
    | Type: | A |
    | Value: | 216.239.38.120 |

    Save and click again on Add entry.

    | Caption | Value |
    |---|---|
    | Name: | www.google.com |
    | Type: | AAAA |
    | Value: | 2001:4860:4802:32::78 |

    Save: Saves the entry.