notempty Dieser Artikel bezieht sich auf eine nicht mehr aktuelle Version!
notempty Der Artikel für die neueste Version steht hier
notempty Zu diesem Artikel gibt es bereits eine neuere Version, die sich allerdings auf eine Beta-Version bezieht
Last adaptation to the version: 12.6.1
- Updated to Redesign of the webinterface
notemptyThis article refers to a Beta version
DNS Forwarding
A DNS forwarding is used to forward all DNS requests made to the firewall's name server to another IP.
Add DNS Forwarding
Menu Area DNS Forwarding button
| Caption | Value | Description | UTMuser@firewall.name.fqdnApplicationsNameserver  Creating a DNS Forwarding
|
|---|---|---|---|
| IP address: | 192.168.175.2 | Click on and in the IP address field the address of the remote name server is entered
| |
| Saves the entry | |||
Domain forwarding through a VPN tunnel
Sometimes it is necessary to forward internal domain requests to a remote name server located in a VPN.
It should be noted here that, by default, all direct requests addressed to external name servers are sent from the firewall with the external IP. However, a public IP is not routed into a VPN tunnel.
Set the name server of the firewall
| Caption | Value | Description | UTMuser@firewall.name.fqdnNetwork  Name server IP
|
|---|---|---|---|
| Check name server before local cache: | Yes | Should be enabled | |
| Primary name server: | 127.0.0.1 | The IP of the UTM itself (localhost=127.0.0.1) | |
| Secondary name server: | Can remain empty or designate another DNS in the VPN | ||
| Saves the entry | |||
Create relay
notemptyFor this example, an IPSec connection was used. For SSL-VPN, the setup is done in the same way. Menü Menu Area Zones button .
| Caption | Value | Description | UTMuser@firewall.name.fqdnApplicationsNameserver  Creating the relay zone
|
|---|---|---|---|
| Zone name: | relay.test.local | Zone name of the desired domain | |
| Type: | Select this type | ||
| IP address: | 192.168.8.5 | Click on and in the IP address field the address of the remote name server is entered
| |
| Saves the entry | |||
Create network object
Menu button . A network object must be created for the IPSec network.
| Caption | Value | Description | UTMuser@firewall.name.fqdnFirewallNetwork object  Network object
|
|---|---|---|---|
| Name: | IPSec-Network | Choose unique name | |
| Type: | Select this type | ||
| Address: | 192.168.8.0/24 | The IP address corresponds to that of the IPSec network | |
| Zone: | Suitable zone must be selected | ||
| Saves the entry | |||
Add Rule
In the last step, a firewall rule with a Hide NAT must be created. This causes the DNS forwarding to also go into the tunnel, and not directly into the Internet.
Menu button .
| Caption | Value | UTMuser@firewall.name.fqdnFirewallPacketfilter 
|
|---|---|---|
| Aktive: | On | |
| Source: |  external-interface
| |
| Destination: |  IPSec-Netzwerk
| |
| Service: |  domain-udp
| |
[-] NAT
| ||
| Type: | ||
| Network object: | internal-interface
| |
| Saves the rule and closes the dialogue. The rules must then be updated. | ||
Safe Search with external DHCP server
If an external DHCP server is used, the active web filter Safe Search often does not work for search engines, especially Google, when searching for images.
In order for this web filter to take effect there as well, the following forward zones must be set up for all ccTLDs (see https://www.google.com/supported_domains : www.google.de, www.google.ch, ...).
Menu button .
| Caption | Value | UTMuser@firewall.name.fqdnApplicationsNameserver  The forward zone set up for www.google.com
|
|---|---|---|
| Zone name: | www.google.com | |
| Name server hostname: | localhost | |
| Name server IP address: | ||
| In the Name server window, click in the www.google.de zone. In the Edit Zone window click . | ||
| Name: | www.google.com | |
| Type: | A | |
| Value: | 216.239.38.120 | |
| and click again on . | ||
| Name: | www.google.com | |
| Type: | AAAA | |
| Value: | 2001:4860:4802:32::78 | |
| Saves the entry | ||