Configuration of a name server with DNS forwarding

Last adaptation to the version: 14.0.0 (11.2024)

This article refers to a Beta version.

Access: UTM-IP:Port or UTM-URL:Port
Port as configured at Network / Appliance Settings / Webserver
Default port: 11115
e.g.: https://utm.ttt-point.de:11115
Default: https://192.168.175.1:11115

Menu Applications / Nameserver, area DNS Forwarding


DNS Forwarding

A DNS forwarding passes all DNS requests that reach the firewall's name server on to another IP address (the upstream resolver) instead of resolving them via the root servers.


Add DNS Forwarding

Menu Applications / Nameserver, area DNS Forwarding, button + Add DNS Forwarding

Creating a DNS forwarding (classic DNS):

    Type: DNS
        Classic, unencrypted DNS resolution (port 53).
    IP address: 203.0.113.113 (example value)
        IP address of the DNS server to which the DNS requests are forwarded.
    Click Save to store the entry.

New as of v14.0: DNS over TLS

    Type: DoT
        DNS over TLS: the DNS queries to the forwarder are encrypted with TLS (RFC 7858, TCP port 853).
    IP address: 1.1.1.1 (example value)
        IP address of the DNS server to which the DNS requests are forwarded.
    Hostname: cloudflare-dns.com (example value)
        The hostname is required for the verification of the TLS certificate: the UTM checks that the certificate presented by the forwarder is issued for this name. Without that check the TLS connection would still hide the queries from an eavesdropper, but any host with a valid certificate could impersonate the resolver.
    Click Save to store the entry.
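The Hostname field matters because a TLS client can only reject an impostor if it compares the certificate against an expected name. The following script is an added example, not code from the Securepoint article or from the UTM, and shows what a DoT forwarder has to do: open TLS to the forwarder IP on port 853, verify the certificate chain and the hostname, then exchange length-prefixed DNS messages as RFC 7858 specifies. The server IP 1.1.1.1 and hostname cloudflare-dns.com are the article's example values; the query name example.com and the transaction id are assumptions for the demonstration. The wire-format helpers are pure functions so they can be checked offline.

```python
"""Minimal DNS-over-TLS client with certificate hostname verification (added example)."""
import socket
import ssl
import struct


def build_query(name, qtype=1, txid=0x1234):
    """Build a DNS query in wire format (RFC 1035): header with RD set, one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def _skip_name(buf, off):
    """Return the offset just past the name at buf[off], honouring compression pointers."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte pointer ends the name
            return off + 2
        off += 1 + length


def parse_a_records(response, txid):
    """Extract IPv4 addresses from the answer section; reject mismatched id or error RCODE."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0xF))
    off = 12
    for _ in range(qd):                 # skip the echoed question(s)
        off = _skip_name(response, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(response, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(response[off:off + 4]))
        off += rdlen
    return addrs


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def dot_query(server_ip, server_hostname, name, port=853, timeout=5.0):
    """Send one A query over DNS-over-TLS and return the IPv4 answers.

    create_default_context() loads the system CA store, requires a certificate
    and enables hostname checking; server_hostname is both the SNI sent to the
    forwarder and the name the certificate must match. This is the check the
    UTM's Hostname field exists for.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    txid = 0x1234  # assumption for the example; a real client randomises this
    query = build_query(name, txid=txid)
    with socket.create_connection((server_ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)   # RFC 7858 length prefix
            (rlen,) = struct.unpack("!H", _recv_exact(tls, 2))
            response = _recv_exact(tls, rlen)
    return parse_a_records(response, txid)


if __name__ == "__main__":
    # Example values from the article; needs network access.
    print(dot_query("1.1.1.1", "cloudflare-dns.com", "example.com"))
```

If the hostname does not match the certificate, `wrap_socket` raises `ssl.SSLCertVerificationError` before any DNS data is sent; the common misconfiguration is to set `ctx.check_hostname = False`, which silently turns DoT into encryption without authentication.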

Provider-DNS

    Use the provider's DNS server: Off
        When set to On, the DNS server assigned by the internet provider is used.

In previous versions this option was located in the General Settings.

  • If a TLS forwarder (DoT) is configured, the plain DNS forwarders are not used.
  • Domain forwarding through a VPN tunnel

    Sometimes it is necessary to forward requests for internal domains to a remote name server located behind a VPN.

    Note that, by default, all direct requests the firewall sends to external name servers leave with the external IP as source address. A public IP, however, is not routed into a VPN tunnel, so such requests would never reach the remote name server. The following steps make the firewall use its own name server, relay the remote domain to the name server in the VPN, and add a Hide NAT rule so that the forwarded requests enter the tunnel with an internal source address.


    Set the name server of the firewall

    Menu Network / Appliance Settings, area Server Settings, section DNS-Server

        Check name server before local cache: Yes
            Should be enabled.
        Primary name server: 127.0.0.1
            The IP of the UTM itself (localhost = 127.0.0.1).
        Secondary name server: (empty)
            Can remain empty or designate another DNS server in the VPN.
        Click Save to store the entry.


    Create relay zone

    For this example, an IPSec connection was used. For SSL-VPN, the setup is done in the same way.

    Menu Applications / Nameserver, area Zones, button + Add Relay-Zone.

        Zone name: relay.test.local
            Zone name of the desired domain.
        Type: Relay
            Select this type.
        IP address: 192.168.8.5
            Click on Add server and enter the address of the remote name server in the IP address field. Existing server entries can be edited or deleted (trash icon).
        Click Save to store the entry.


    Create network object

    Menu Firewall / Network Objects, button + Add Object. A network object must be created for the IPSec network.

        Name: IPSec-Network
            Choose a unique name.
        Type: VPN network
            Select this type.
        Address: 192.168.8.0/24
            The IP address corresponds to that of the IPSec network.
        Zone: vpn-ipsec
            A suitable zone must be selected.
        Click Save to store the entry.


    Add rule

    In the last step, a packet filter rule with Hide NAT must be created. It causes the forwarded DNS requests to enter the tunnel with an internal source address instead of leaving towards the Internet with the external IP.
    Menu Firewall / Packetfilter, button + Add Rule.

        Active: On
        Source: external-interface
        Destination: IPSec-Network
        Service: domain-udp

        [-] NAT
        Type: HIDENAT
        Network object: internal-interface

    Click Save to store the rule and close the dialogue. The rules must then be updated.

    Note that this rule covers UDP only; if the remote name server must also be reached over TCP (truncated responses, zone transfers), add a corresponding rule for the TCP DNS service.


    Safe Search with external DHCP server

    If an external DHCP server is used, the active web filter Safe Search often does not work for search engines, especially Google image search.
    For this web filter to take effect there as well, forward zones must be set up for all Google ccTLDs (see https://www.google.com/supported_domains: www.google.de, www.google.ch, ...), each with the same records as shown below for www.google.com.
    Menu Applications / Nameserver, button + Add Forward Zone.

    The forward zone set up for www.google.com:

        Zone name: www.google.com
        Name server hostname: localhost
        Name server IP address: (empty)

    In the Name server window, click on the www.google.com zone.
    In the Edit Zone window, click Add entry.

        Name: www.google.com
        Type: A
        Value: 216.239.38.120

    Save and click again on Add entry.

        Name: www.google.com
        Type: AAAA
        Value: 2001:4860:4802:32::78

    Click Save to store the entry.
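The supported_domains list contains well over a hundred ccTLDs, so the zone list is easier to generate than to type, and after the configuration it is worth checking that every zone really answers with the Safe Search addresses. The following script is an added example, not part of the Securepoint article or product. It parses a copy of the supported_domains file (a constructed five-line excerpt is embedded; replace it with the downloaded file), produces one forward zone per domain with the A and AAAA records from the article, and compares the answers of a resolver with the expected records. The `lookup` parameter is an assumption of this example: by default it uses the system resolver of the machine it runs on, which must therefore be pointed at the UTM.

```python
"""Generate and verify Safe Search forward zones for all Google ccTLDs (added example)."""
import socket

# Record values from the article.
SAFE_SEARCH_A = "216.239.38.120"
SAFE_SEARCH_AAAA = "2001:4860:4802:32::78"

# Constructed excerpt in the format of https://www.google.com/supported_domains
# (one domain per line, leading dot). Replace with the full downloaded file.
SAMPLE_SUPPORTED_DOMAINS = """\
.google.com
.google.ad
.google.de
.google.ch
.google.co.uk
"""


def parse_supported_domains(text):
    """Return bare domains ('google.de', ...) from supported_domains content."""
    domains = []
    for line in text.splitlines():
        line = line.strip().lower()
        if not line or line.startswith("#"):
            continue
        domains.append(line.lstrip("."))
    return domains


def forward_zones(domains):
    """One forward zone per domain, configured exactly like www.google.com in the article."""
    zones = []
    for domain in domains:
        host = "www." + domain
        zones.append({
            "zone": host,
            "nameserver": "localhost",
            "records": [(host, "A", SAFE_SEARCH_A), (host, "AAAA", SAFE_SEARCH_AAAA)],
        })
    return zones


def system_lookup(host):
    """Resolve host with the system resolver; returns (ipv4 set, ipv6 set).
    Raises OSError (socket.gaierror) if the name does not resolve."""
    v4, v6 = set(), set()
    for family, _type, _proto, _canon, sockaddr in socket.getaddrinfo(host, None):
        if family == socket.AF_INET:
            v4.add(sockaddr[0])
        elif family == socket.AF_INET6:
            v6.add(sockaddr[0])
    return v4, v6


def check_zones(zones, lookup=system_lookup):
    """Compare the resolver's answers with the expected records; return a list of problems.

    A zone that is missing on the UTM shows up as Google's real addresses (or NXDOMAIN)
    instead of the Safe Search address, which is what this check reports.
    """
    problems = []
    for zone in zones:
        host = zone["zone"]
        try:
            v4, v6 = lookup(host)
        except OSError as exc:
            problems.append("%s: lookup failed (%s)" % (host, exc))
            continue
        if v4 != {SAFE_SEARCH_A}:
            problems.append("%s: A = %s, expected %s" % (host, sorted(v4), SAFE_SEARCH_A))
        if v6 != {SAFE_SEARCH_AAAA}:
            problems.append("%s: AAAA = %s, expected %s" % (host, sorted(v6), SAFE_SEARCH_AAAA))
    return problems


if __name__ == "__main__":
    zones = forward_zones(parse_supported_domains(SAMPLE_SUPPORTED_DOMAINS))
    for zone in zones:
        print(zone["zone"], "->", ", ".join("%s %s" % (t, v) for _, t, v in zone["records"]))
    for problem in check_zones(zones):
        print("PROBLEM:", problem)
```

Run the check from a client that resolves via the UTM; a zone that was forgotten is reported with the address the resolver actually returned, which makes it easy to spot a ccTLD that still bypasses Safe Search.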