
Configuring DFP Settings

To configure general DNS Forwarding Proxy (DFP) settings, specify the following:

  • Internal and Fallback DNS Resolvers: Expand this and click Add to add a local resolver that answers queries for your internal domains, or a fallback resolver that takes over when the DFP loses its connection to BloxOne Cloud or when BloxOne DNS fails to resolve requests.
    Complete the following to configure internal and fallback resolvers:

    • ORDER: The precedence of each FQDN/IP address in the resolver list. The DFP tries resolvers in this order. Click and drag the up/down arrows associated with a resolver to change its position.

    • FQDN/IP ADDRESS: Enter the FQDN or IP address of the resolver. The same entry can serve as the internal resolver, the fallback resolver, or both.

    • INTERNAL RESOLVER: An internal resolver answers DNS queries for the domains in the internal domains lists. To enable it, toggle the switch to the right. INTERNAL RESOLVER is enabled by default. For information about internal resolvers, see DNS Forwarding Proxy Fallback to Local Resolvers.

    • FALLBACK RESOLVER: A fallback resolver is a backup endpoint used when the primary server is unavailable. It resolves all DNS queries when BloxOne Cloud cannot be reached or fails to resolve them. For information about DNS fallback, see /wiki/spaces/BloxOne/pages/335413573.

    • DNS OVER TLS: DNS over TLS (DoT) carries DNS queries inside a TLS session on TCP port 853. When both DNS over TLS and unencrypted DNS are enabled for a resolver, DNS over TLS takes precedence. To enable it, toggle the switch to the right. DNS OVER TLS is disabled by default.

    • UNENCRYPTED DNS: Unencrypted DNS sends queries in cleartext on port 53. To disable it, toggle the switch to the left. UNENCRYPTED DNS is enabled by default. If the resolver supports DNS over TLS and you want to prevent the DFP from falling back to cleartext queries, enable DNS OVER TLS and disable UNENCRYPTED DNS.

  • Internal Domains Lists: Expand and click Add to add an internal domain list to the DFP. If internal domains are served by local DNS servers and you want to reach them without interruption, add them to an internal domains list: DNS queries for these domains are then sent to the local DNS servers instead of BloxOne Cloud. Alternatively, search for a specific internal domains list by entering its name in the search field. For information about internal domain lists, see Configuring Internal Domains.
    Complete the following to configure the internal domains lists:

    • NAME (required): From the Select List menu, choose the internal domain list to add to the configuration. You can add multiple internal domain lists. Note that only available internal domain lists appear in the menu. To configure an internal domain list, see Configuring Internal Domains.

  • PoP Settings: By default, the DNS service resolves and directs traffic through the automatically selected PoP, which is not necessarily the one closest to the requesting location; this might result in longer latency and slower application response times. For performance reasons, you can choose a preferred PoP in a specific region. Auto Selection is ON by default in the Cloud Services Portal. To use a preferred PoP, toggle Auto Selection to OFF and choose the PoP from the Point of Presence drop-down list.

Ensure that all required information is provided, and click Next to proceed to the next step. If any required information is left empty, an error icon will appear next to the page. To complete missing information, click Back. To exit without saving the configuration, click Cancel. If you have completed all edits and configuration, click Finish.
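The resolver table and internal-domains bypass described above, as an added example that is not Infoblox's code and does not claim to mirror the DFP's implementation: it builds a real DNS query, sends it over DNS over TLS (TCP/853 with the RFC 7858 length prefix, certificate chain verified) or cleartext UDP/53, and walks an ordered resolver table whose rows carry the INTERNAL RESOLVER, FALLBACK RESOLVER, DNS OVER TLS and UNENCRYPTED DNS toggles: internal-domain queries go to the internal resolvers, everything else goes to BloxOne Cloud unless it is unreachable, and per row DoT is tried before cleartext. The resolver addresses, the corp.example domain list and fake_send (an offline stand-in for the network) are constructed for illustration.

```python
# Added example (not Infoblox code): ordered DFP resolvers, DoT/cleartext toggles, internal-domain bypass.
import socket
import ssl
import struct
from dataclasses import dataclass

def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """Recursive A query: 12-byte header, QNAME labels, QTYPE=A, QCLASS=IN (RFC 1035)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: RD=1; QDCOUNT=1
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def _skip_name(resp: bytes, pos: int) -> int:
    """Advance past a wire-format name, written out or ending in a 2-byte compression pointer."""
    while resp[pos] and resp[pos] & 0xC0 != 0xC0:
        pos += resp[pos] + 1
    return pos + (2 if resp[pos] & 0xC0 == 0xC0 else 1)

def parse_a_records(resp: bytes, txid: int = 0x1234) -> list:
    """IPv4 strings from the answer section; raises on wrong id, non-response or RCODE != 0."""
    rid, flags, qd, an = struct.unpack("!HHHH", resp[:8])
    if rid != txid or not flags & 0x8000 or flags & 0x000F:
        raise ValueError(f"unusable response: id={rid:#x} flags={flags:#06x}")
    pos, ips = 12, []
    for _ in range(qd):
        pos = _skip_name(resp, pos) + 4           # echoed question: name + QTYPE + QCLASS
    for _ in range(an):
        pos = _skip_name(resp, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in resp[pos:pos + 4]))
        pos += rdlen
    return ips

def send_dot(host: str, payload: bytes, timeout: float = 3.0) -> bytes:
    """One query over TLS on TCP/853 with the RFC 7858 2-byte length prefix; chain is verified."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, 853), timeout=timeout) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        tls.sendall(struct.pack("!H", len(payload)) + payload)
        f = tls.makefile("rb")
        return f.read(struct.unpack("!H", f.read(2))[0])

def send_plain(host: str, payload: bytes, timeout: float = 3.0) -> bytes:
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:   # cleartext UDP/53
        s.settimeout(timeout)
        s.sendto(payload, (host, 53))
        return s.recv(4096)

def real_send(address: str, transport: str, payload: bytes) -> bytes:
    return send_dot(address, payload) if transport == "dot" else send_plain(address, payload)

@dataclass
class Resolver:                  # one row of the Internal and Fallback DNS Resolvers table
    address: str
    internal: bool = True        # INTERNAL RESOLVER toggle (on by default)
    fallback: bool = False       # FALLBACK RESOLVER toggle
    dns_over_tls: bool = False   # DNS OVER TLS toggle (off by default)
    unencrypted: bool = True     # UNENCRYPTED DNS toggle (on by default)

def transports_for(r: Resolver) -> list:
    """DoT outranks cleartext; a row with both toggles off can never be used."""
    return [t for t, on in (("dot", r.dns_over_tls), ("plain", r.unencrypted)) if on]

def is_internal(qname: str, internal_domains) -> bool:
    q = qname.rstrip(".").lower()
    return any(q == d or q.endswith("." + d) for d in (x.rstrip(".").lower() for x in internal_domains))

def select_local_resolvers(qname, resolvers, internal_domains, cloud_reachable):
    """Rows that handle this query, in ORDER; an empty list means it goes to BloxOne Cloud."""
    if is_internal(qname, internal_domains):
        return "internal-domain", [r for r in resolvers if r.internal]
    if not cloud_reachable:
        return "cloud-unreachable", [r for r in resolvers if r.fallback]
    return "bloxone-cloud", []

def resolve_locally(qname, candidates, send=real_send):
    """Walk candidates in ORDER, DoT before cleartext per row; return (ips, address, transport)."""
    query, errors = build_query(qname), []
    for r in candidates:
        for t in transports_for(r):
            try:
                return parse_a_records(send(r.address, t, query)), r.address, t
            except (OSError, ValueError) as e:
                errors.append(f"{r.address}/{t}: {e}")
    raise RuntimeError("no resolver answered: " + "; ".join(errors))

def fake_send(address, transport, payload):
    """Constructed offline stand-in for real_send: 10.0.0.53 has no DoT listener (so the DFP
    falls back to cleartext on that row); every reachable path answers with A 10.1.2.3."""
    if address == "10.0.0.53" and transport == "dot":
        raise ConnectionRefusedError("nothing listening on 853")
    txid = struct.unpack("!H", payload[:2])[0]
    return (struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + payload[12:]
            + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([10, 1, 2, 3]))

RESOLVERS = [Resolver("10.0.0.53", fallback=True, dns_over_tls=True),   # assumed addresses
             Resolver("10.0.0.54")]
INTERNAL_DOMAINS = ["corp.example"]                                      # assumed list
```

Call resolve_locally with the default real_send to query an actual resolver. The walk makes one point of the toggles concrete: a row with DNS OVER TLS on and UNENCRYPTED DNS off is the only configuration that never falls back to cleartext; with both on, a resolver that refuses TCP/853 is simply queried in the clear on port 53.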

Configuring DFP Settings Using Encrypted DNS Protocols

NOTE: DNS Forwarding Proxy (DFP) configuration using encrypted DNS protocols is available only to the following subscribers:

  1. Subscribers who hold both a Federal license and a BloxOne Threat Defense Advanced license can choose between three external DNS resolver configurations.

  2. Subscribers who hold only a Federal license cannot choose an external DNS resolver configuration; the provisioned-resolvers-only configuration is applied (see below).

To configure DFP settings using encrypted DNS protocols, specify the following:

Internal and External DNS Resolvers: Expand this and click Add to add an internal or external DNS resolver that manages your DNS requests while the DFP is connected to BloxOne Cloud.

External DNS Resolver: Select an external DNS resolver configuration from the drop-down list. The external DNS resolver defines which DNS service resolves queries and enforces security policies. The choice between the three configurations is available only to subscribers holding both a Federal license and a BloxOne Threat Defense license.

  • BloxOne Threat Defense (B1TD) with fallback to the provisioned external resolvers: If BloxOne Threat Defense is unavailable, the DFP falls back to the servers provisioned by your organization. Queries answered by those servers are not subject to BloxOne Threat Defense policy enforcement. This option is selected by default.

  • Provisioned external resolvers with fallback to BloxOne Threat Defense (B1TD): The DFP sends queries to the provisioned external servers and falls back to BloxOne Threat Defense only if those servers are unavailable.

  • Provisioned external resolvers without fallback to BloxOne Threat Defense (B1TD): If the provisioned external servers are unavailable, the DFP does NOT fall back to BloxOne Threat Defense; queries remain unresolved until those servers recover.

For subscribers holding only a Federal license, the third option is applied by default and the other two cannot be selected. In this case no drop-down list is shown, because access to the BloxOne Threat Defense resolver requires a BloxOne Threat Defense license.
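The three external DNS resolver options above, as an added example that is not Infoblox's code: each option becomes an ordered chain of tiers, selectable_options applies the license rule from the NOTE, and outage_matrix shows, for a name BloxOne Threat Defense would block, which tier answers and whether policy was enforced when one tier is down. The option keys, the sinkhole answer and make_attempt (an offline stand-in for the network) are assumptions for illustration.

```python
# Added example (not Infoblox code): the three external DNS resolver options as fallback chains.
B1TD, PROVISIONED = "b1td", "provisioned"

# Option in the wizard -> tiers tried in order. The keys are assumed names, not UI strings.
OPTIONS = {
    "b1td_with_fallback_to_provisioned": (B1TD, PROVISIONED),     # default with a B1TD license
    "provisioned_with_fallback_to_b1td": (PROVISIONED, B1TD),
    "provisioned_without_fallback": (PROVISIONED,),               # only option with Federal alone
}

def selectable_options(has_federal: bool, has_b1td: bool) -> list:
    """Which options the drop-down offers: all three with both licenses, one with Federal only."""
    if has_federal and has_b1td:
        return list(OPTIONS)
    if has_federal:
        return ["provisioned_without_fallback"]
    return []

def resolve_external(option: str, qname: str, attempt) -> dict:
    """Try each tier of the chosen option; attempt(tier, qname) answers or raises OSError."""
    outcome = {"answer": None, "tier": None, "policy_enforced": False}
    for tier in OPTIONS[option]:
        try:
            outcome.update(answer=attempt(tier, qname), tier=tier, policy_enforced=(tier == B1TD))
            return outcome
        except OSError:
            continue                      # tier unavailable: move down the chain
    return outcome                        # chain exhausted: no answer (fail closed)

def make_attempt(available, blocked):
    """Constructed stand-in for the network. B1TD answers names in `blocked` with a sinkhole
    (an assumption for illustration); provisioned servers answer whatever they are asked."""
    def attempt(tier, qname):
        if tier not in available:
            raise OSError(f"{tier} unreachable")
        if tier == B1TD and qname in blocked:
            return "sinkhole"
        return "203.0.113.10"             # TEST-NET-3 address, assumed upstream answer
    return attempt

def outage_matrix(qname: str, blocked) -> dict:
    """For every option and every tier outage: (answering tier, answer, policy enforced?)."""
    rows = {}
    for option in OPTIONS:
        for down in ((), (B1TD,), (PROVISIONED,)):
            available = {B1TD, PROVISIONED} - set(down)
            r = resolve_external(option, qname, make_attempt(available, blocked))
            rows[(option, down)] = (r["tier"], r["answer"], r["policy_enforced"])
    return rows
```

The matrix makes the trade-off visible: with the first option, a BloxOne Threat Defense outage means a name it would have blocked resolves through the provisioned servers (fail open); with the second, names are not checked against BloxOne Threat Defense policy at all while the provisioned servers are reachable; with the third, a provisioned-server outage leaves clients without answers (fail closed).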

DNS Forwarding Proxy can also be configured to forward additional metadata, such as the client IP address and MAC address, to the external servers. Because these identifiers leave your network, confirm that the operator of the external resolvers is one you intend to share them with.

Complete the following to configure internal and external resolvers:

  • ORDER: The precedence of each FQDN/IP address in the resolver list. The DFP tries resolvers in this order. Click and drag the up/down arrows associated with a resolver to change its position.

  • FQDN/IP ADDRESS: Enter the FQDN or IP address of the resolver. The same entry can serve as the internal resolver, the external resolver, or both.

  • INTERNAL RESOLVER: The internal resolver answers queries from clients on your network for the domains in the internal domains lists. To enable it, toggle the switch to the right. INTERNAL RESOLVER is enabled by default.

  • EXTERNAL RESOLVER: The external resolver is used when the primary server is unavailable. To enable it, toggle the switch to the right. EXTERNAL RESOLVER is disabled by default.

  • DNS OVER TLS: DNS over TLS (DoT) carries DNS queries inside a TLS session on TCP port 853. When both DNS over TLS and unencrypted DNS are enabled for a resolver, DNS over TLS takes precedence. To enable it, toggle the switch to the right. DNS OVER TLS is disabled by default.

  • UNENCRYPTED DNS: Unencrypted DNS sends queries in cleartext on port 53. To disable it, toggle the switch to the left. UNENCRYPTED DNS is enabled by default. To prevent the DFP from falling back to cleartext queries, enable DNS OVER TLS and disable UNENCRYPTED DNS for the resolver.


Internal Domains Lists and PoP Settings: Configure these as described under Configuring DFP Settings above: add the internal domain lists whose queries should go to the local DNS servers instead of BloxOne Cloud, and optionally toggle Auto Selection to OFF to choose a preferred PoP from the Point of Presence drop-down list.

Ensure that all required information is provided, and click Next to proceed to the next step. If any required information is left empty, an error icon will appear next to the page. To complete missing information, click Back. To exit without saving the configuration, click Cancel. If you have completed all edits and configuration, click Finish.

The configured DNS Forwarding Proxy settings can be viewed on the DNS Forwarding Proxy wizard’s Summary page.

For information on all steps required in creating and configuring DNS Forwarding Proxy Services, see Creating DNS Forwarding Proxy Services.

For information on editing or modifying DNS Forwarding Proxy Services, see Editing DNS Forwarding Proxy Services.

Deploying DNS Forwarding Proxy on NIOS

To deploy DNS Forwarding Proxy (DFP) on a NIOS appliance, see NIOS Deployment.
