
Editing DNS Proxy Service Settings

The DNS Forwarding Proxy continually monitors connectivity to BloxOne Cloud DNS. If the On-Prem Host cannot reach the BloxOne Cloud Anycast DNS server for any reason, it sends requests to a local DNS server that protects clients with security RPZ (DNS Firewall) feeds. The DNS Forwarding Proxy's fallback DNS server is used as the endpoint when the primary server is unavailable. Having the DNS Forwarding Proxy fall back to a local DNS server, instead of to the default DNS resolution path, can be used in situations where BloxOne Cloud is unreachable.

A DNS Forwarding Proxy consists of the following three components:

  • Internal and Fallback DNS Resolvers: An Internal DNS Resolver and a Fallback DNS Resolver are key components of the Domain Name System (DNS) infrastructure, resolving domain names into IP addresses. Both play a crucial role in efficient and reliable internet connectivity. An internal resolver is typically part of an organization's local network infrastructure and is the first point of contact for DNS queries originating within the network: when a device within the organization tries to access a website or a web service, the query is first sent to the Internal DNS Resolver. A Fallback DNS Resolver acts as a backup service, stepping in when the primary DNS resolver is unable to resolve a domain name, whether because the primary resolver is down or overloaded, or because the query pertains to a domain outside the internal network's knowledge.

  • Internal Domain Lists: When the DNS Forwarding Proxy is used, DNS queries are sent directly to BloxOne Cloud. If you have internal domains that are served by local DNS servers and you want to reach them without interruption, consider adding them to the bypassed internal domains list. Once added, DNS queries for these internal domains are sent to the local DNS servers instead of to BloxOne Cloud.

  • PoP Settings: DNS services typically resolve and direct traffic through the point of presence (PoP) closest to the data center rather than through the one closest to the requesting location or site, which results in longer latency and slower application response times. For performance reasons, a preferred regional PoP can be selected instead of the default Cloud Services Portal auto selection.

To edit the configuration of a DNS Forwarding Proxy, in the Services tab (Manage > Infrastructure > Services) select the desired DNS Forwarding Proxy from the list of services by placing a check in the checkbox associated with it. Then click Edit to open the Edit DNS Forwarding Proxy wizard. In the Edit DNS Forwarding Proxy wizard, make the desired changes:

  • Internal and Fallback DNS Resolvers: Click Add to add an internal or fallback DNS resolver to the DNS Forwarding Proxy. To configure the internal and fallback DNS resolver, do the following:

    • ORDER: The precedence given to an FQDN or an IP address (internal or external DNS resolver). To change the precedence of a resolver, click and drag the up or down arrow associated with it.

    • FQDN/IP ADDRESS: Add an FQDN or an IP address for enforcement of security policies.

    • INTERNAL RESOLVER: An internal resolver is a DNS resolver to which the BloxOne or NIOS host can forward internal domains, such as an internal authoritative DNS server. To configure the internal resolver, toggle the switch to the right to enable INTERNAL RESOLVER. INTERNAL RESOLVER is enabled by default.

    • EXTERNAL RESOLVER/FALLBACK RESOLVER: For customers not holding a Federal license, the column is called Fallback Resolver. An external resolver is a DNS resolver that can resolve general DNS queries. The fallback resolver is used when the primary server (that is, the BloxOne DNS Anycast IP) is unavailable. To configure the external resolver, toggle the switch to the right to enable EXTERNAL RESOLVER. EXTERNAL RESOLVER is disabled by default.

    • DNS OVER TLS: DNS over TLS (DoT) is an encrypted DNS protocol using TCP port 853. DoT takes precedence over unencrypted DNS in this DFP configuration: if both DoT and UNENCRYPTED DNS are enabled, the DFP attempts DoT first and falls back to unencrypted DNS if the server does not respond to DoT. To configure DNS over TLS, toggle the switch to the right to enable DNS OVER TLS. DNS OVER TLS is disabled by default.

    • UNENCRYPTED DNS: To disable unencrypted DNS, toggle the UNENCRYPTED DNS switch to the left. UNENCRYPTED DNS is enabled by default.

    Additional considerations:

    • An Internal and Fallback DNS Resolvers entry can have either Internal Resolver enabled OR Fallback Resolver enabled OR both Internal Resolver and Fallback Resolver enabled. It cannot have both Internal Resolver and Fallback Resolver disabled.

    • An Internal and Fallback DNS Resolvers entry can have either Unencrypted DNS enabled OR DoT enabled OR both Unencrypted AND DoT enabled. It cannot have DoT and Unencrypted disabled together.

    • DNS Forwarding Proxy can also be configured to transfer additional metadata, including an IP address and a MAC address, to external servers.

  • Internal Domains Lists: Click Add to add an internal domains list to the DNS Forwarding Proxy. Alternatively, you can search for a specific internal domains list by entering its name in the search field. To configure the internal domains list, do the following:

    • NAME (required): From the options list, select the name of the internal domains list to add to the configuration. You can add multiple internal domains lists to the DNS Forwarding Proxy configuration.

  • PoP Settings: PoP auto selection is ON by default. To enable preferred PoP, toggle the Auto Selection switch left to the OFF position. From the Point of Presence drop-down list, select a preferred PoP from among the options.
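The following is an added example, not Infoblox code: a stand-alone Python model of the routing and validation rules described in the resolver, internal domain list and additional-considerations items above. It checks each resolver entry against the two constraints (at least one of Internal/Fallback enabled, at least one of DoT/Unencrypted enabled), sends queries for bypassed internal domains to internal resolvers in ORDER precedence, sends everything else to BloxOne Cloud while it is reachable, and otherwise uses the fallback resolvers, trying DoT before unencrypted DNS for each. The resolver addresses, domain names, the `CLOUD` label and the `responds` callback that simulates whether a server answers on a given transport are all constructed for this example.

```python
"""Constructed model of DNS Forwarding Proxy routing decisions (not Infoblox code)."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Placeholder label for the BloxOne Cloud Anycast DNS target (assumed, not a real address).
CLOUD = "bloxone-cloud-anycast"


@dataclass
class ResolverEntry:
    """One row of the Internal and Fallback DNS Resolvers table; list position is ORDER."""
    address: str               # FQDN or IP address
    internal: bool = True      # INTERNAL RESOLVER switch (enabled by default)
    fallback: bool = False     # EXTERNAL/FALLBACK RESOLVER switch (disabled by default)
    dot: bool = False          # DNS OVER TLS switch (disabled by default)
    unencrypted: bool = True   # UNENCRYPTED DNS switch (enabled by default)


def validate_entry(entry: ResolverEntry) -> List[str]:
    """Apply the two 'additional considerations': an entry needs at least one role
    and at least one transport enabled. Returns a list of problems (empty if valid)."""
    problems = []
    if not (entry.internal or entry.fallback):
        problems.append(f"{entry.address}: Internal Resolver and Fallback Resolver both disabled")
    if not (entry.dot or entry.unencrypted):
        problems.append(f"{entry.address}: DoT and Unencrypted DNS both disabled")
    return problems


def transport_order(entry: ResolverEntry) -> List[Tuple[str, int]]:
    """DoT (TCP/853) has higher precedence; unencrypted DNS (port 53) is tried after it."""
    order = []
    if entry.dot:
        order.append(("dot", 853))
    if entry.unencrypted:
        order.append(("unencrypted", 53))
    return order


def in_internal_domains(qname: str, internal_domains: List[str]) -> bool:
    """Label-boundary suffix match: 'example.corp' covers itself and any '*.example.corp'."""
    q = qname.lower().rstrip(".")
    for domain in internal_domains:
        d = domain.lower().rstrip(".")
        if q == d or q.endswith("." + d):
            return True
    return False


def pick_transport(entry: ResolverEntry,
                   responds: Callable[[str, str], bool]) -> Optional[str]:
    """Try the entry's enabled transports in precedence order; None if nothing answers."""
    for name, _port in transport_order(entry):
        if responds(entry.address, name):
            return name
    return None


def route_query(qname: str, internal_domains: List[str], resolvers: List[ResolverEntry],
                cloud_reachable: bool,
                responds: Callable[[str, str], bool] = lambda addr, transport: True
                ) -> Tuple[Optional[str], Optional[str]]:
    """Return (target, transport) for a query, or (None, None) if no server answers.

    `responds(address, transport)` simulates whether a resolver answers on that transport.
    """
    if in_internal_domains(qname, internal_domains):
        candidates = [r for r in resolvers if r.internal]      # bypass list -> internal only
    elif cloud_reachable:
        return CLOUD, "cloud"                                   # normal path: BloxOne Cloud
    else:
        candidates = [r for r in resolvers if r.fallback]      # cloud down -> fallback only
    for entry in candidates:                                    # honours ORDER precedence
        transport = pick_transport(entry, responds)
        if transport is not None:
            return entry.address, transport
    return None, None


# Constructed sample configuration: one internal resolver (DoT + unencrypted) and one
# DoT-only fallback resolver; 'example.corp' is the bypassed internal domain.
RESOLVERS = [
    ResolverEntry("10.0.0.53", dot=True),
    ResolverEntry("203.0.113.53", internal=False, fallback=True, dot=True, unencrypted=False),
]
INTERNAL_DOMAINS = ["example.corp"]

if __name__ == "__main__":
    for r in RESOLVERS:
        print(r.address, "problems:", validate_entry(r) or "none")
    for name, cloud_up in [("intranet.example.corp", True), ("www.example.com", True),
                           ("www.example.com", False)]:
        print(name, "cloud up" if cloud_up else "cloud down", "->",
              route_query(name, INTERNAL_DOMAINS, RESOLVERS, cloud_up))
```

Because the second entry is DoT-only, a fallback server that does not answer on port 853 leaves the query with no destination when the cloud is unreachable; the validator does not flag this (it is a valid entry), so it is worth keeping unencrypted DNS enabled on at least one fallback resolver unless you are certain it serves DoT.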

Ensure that all required information is provided, and click Next to proceed to the next step. If any required information is left empty, an error icon appears next to that page. To complete the missing information, click Back. To exit without saving the configuration, click Cancel. When you have completed all edits and configuration, click Finish.