
DNS Assured Forwarding (DAF)

BloxOne Service Edge offers DAF, which maximizes security for your DNS traffic by enforcing DNS server policies you defined through BloxOne Threat Defense. Without DAF, BloxOne Threat Defense can enforce security policies only through DNS responses issued to DNS queries. Users can easily bypass DNS queries and obtain resolved IP addresses by using DoH (DNS over HTTPS) or DoT (DNS over TLS) to access blocked domains. When DAF comes into play, however, bypassing DNS queries becomes impossible, so all BloxOne Threat Defense policies can be enforced properly.

Essentially, DAF is a specialized firewall that blocks traffic to destinations that were not resolved by trusted DNS servers. You configure a list of trusted DNS servers; when DAF is enabled, DNS traffic to these servers, and traffic to destinations resolved by these servers, is not blocked. Trusted DNS servers can be local IP addresses in Service Edge, DNS servers running outside of Service Edge, any on-prem hosts running a DNS service, DNS servers in NIOS, or the local domain list configured for the DNS forwarding proxy. For information on how to add the list of trusted DNS servers, see Configuring Edge Settings. BloxOne Service Edge also provides a monitoring service that allows you to monitor trusted DNS violations. For information, see Monitoring Trusted DNS Violations.

  • If you set up firewall rules to block or implicitly deny traffic to the trusted DNS servers, you must remove or override these rules for the trusted DNS servers to function properly.
  • Sessions established after an FQDN was resolved remain open indefinitely; DAF does not block them.

The following diagram illustrates how DAF protects the traffic you trust and blocks IP addresses unknown to trusted DNS servers.

For DAF to take effect, enable the DAF service on your edge. For information on how to start the DAF service, see Enabling Services for BloxOne Service Edge. When you enable DAF, it performs specific functions to ensure that all BloxOne Threat Defense policies are properly enforced based on your configuration. For information about BloxOne Threat Defense policies, see Configuring Security Policies.

DAF enforces policies as follows:

  • It blocks the exposure of IP addresses contained in DNS responses delivered over DoH, so that BloxOne Threat Defense security policies can take effect.
  • When you enable DoH, it blocks all resolved IP addresses in DNS responses while DNS firewall rules are still in effect.
  • It respects the bypass code, which you can configure through BloxOne Threat Defense policies. See Configuring Bypass Codes.
  • It blocks queries to all untrusted resolvers.
  • It blocks IP addresses to all denied domains.
  • It blocks everything that the DNS resolver does not recognize.
  • It bypasses security rules used for traffic known to be safe.

When the DAF service is enabled, you can configure BloxOne Service Edge to do one of the following:

  • Drop packets that violate security policies and log the violations to the services log.
  • Log DAF violations only, without dropping the packets (learn-only mode), so that you can review the logs and decide on corrective actions. For information on how to enable these options, see Associating Profiles with Edges.
  • Route the DAF violation to a specific destination such as a remote site, a site-to-site VPN tunnel, or the next hop. For information, see Configuring Edge Settings.
  • Monitor DAF traffic to review DAF violations and create bypass rules when necessary. For information, see Monitoring DAF Violations.
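The following model is an added illustration of the enforcement rules listed above and of learn-only mode; it is not Infoblox code, and the resolver and destination addresses in it are constructed (RFC 5737 test ranges). It shows why DoH does not help a client reach a blocked destination: the encrypted answers are never seen by DAF, so the destinations they contain are never learned as trusted.

```python
from dataclasses import dataclass, field

DNS_PORTS = {53, 853}   # plain DNS and DoT; DoH on 443 looks like ordinary HTTPS


@dataclass
class DafModel:
    """Simplified DAF decision engine (added example, not the product's implementation)."""
    trusted_resolvers: set                      # constructed list of trusted DNS server IPs
    learn_only: bool = False                    # True: log violations but do not drop
    learned: set = field(default_factory=set)   # destination IPs seen in trusted answers
    violations: list = field(default_factory=list)

    def observe_dns_response(self, resolver_ip, answers):
        """Only answers issued by a trusted resolver make destinations reachable.
        Answers carried inside an encrypted DoH session are never observed, so
        they add nothing to the learned set."""
        if resolver_ip in self.trusted_resolvers:
            self.learned.update(answers)

    def new_session(self, dst_ip, dst_port):
        """Decide the fate of a new session: 'allow', 'drop' or 'log' (learn-only)."""
        if dst_port in DNS_PORTS and dst_ip in self.trusted_resolvers:
            return "allow"                      # DNS traffic to a trusted server
        if dst_ip in self.learned:
            return "allow"                      # destination resolved by trusted DNS
        reason = "untrusted resolver" if dst_port in DNS_PORTS else "unresolved destination"
        self.violations.append((dst_ip, dst_port, reason))
        return "log" if self.learn_only else "drop"


def demo(learn_only=False):
    """Walk one client through trusted resolution, a DoH detour, and the outcome."""
    daf = DafModel(trusted_resolvers={"10.0.0.53"}, learn_only=learn_only)
    # 1. The client resolves a public DoH server's name through the trusted resolver.
    daf.observe_dns_response("10.0.0.53", {"198.51.100.2"})
    results = [
        daf.new_session("10.0.0.53", 53),       # query to the trusted resolver
        daf.new_session("198.51.100.2", 443),   # HTTPS/DoH to a resolved host: allowed
        # 2. Answers inside that DoH session are invisible to DAF; the client then
        #    connects to an IP it obtained there, which was never learned.
        daf.new_session("203.0.113.99", 443),
        daf.new_session("198.51.100.53", 53),   # plain DNS to an untrusted resolver
    ]
    return results, daf.violations


if __name__ == "__main__":
    print(demo())                               # enforcing mode
    print(demo(learn_only=True))                # learn-only mode: same log, no drops
```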

Note

When you enable Log DAF violations and DAF Learn-only mode at the same time, BloxOne Service Edge logs all DAF violations, without dropping packets. To drop violation packets and to log DAF violations, enable only Log DAF violations. For more information, see Configuring Edge Settings.