After successfully testing DNS Forwarding on a single device, use this article to update your network configuration to point all outbound DNS traffic to DNSFilter servers.
There are different network options available to forward DNS traffic. This article addresses some of the most common configurations and use cases, but ultimately use your best judgement based on your network configuration to complete this step and begin protecting your network from internet threats.
Important Notes
Review these notes before configuring DNS Forwarding on your network.
Avoid mixing DNS providers. Many DNS clients send queries to their configured resolvers in a round-robin style. If any non-DNSFilter resolver is listed, some queries will bypass DNSFilter's servers and go unfiltered, so list only DNSFilter servers in your configuration.
Do not assign DNS directly to devices. Do not assign DNSFilter's servers directly to your client devices, because this breaks resolution of local named resources such as servers, computers and printers. Instead, set DNSFilter as a DNS forwarder through one of the means outlined in this article.
Configure DNS Forwarding from any of these network settings:
Router | Setting DNSFilter servers on the router is a common setup for smaller locations, such as
DHCP Server | Configuring DNS Forwarding from the DHCP Server is ideal for utilizing NAT IPs, which allows for multiple filtering policies that correspond to network subnets. This setup works well for
Firewall | Set DNS Forwarding on a Firewall as a standalone configuration to force query traffic or in concert with router/DHCP options. This is useful in scenarios where users are likely to attempt to circumvent filtering by changing the DNS settings on their device. It is also useful if your Internet Service Provider is running a transparent proxy to forward queries to port 5353 or 5354 (UDP only). Forwarding DNS traffic from the Firewall is a common setup for
Entra ID (formerly Active Directory) | Many larger organizations utilize Microsoft Entra ID to manage their computing resources. DNSFilter can be configured as a Forward Zone to protect the entire network with a blanket filtering policy. Only a simple configuration change is required, and there is no interference on the LAN.
Multi-Site Environments | Multi-site environments can minimize DNS traffic crossing slower WAN links by configuring systems to use the DNSFilter servers at their local site.
Router
This configuration uses the router as a DNS forwarder. Queries from network devices go to the router for resolution, and the router then sends WAN queries through the network gateway to DNSFilter.
Router manufacturers have different steps to update DNS forwarding. Consult your router's documentation on DNS Forwarding to add the DNSFilter Anycast IPs to complete this configuration.
DHCP Server
Configuring DNS Forwarding with a DHCP Server assigns device traffic directly to DNSFilter's IPs.
Note that this configuration will break local by-name resolution (e.g. Jeff-PC; Jane-Printer). On some networks, such as guest Wi-Fi, this may not be an issue.
DHCP equipment manufacturers have different steps to update DNS forwarding. Consult the manufacturer's documentation on DNS Forwarding to add the DNSFilter Anycast IPs to complete this configuration.
If using a router, this setting is commonly found under the DHCP Server section of the configuration.
Firewall
Hardware firewalls / virtual appliances can be configured to forward DNS queries to DNSFilter, regardless of what network devices have set on their network adapters.
To set this on your firewall, create either a NAT rule or port-forwarding rule to set all UDP and TCP port 53 traffic to the DNSFilter Anycast IPs.
The Preventing Circumvention and Transparent Proxying articles have example firewall rules.
Check packet size
The DNS protocol originally had a 512-byte maximum UDP packet size. Modern usage of the DNS protocol (for example, EDNS0 and DNSSEC) can require packets of up to 4096 bytes.
If the firewall limits DNS packets to less than 4096 bytes, larger responses are dropped and DNS timeouts can result. Check your firewall ruleset to be certain.
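One way to perform the check above from a client behind the firewall, as an added example that is not part of the DNSFilter article: a small Python probe that sends the same query with a 512-byte and a 4096-byte EDNS0 buffer and reports whether a response arrives and whether it was truncated. The Anycast IPs are those quoted in the article; the zone to query is supplied on the command line, and querying its DNSKEY set is this example's assumption for producing a response larger than 512 bytes.

```python
import socket, struct, sys

DNSFILTER_ANYCAST = ["103.247.36.36", "103.247.37.37"]  # Anycast addresses quoted in the article

def encode_name(name):
    """Dotted name -> DNS wire-format labels (length byte + label, root terminator)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_edns_query(name, qtype=1, udp_payload=4096, txid=0x1234):
    """Recursive query plus an EDNS0 OPT record advertising udp_payload bytes."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set; 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, TYPE 41, CLASS = requester's UDP payload size,
    # TTL = extended RCODE/version/flags (all zero), empty RDATA.
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_payload, 0, 0)
    return header + question + opt

def parse_response(data, expected_txid):
    """Header fields that tell a firewall problem apart from a resolver problem."""
    if len(data) < 12:
        raise ValueError("response shorter than a DNS header")
    txid, flags, _qd, an, _ns, ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    return {"size": len(data),
            "truncated": bool(flags & 0x0200),  # TC: the answer did not fit in UDP
            "rcode": flags & 0x000F,
            "answers": an,
            "edns": ar > 0}  # an OPT record came back, so EDNS0 was negotiated

def probe(server, name, qtype, udp_payload, timeout=3.0):
    """Send one query over UDP/53; return parsed header fields, or None on timeout."""
    txid = 0x4242
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_edns_query(name, qtype, udp_payload, txid), (server, 53))
        try:
            data, _ = sock.recvfrom(65535)
        except socket.timeout:
            return None
    return parse_response(data, txid)

if __name__ == "__main__":
    # Usage: probe.py <zone>; a DNSSEC-signed zone's DNSKEY set is usually well over 512 bytes.
    for server in DNSFILTER_ANYCAST:
        for size in (512, 4096):
            result = probe(server, sys.argv[1], 48, size)  # qtype 48 = DNSKEY
            print(server, size, result or "TIMEOUT: large UDP DNS may be dropped by the firewall")
```

A 512-byte probe that returns with truncated set while the 4096-byte probe times out points at a middlebox dropping large UDP DNS rather than at the resolver.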
Entra ID (formerly Active Directory)
Configure DNSFilter as a Forward Zone to protect the entire network with a single filtering policy. The recommended minimum Domain Controller size for this deployment is 4 CPUs and 8GB RAM.
Larger organizations also find it useful to install Roaming Clients via Entra ID so individual devices have different filtering policies. This is beneficial in situations where staff or executives need alternate policies from the main site.
When local queries are sent, the Domain Controllers resolve them. When an internet query is sent, the Domain Controller recognizes that it cannot resolve locally, so it will send the query to DNSFilter for resolution. DNSFilter never sees or charges for your local queries.
Follow Microsoft's documentation to set conditional forwarders or configure DNS forwarding by logging on to the Domain Controllers and issuing the PowerShell command below to replace the forwarders with the DNSFilter Anycast IPs.
# Record the current list of forwarders before overwriting it
$previousForwarders = Get-DnsServerForwarder
$previousForwarders
# Replace the forwarders with the DNSFilter Anycast IPs and stop falling back to root hints
Set-DnsServerForwarder -IPAddress '103.247.36.36','103.247.37.37' -UseRootHint $False -PassThru
The changes instantly take effect once set. The Domain Controllers will now forward internet queries from all devices through DNSFilter and allow/block based on the filtering policy.
Multi-Site Environments
In a multi-site environment, systems should be configured to use the DNS servers at their local site before those at a different site. This minimizes the amount of DNS traffic crossing slower WAN links.
If you have a multi-site environment, but only a single DNS resolver for all sites, the site where the DNS resolver is located will ultimately determine the policies applied to the traffic for all sites.
To allow for site-specific policies (based on each site’s IP address), the DNS queries must not traverse the WAN and instead should go directly to DNSFilter via the respective site’s internet connection.
If placing DNS servers at each site is not feasible, there are a few solutions to ensure local domain DNS queries are resolved correctly, and internet domain DNS queries do not traverse the WAN to a single site:
Deploy Roaming Client. By installing a Roaming Client on the systems and configuring Local Domains, DNS queries for internal resources are sent to the internal DNS resolver, while DNS queries for internet domains are resolved by the Roaming Client and the policies assigned to that Roaming Client are enforced.
Deploy Relay. Deploy a Relay at each site without an existing DNS resolver and configure Local Domains. DNS queries for internal resources will be sent to the internal DNS resolver, while DNS queries for internet domains will be resolved by the Relay. Policies assigned to that Relay and that site’s LAN Subnet(s) will be enforced.