After successfully testing DNS Forwarding on a single device, use this article to update your network configuration to point all outbound DNS traffic to DNSFilter servers.
There are different network options available to forward DNS traffic. This article addresses some of the most common configurations and use cases, but ultimately use your best judgement based on your network configuration to complete this step and begin protecting your network from internet threats.
Important Notes
Review these notes before configuring DNS Forwarding on your network.
➡️ Avoid mixing DNS providers. Many DNS clients do not strictly prefer the first server listed; they rotate between, or fail over to, any of the configured servers. Because of this, list only DNSFilter servers in your configuration, or some queries will bypass DNSFilter's servers and go unfiltered.
➡️ Do not assign DNSFilter directly to devices. Do not hand DNSFilter's servers directly to your client devices, because it will break resolution of local named resources such as servers, computers, and printers. Set DNSFilter as a DNS forwarder through one of the means outlined in this article.
Configure DNS Forwarding from any of these network settings:

| Option | Use case |
| --- | --- |
| Router | Setting DNSFilter servers on the router is a common setup for smaller locations, such as |
| DHCP Server | Configuring DNS Forwarding from the DHCP Server is ideal for utilizing NAT IPs, which allows for multiple filtering policies that correspond to the network. This setup works well for |
| Firewall | Set DNS Forwarding on a Firewall as a standalone configuration to force query traffic, or in concert with the router/DHCP options. This is useful where users are likely to attempt to circumvent filtering by changing the DNS settings on their device. It is also useful if your Internet Service Provider is running a transparent proxy that forwards queries to port 5353 or 5354 (UDP only). Forwarding DNS traffic from the Firewall is a common setup for |
| Active Directory | Many larger organizations use Active Directory to manage their computing resources. DNSFilter can be configured as a Forward Zone to protect the entire network with a blanket filtering policy. Only a simple configuration change is required, and there is no interference on the LAN. |
| Multi-Site Environments | Multi-site environments can minimize DNS traffic crossing slower WAN links by configuring systems to use the DNS servers at their local site. |
Router
This configuration uses the router as a DNS forwarder. Queries from network devices go to the router for resolution, and the router then sends WAN queries through the network gateway to DNSFilter.
Router manufacturers have different steps to update DNS forwarding. Consult your router's documentation on DNS Forwarding to add the DNSFilter Anycast IPs to complete this configuration.
DHCP Server
Configuring DNS Forwarding with a DHCP Server hands DNSFilter's IPs directly to clients as their DNS servers, so device queries go straight to DNSFilter.
Note that this configuration will break local by-name resolution (e.g. Jeff-PC; Jane-Printer). On some networks, such as Guest Wi-Fi, this may not be an issue.
DHCP equipment manufacturers have different steps to update DNS forwarding. Consult the manufacturer's documentation on DNS Forwarding to add the DNSFilter Anycast IPs to complete this configuration.
If using a router, this setting is commonly found under the DHCP Server section of the configuration.
Firewall
Hardware firewalls / virtual appliances can be configured to forward DNS queries to DNSFilter, regardless of what network devices have set on their network adapters.
To set this on your firewall, create a NAT (destination NAT) or port-forwarding rule that redirects all outbound UDP and TCP port 53 traffic to the DNSFilter Anycast IPs, whatever destination resolver the client asked for. Note that a port 53 redirect does not catch encrypted DNS (DNS over HTTPS on TCP 443 or DNS over TLS on TCP 853); if circumvention is a concern, those need to be blocked or handled separately.
The Preventing Circumvention and Transparent Proxying articles have example firewall rules.
Check packet size
The DNS protocol originally limited a message carried over UDP to 512 bytes. Modern usage (EDNS(0), DNSSEC, and large record sets) commonly needs UDP messages of up to 4096 bytes, and a resolver that has to truncate an answer sets the TC flag so the client retries over TCP port 53.
If the firewall drops DNS packets larger than 512 bytes, or blocks TCP port 53, clients can see DNS timeouts or failures. Check your firewall ruleset to be certain that both UDP and TCP port 53 are allowed and that no DNS inspection rule enforces the old 512-byte limit.
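A small probe for the packet-size check above, added here as an example; it is not DNSFilter's tooling. It builds a DNS query that advertises a 4096-byte UDP buffer (an EDNS(0) OPT record) and classifies the reply: an answer larger than 512 bytes shows large UDP responses are getting through, while a reply with the TC flag set means the resolver fell back to the classic limit and the client must retry over TCP/53. The self-check runs offline against constructed sample replies; `probe()` sends the same query to a real resolver, and the resolver address and query name in the commented live call are assumptions you replace with your own.

```python
"""EDNS(0) packet-size probe: build a 4096-byte-capable query, classify the reply."""
import socket
import struct

EDNS_BUFSIZE = 4096   # UDP payload size advertised in the OPT record
CLASSIC_LIMIT = 512   # pre-EDNS(0) maximum size of a DNS message over UDP
TXID = 0x1234         # fixed transaction id so the offline samples can echo it
QTYPE_TXT = 16        # TXT lookups are a cheap way to elicit a large answer


def encode_name(qname: str) -> bytes:
    """Wire-encode a domain name as length-prefixed labels plus the root label."""
    labels = [lbl for lbl in qname.rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def build_query(qname: str, qtype: int = QTYPE_TXT, bufsize: int = EDNS_BUFSIZE) -> bytes:
    """Return a wire-format DNS query carrying an EDNS(0) OPT pseudo-record."""
    # Header: id, flags (RD set), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT RR)
    header = struct.pack("!HHHHHH", TXID, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, TYPE 41, CLASS = advertised UDP size, TTL = ext-rcode/version/flags, RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", 41, bufsize, 0, 0)
    return header + question + opt


def inspect_response(resp: bytes) -> dict:
    """Pull the fields that matter for the size check out of a DNS reply."""
    if len(resp) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    rid, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != TXID:
        raise ValueError("transaction id mismatch: reply is not for our query")
    return {
        "size": len(resp),
        "truncated": bool(flags & 0x0200),   # TC bit
        "rcode": flags & 0x000F,
        "exceeds_512": len(resp) > CLASSIC_LIMIT,
    }


def classify(info: dict) -> str:
    """Map an inspected reply to a verdict on the firewall ruleset."""
    if info["truncated"]:
        return "truncated"      # large UDP answers are not getting through; TCP/53 must be open
    if info["exceeds_512"]:
        return "ok"             # an EDNS(0)-sized answer arrived over UDP
    return "inconclusive"       # answer fit in 512 bytes; pick a name with a bigger record set


def probe(server: str, qname: str, timeout: float = 3.0) -> dict:
    """Send the query to a resolver over UDP/53 and classify the reply (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(qname), (server, 53))
        reply, _ = sock.recvfrom(EDNS_BUFSIZE)
    info = inspect_response(reply)
    info["verdict"] = classify(info)
    return info


# Constructed sample replies (not captured from a real resolver) so the check runs offline.
# inspect_response only reads the header and the total length, so the body is zero padding.
def _constructed_reply(flags: int, total_len: int) -> bytes:
    body = struct.pack("!HHHHHH", TXID, flags, 1, 0, 0, 1) + build_query("example.com")[12:]
    return body + b"\x00" * max(0, total_len - len(body))


SAMPLE_TRUNCATED = _constructed_reply(0x8380, 400)   # QR|TC|RD|RA: resolver truncated to fit 512
SAMPLE_LARGE = _constructed_reply(0x8180, 1400)      # QR|RD|RA: a 1400-byte answer over UDP


if __name__ == "__main__":
    for label, sample in (("truncated", SAMPLE_TRUNCATED), ("large", SAMPLE_LARGE)):
        print(label, classify(inspect_response(sample)))
    # Live check (assumed values, uncomment to run): a DNSFilter Anycast IP and a name
    # you know returns a large TXT or DNSKEY record set.
    # print(probe("103.247.36.36", "example.com"))
```

Run the live probe from a client behind the firewall with a name whose TXT set you know exceeds 512 bytes; a `truncated` verdict from a resolver that answers the same query in full from outside the firewall points at a rule dropping large UDP/53 packets or blocking TCP/53.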
Active Directory
Configure DNSFilter as a Forward Zone on the Domain Controllers to protect the entire network with a single filtering policy. The recommended minimum Domain Controller size for this deployment is 4 CPUs and 8 GB RAM.
Larger organizations also find it useful to install Roaming Clients via Active Directory so individual devices have different filtering policies. This is beneficial in situations where staff or executives need alternate policies from the main site.
Domain Controllers resolve queries for local names themselves. When a Domain Controller receives an internet query it cannot resolve locally, it forwards that query to DNSFilter for resolution. DNSFilter never sees, or charges for, your local queries.
Follow Microsoft's documentation to set conditional forwarders or configure DNS forwarding by logging on to the Domain Controllers and issuing the PowerShell command below to replace the forwarders with the DNSFilter Anycast IPs.
```powershell
# Get the current list of forwarders
# Useful to save before overwriting
Get-DnsServerForwarder

# Set forwarders to DNSFilter
# Set-DnsServerForwarder replaces the whole forwarder list (Add-DnsServerForwarder would append);
# -UseRootHint $False stops the DC from falling back to root hints if the forwarders do not respond
Set-DnsServerForwarder -IPAddress '103.247.36.36','103.247.37.37' -UseRootHint $False -PassThru
```
The changes instantly take effect once set. The Domain Controllers will now forward internet queries from all devices through DNSFilter and allow/block based on the filtering policy.
Multi-Site Environments
In a multi-site environment, systems should be configured to use the DNS servers at their local site before those at a different site. This minimizes the amount of DNS traffic crossing slower WAN links.
In a multi-site environment using a single centralized DNS resolver, the Site hosting that resolver determines the policy applied to all DNS traffic.
To enforce site-specific policies based on each Site’s IP address, DNS queries must exit directly to DNSFilter from each Site’s local internet connection rather than traverse the WAN to a central resolver.
If deploying a DNS server at each Site is not feasible, use one of the following approaches to ensure local domains resolve internally and internet traffic does not traverse the WAN unnecessarily:
Deploy Roaming Client
In Classic DNS Filtering mode (default), configure Local Domains so internal queries resolve through the local DNS resolver while internet-bound queries are filtered by the assigned device policy.
In DNS PreCheck mode on supported Windows devices, internal queries follow the DNS resolver provided by the local network or VPN, and internet-bound queries are evaluated locally by the agent. This reduces WAN traversal and maintains site-specific policy enforcement.
Deploy Relay
Install a Relay at each Site without a local DNS resolver and configure Local Domains. Internal queries resolve through the internal DNS server, while internet-bound queries are handled by the Relay. Policies assigned to that Relay and the Site’s LAN Subnet(s) are enforced.