Configuring Your Network

Author: Minetta Gould

After testing your connection with one computer to DNSFilter servers, you can change your network configuration to point all outbound DNS traffic to our servers. This will ensure comprehensive filtering and security coverage for all devices on your network.

Depending on how your network is set up, you can configure DNSFilter on your: 

  • Router (good for smaller networks)
  • DHCP server (any network size; also used with NAT IPs)
  • Firewall (on its own, to force all query traffic to DNSFilter, or together with the router/DHCP options)
  • Active Directory (AD): configure DNSFilter as the Forward Zone on your Domain Controllers

Do not mix DNS Providers

Many DNS clients send queries to the configured servers in a round-robin style rather than strictly in order. Because of this, you must list only DNSFilter servers in your configuration.

If another provider is listed alongside DNSFilter, some queries will go to that provider instead of to us and will escape the filtering policies that you have set.

Do not assign DNS directly to endpoints

Do not assign DNSFilter's servers directly to your client devices, because it will break resolution of local named resources (servers, computers, printers).

It is far better to set DNSFilter as a DNS forwarder through the means outlined in this article.

Domain Controller Recommended Minimum

4 CPUs and 8 GB RAM


Router Configuration

Setting DNSFilter servers on the router is a common setup for smaller locations, such as in a small office/home office.

This configuration uses the router as a DNS forwarder. Queries from network clients go to the router for resolution, and the router then sends WAN queries through the network gateway to DNSFilter.

Use Cases:

  • Home / Personal
  • Small Offices
  • No Local Authentication (Active Directory, LDAP, Radius, etc.)

[Diagram: Configure Network 1.png]

Due to the variety of router manufacturers, DNSFilter does not provide directions for this procedure. Search Google for the instruction manual for your particular make and model of router, and add the DNSFilter Anycast IPs in the DNS forwarding section of your router's configuration.


DHCP Server Configuration

Use your DHCP server to give DNSFilter’s IPs directly to clients, but remember this will break local by-name resolution (e.g., Jeff-PC, Jane-Printer). On some networks this may not be an issue, such as Guest Wi-Fi.

This configuration is also desirable for utilizing our NAT IPs feature, which allows you to create multiple filtering policies that correspond to your network subnets.

Use Cases:

  • Guest Wi-Fi
  • No LAN Resources (printers, servers, resource sharing)
  • Utilizing the NAT IPs feature

[Diagram: Configure Network 1.png]

Due to the variety of equipment manufacturers, DNSFilter does not provide directions for this procedure.

If you are using a router, this setting is commonly found under the “DHCP Server” section of the configuration: replace the DNS server IPs with the DNSFilter Anycast IPs.

Cisco Meraki provides instructions to configure DHCP on their equipment.


Firewall Configuration 

Hardware firewalls / virtual appliances can be configured to forward DNS queries to DNSFilter, regardless of what network clients have set on their network adapters.

This is useful in scenarios where users are likely to attempt to circumvent the filtering by changing the DNS settings on their device.

It is also useful if your Internet Service Provider is running a transparent proxy (redirecting DNS queries to their own servers), because you can forward queries to port 5353 (UDP/TCP) or port 5354 (UDP only) instead of port 53.

Use Cases:

  • School networks
  • ISP has a transparent proxy
  • Locations where users have access to change their DNS settings

 

[Diagram: Configure Network 2.png]

To set this on your firewall, create either a NAT rule or a port-forwarding rule that redirects all outbound UDP and TCP port 53 traffic to DNSFilter's Anycast IPs.

You can check the Preventing Circumvention and Transparent Proxying articles for examples of firewall rules that can be set.
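The NAT or port-forwarding rule above only helps if you can confirm that no client is still reaching another resolver, and the earlier note about not mixing DNS providers makes the same point for the router or DHCP server list. The following Python script is an added example for this article, not DNSFilter's own tooling: it checks a configured DNS server list for non-DNSFilter entries and scans firewall flow-log lines for DNS-port traffic to public resolvers other than DNSFilter. The log format and the sample lines are constructed (documentation-range addresses stand in for third-party resolvers); the resolver addresses and ports are the ones this article lists. Adapt LOG_PATTERN to your firewall's export format.

```python
"""Audit where DNS traffic actually goes.  Added example for this article, not
DNSFilter code.  The flow-log format below is constructed; adapt LOG_PATTERN."""
import ipaddress
import re

# Resolver addresses quoted in the article (Anycast plus the DNSSEC-validating pair).
DNSFILTER_RESOLVERS = frozenset({
    "103.247.36.36", "103.247.37.37",   # Anycast
    "103.247.36.9", "103.247.37.9",     # DNSSEC-validating
})
# Ports DNSFilter listens on, per the article: plain DNS, the alternate ports, DNS-over-TLS.
DNS_PORTS = {53, 5353, 5354, 853}
# RFC 1918 space: traffic to an internal DC or Relay on these ranges is expected,
# because those hosts forward to DNSFilter themselves.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LOG_PATTERN = re.compile(
    r"proto=(?P<proto>udp|tcp)\s+src=(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample lines, not real captures.  198.51.100.53 and 203.0.113.53
# (RFC 5737 documentation ranges) stand in for public third-party resolvers.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z proto=udp src=10.0.1.25:51234 dst=103.247.36.36:53 action=allow
2024-05-01T10:00:02Z proto=udp src=10.0.1.40:40021 dst=198.51.100.53:53 action=allow
2024-05-01T10:00:03Z proto=tcp src=10.0.1.40:40022 dst=203.0.113.53:853 action=allow
2024-05-01T10:00:04Z proto=tcp src=10.0.1.12:44511 dst=203.0.113.10:443 action=allow
2024-05-01T10:00:05Z proto=udp src=10.0.2.7:53011 dst=103.247.37.37:5353 action=allow
2024-05-01T10:00:06Z proto=udp src=10.0.1.40:40023 dst=10.0.0.5:53 action=allow
""".splitlines()


def check_dns_server_list(servers):
    """Return the entries in a router/DHCP DNS server list that are not DNSFilter resolvers.
    Anything returned here means round-robin clients will send some queries past the filter."""
    return [s for s in servers if s not in DNSFILTER_RESOLVERS]


def _is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def find_dns_bypass(lines):
    """Flag flows to a DNS port whose destination is a public address other than DNSFilter."""
    findings = []
    for line in lines:
        m = LOG_PATTERN.search(line)
        if not m:
            continue                        # not a flow record we understand; leave it alone
        dport = int(m["dport"])
        if dport not in DNS_PORTS:
            continue                        # not DNS traffic
        dst = ipaddress.ip_address(m["dst"])
        if _is_internal(dst) or str(dst) in DNSFILTER_RESOLVERS:
            continue                        # local resolver or DNSFilter itself: expected
        findings.append({"src": m["src"], "dst": str(dst), "dport": dport, "proto": m["proto"]})
    return findings


def clients_to_review(findings):
    """Sorted, de-duplicated source addresses behind the findings."""
    return sorted({f["src"] for f in findings}, key=ipaddress.ip_address)


if __name__ == "__main__":
    print("mixed-in servers:", check_dns_server_list(["103.247.36.36", "198.51.100.53"]))
    hits = find_dns_bypass(SAMPLE_LOG)
    for hit in hits:
        print("bypass:", hit)
    print("clients to review:", clients_to_review(hits))
```

Run it against an export of your firewall's allowed outbound flows after the redirect rule is in place: any finding means the rule is not catching that path (a second egress, an IPv6 path, or DNS-over-TLS on 853 that a plain port 53 rule does not cover).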

Check packet size

The DNS protocol originally had a 512-byte maximum UDP packet size. Modern usage of the DNS protocol (EDNS0) can require packets of up to 4096 bytes.

If the firewall enforces a DNS packet-size limit below 4096 bytes (for example, the legacy 512-byte limit), larger replies are dropped and clients will see DNS timeouts. Please check your firewall ruleset to be certain.
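The following Python script, added here as an example rather than taken from DNSFilter, turns that check into something you can run from a client behind the firewall: it builds a DNS query carrying an EDNS0 OPT record that advertises a 4096-byte buffer, sends it to the Anycast addresses listed in this article, and reports whether a reply came back and whether the TC (truncated) bit was set. A timeout at 4096 bytes that disappears when you retry with a 512-byte buffer points to a size limit in the ruleset. The hand-built reply in constructed_truncated_reply() is a constructed sample used to exercise the parser offline; the query name is a parameter because the reply size depends on the zone you ask about (a DNSKEY query against a DNSSEC-signed zone is a common way to provoke a large reply).

```python
"""Check whether the path to a resolver honours EDNS0 buffer sizes above the
legacy 512-byte limit.  Added example for this article, not DNSFilter code."""
import random
import socket
import struct

# Anycast resolver addresses quoted in the article.
DNSFILTER_ANYCAST = ("103.247.36.36", "103.247.37.37")

OPT_TYPE = 41                   # EDNS0 OPT pseudo-RR (RFC 6891)
QTYPE_A, QTYPE_DNSKEY = 1, 48


def _encode_name(name):
    """Wire-encode a domain name as length-prefixed labels ending in a zero byte."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_query(name, qtype=QTYPE_A, udp_payload=4096, txid=None):
    """Build a recursive query carrying an OPT RR that advertises `udp_payload` bytes."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    # Flags 0x0100 = RD (recursion desired); 1 question, 0 answer, 0 authority, 1 additional (OPT)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = _encode_name(name) + struct.pack("!HH", qtype, 1)   # class IN
    # OPT RR: root name, TYPE=41, CLASS field carries the buffer size,
    # TTL field carries extended rcode/version/flags (all zero here), no RDATA.
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload, 0, 0)
    return header + question + opt


def _skip_name(data, pos):
    """Return the offset just past a (possibly compressed) name starting at `pos`."""
    while True:
        length = data[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:       # compression pointer: two bytes, and the name ends
            return pos + 2
        pos += 1 + length


def parse_response(data):
    """Extract what a packet-size check needs: TC bit, rcode, size, and the peer's OPT buffer size."""
    if len(data) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    pos = 12
    for _ in range(qd):                                   # question: name + QTYPE + QCLASS
        pos = _skip_name(data, pos) + 4
    peer_bufsize = None
    for _ in range(an + ns + ar):                         # walk every RR, looking for OPT
        pos = _skip_name(data, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10 + rdlen
        if rtype == OPT_TYPE:
            peer_bufsize = rclass                         # the buffer size the peer advertises
    return {
        "txid": txid,
        "rcode": flags & 0x000F,                          # 0 NOERROR, 2 SERVFAIL, 3 NXDOMAIN ...
        "truncated": bool(flags & 0x0200),                # TC: answer did not fit the buffer in use
        "answers": an,
        "size": len(data),
        "peer_bufsize": peer_bufsize,
    }


def check_resolver(server, name="example.com", qtype=QTYPE_DNSKEY, udp_payload=4096, timeout=3.0):
    """Live UDP probe (needs network).  A timeout here that goes away with udp_payload=512
    points at a firewall dropping DNS packets above a size limit."""
    query = build_query(name, qtype=qtype, udp_payload=udp_payload)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            data, _ = sock.recvfrom(max(udp_payload, 512))
        except socket.timeout:
            return {"server": server, "replied": False}
    result = parse_response(data)
    result.update(server=server, replied=True)
    return result


def constructed_truncated_reply(txid=0x1234):
    """Hand-built reply (constructed sample, not captured traffic): TC set, no answers,
    and an OPT RR in which the server advertises a 1232-byte buffer."""
    # 0x8380 = QR | TC | RD | RA with rcode NOERROR; 1 question, 0 answer, 0 authority, 1 additional
    header = struct.pack("!HHHHHH", txid, 0x8380, 1, 0, 0, 1)
    question = _encode_name("example.com") + struct.pack("!HH", QTYPE_A, 1)
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 1232, 0, 0)
    return header + question + opt


if __name__ == "__main__":
    print("offline sample:", parse_response(constructed_truncated_reply()))
    for server in DNSFILTER_ANYCAST:
        print(server, check_resolver(server))
```

If the 4096-byte probe times out while the same query with udp_payload=512 is answered with the TC bit set, the resolver is fine and the firewall is dropping the larger packet; clients will then retry over TCP port 53, so that path must be allowed as well.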


Active Directory Configuration 

Many larger organizations utilize Microsoft AD to manage their computing resources. DNSFilter can be configured as a Forward Zone so that your entire network is protected by a filtering policy.

Only a simple configuration change is required, and there is no interference on your LAN. You can also install our Roaming Client via Active Directory so that individual devices have different policies. This is useful in situations where staff or executives need to have an alternate policy from the main site.

As shown in the diagram below, the endpoints are already set to communicate with AD for DNS resolution.

When local queries are sent, the Domain Controllers resolve them. When an internet query is sent, the Domain Controller recognizes that it cannot resolve locally, so it will send the queries to DNSFilter for resolution. DNSFilter never sees or charges for your local queries.

 

[Diagram: Configure Network 3.png]

The fastest way to configure DNS forwarding is by logging on to the Domain Controllers and issuing the PowerShell command below to replace the forwarders with the DNSFilter Anycast IPs.

 

# Get the current list of forwarders 
# Useful to save before overwriting
Get-DnsServerForwarder

# Set forwarders to DNSFilter
Set-DnsServerForwarder -IPAddress '103.247.36.36','103.247.37.37' -UseRootHint $False -PassThru

 

You may also refer to the screencast below for the GUI method of replacement:

 

Once this has been set, changes will instantly take effect. This is because LAN devices already go to the Domain Controllers (DCs) for resolution. The DCs will now forward internet queries from all devices through DNSFilter and allow/block based on what you have set in the dashboard.

If you wish to put some devices on a different policy, you can install our Roaming Client via Active Directory.


Multi-Site Environments

In a multi-site environment, systems should be configured to use the DNS servers at their local site before those at a different site. This minimizes the amount of DNS traffic crossing slower WAN links.

[Diagram: Configure Network 4.png]

If you have a multi-site environment, but only a single DNS resolver for all sites, the site where the DNS resolver is located will ultimately determine the policies applied to the traffic for all sites.

To allow for site-specific policies (based on each site’s IP address), the DNS queries must not traverse your WAN and instead should go directly to DNSFilter via the respective site’s internet connection.

If placing DNS servers at each site is not feasible, there are a few solutions to ensure local domain DNS queries are resolved correctly, and internet domain DNS queries do not traverse your WAN to a single site:

Deploy Roaming Client

By installing our Roaming Client on the systems and configuring Local Domains, DNS queries for internal resources are sent to your internal DNS resolver, while DNS queries for internet domains are resolved by the Roaming Client, and the policies assigned to the Roaming Client are enforced.

Deploy Relay

By placing a Relay at each site that has no DNS resolver of its own and configuring Local Domains, DNS queries for internal resources are sent to your internal DNS resolver, while DNS queries for internet domains are resolved by the Relay. The policies assigned to that Relay and to that site's LAN subnet(s) are enforced.


Connection Ports / Protocols

DNSFilter Ports

To enable customers to overcome Transparent Proxying, DNSFilter receives DNS traffic on the following ports:

  • 53 (UDP/TCP)
  • 5353 (UDP/TCP)
  • 5354 (UDP)
  • 853 (TCP, DNS-over-TLS)

 

DNSSEC Support

DNSFilter fully supports DNSSEC by pointing your equipment to these DNS addresses:

  • 103.247.36.9
  • 103.247.37.9

However, DNSFilter only recommends using DNSSEC validation for organizations that understand two crucial points:

  • Low internet adoption – Most internet domains (including well-known email providers) do not support DNSSEC, which means turning the feature on will cause failures in resolving a large portion of internet domains. End users will perceive this as a failure of their ISP or of our service.
  • DNSSEC outages – Even domains which do support DNSSEC have been known to have failures that last several days or weeks.
