In this article
Important Notes
This feature is not applicable to networks with Active Directory. Windows DNS Server does not have a way to forward DNS based on subnet or internal IP address.
As well, you cannot utilize the NAT IP functionality with a Global policy. It must be a non-global policy belonging to a single organization.
DNSFilter’s NAT IPs feature allows up to 7 different policies using a single egress IP address. This facilitates separate content filtering and/or threat protection policies for different segments of your network, such as guest Wi-Fi, server farms, staff BYOD, and executive devices.
When we receive your DNS requests, we apply the specific policy based on the set of DNSFilter IP addresses used to contact us. We have 7 sets of IPs which all utilize the same global infrastructure.
Within your network, you must configure the devices to resolve the specific set of DNS addresses you have configured in the DNSFilter Dashboard policy (explained in the next section).
Note the DNS IPs assigned to the devices in the diagram below (.101, .102, etc.)
Create NAT IP policies
NAT IP policies are created by following the instructions in the site deployment guide pertaining to creating a filtering policy
On the Advanced tab, there will be a location for setting NAT IP policy addresses:
There are 7 choices, allowing for 7 different policies to be active on your network.
After creating policies with different NAT IP addresses, you can move on to configuring your network devices. NAT IP policies should not be assigned to a site on the dashboard. Rather, the main site policy should be assigned to your network.
Configure NAT IPs
The final step in configuring NAT IPs is to point to the NAT IP addresses that you have set. There are a few options for this:
DHCP Handout
You can configure your DHCP server to hand out different DNS addresses based on the internal LAN subnet. For example, say your Guest subnet is 192.168.10.0/24, your Staff subnet is 192.168.20.0/24, and your Executive subnet is 192.168.30.0/24. You could assign a normal “Guest” policy to your network in the Dashboard. Then you could create two NAT IP policies, one for staff and one for Executives. Then you could adjust the DHCP options for those subnets to point to the NAT IPs for that policy.
Direct Assignment
If the number of devices for a NAT IP policy is small, and you have control over the endpoint devices - then direct assignment is an easy way to utilize NAT IPs. You can simply go to the DNS settings on the device and change them to point to your NAT IP policy.
Test NAT IPs
You can ensure that your NAT IP policies and network devices are configured properly by adding a different test domain to the Block list for each policy. Then ensure the devices see a block page for the specific domain which was set up on their NAT IPs policy.
Comments
0 comments
Please sign in to leave a comment.