Network administrators can use this article to understand local domain and resolver use cases, and the options for configuring these settings for your DNS traffic.
What to know about using local domains
Does your organization only use .local domains for corporate resources?
We forward all requests for domains ending in .local to your originally configured DNS regardless of any other network specifications.
This means that if you only use .local (which is preferred per RFC 6762), you don’t need to take any steps below. Note that DNSFilter also automatically covers RFC 1918 private address in-addr.arpa reverse DNS PTR lookups to go to local DNS.
Why set up Local Domains and Resolvers?
Most corporate networks have some ‘source of truth’ for Split-Horizon DNS. This may include LAN-only domains such as BigCo.mycorp or local IPs returned for corporate resources such as internal.bigco.com.
When using DNSFilter in network-only configurations, typically this is solved by taking your current DNS resolving architecture and configuring our IP addresses as forwarders: anything the network can’t answer locally it forwards on to us. A common example of this would be configuring our forwarders with Active Directory.
Specifying local domains and resolvers in DNSFilter Roaming Clients or Relays communicates to the Client/Relay which domains should be sent to the network DNS server before the Client/Relay takes over.
How do Roaming Clients intercept DNS traffic?
Our Roaming Clients ‘take over’ DNS duties on the device they protect. In Windows, for instance, this can be seen as DNS being set to 127.0.0.2. This is a loopback IP that our service listens on; it takes your DNS requests, makes a few modifications and sends them on to DNSFilter for processing and enforcement of your policies.
Prior to taking over your DNS, we make note of your previously configured DNS server IPs and store them. We restore your original configuration (Static DNS server IPs or enable DHCP) when the agent is shut down, or as part of a reboot. If a DNS request is sent that ends in ".local", we also use your originally configured DNS server to resolve the request.
This means the specified local domains are not filtered by your policy, or logged in our system. Be sure to choose the domains carefully and keep the list as restrictive as possible.
✍️ Set your firewall to not block EDNS to keep local DNS resolution from failing. Here are the Windows and macOS instructions.
Configure local domains and resolvers for your network
Local domains can be set up from:
- The Roaming Client dashboard
- DHCP DNS Search Suffix
- A local domains flag during Roaming Client or DNS Relay installation
- The registry
Setup in the Roaming Client dashboard
Adding local domains and resolvers to the Roaming Client dashboard works for networks utilizing the agent for:
- Windows
- macOS
- iOS
- Chrome
Use the Local Domains feature of the Roaming Client dashboard to force DNS queries for a list of local domains to specific local resolvers.
🚨 IMPORTANT: Local resolvers must be added for the dashboard configuration to work. These do not default to your originally configured DNS like a .local address does. You don't need to add a complete list of your network resolvers: adding any IP from your network interface will suffice.
Example
Let's say a device in your network receives DNS server 192.168.0.1 from DHCP and you set up this local domain/resolver configuration in the dashboard:
Local Domains: dundermifflin.com
Local Resolvers: 192.168.100.1
When you request www.dundermifflin.com, the Roaming Client will receive the request and forward it to 192.168.100.1. If 192.168.100.1 is not reachable on your network or does not give a response, the Roaming Client will then forward the request to the DNS server configured for your network interface, 192.168.0.1. If that then fails, it will finally forward the request to our servers.
This feature provides a simple workaround for configuring local domains in situations such as:
- Unable to properly configure your DHCP’s DNS Search Suffix
- Not feasible to set local domains during Roaming Client install
- Too cumbersome to manage local domains via the registry
- LAN environments not suitable for the DNSFilter Relay
- The network's local domains constantly change and you need a quick and simple method to update the Roaming Clients without using DHCP’s DNS Search Suffix
- Multiple interfaces exist and the Roaming Client is unable to determine the correct interface to send queries for local domains (for example, some VPN clients operating in split-tunnel mode)
✍️ DNS resolution priority changes in situations where local domains are added to the DNSFilter dashboard and other network options.

| Rule | Example |
| --- | --- |
| Identical local domains configured using any of the other options will always take priority over identical local domains configured from the DNSFilter dashboard. | If the DNS Search Suffix provided by DHCP is acme.com and you also configure acme.com from the DNSFilter dashboard, the original DNS server configured on the network interface will take priority over the resolvers configured within the DNSFilter dashboard. |
| If the local domains configured on the DNSFilter dashboard are less specific than local domains configured using any of the other options, the resolvers specified on the dashboard will take priority. | If the DNS Search Suffix provided by DHCP is corp.acme.com and you configure acme.com from the DNSFilter dashboard, the DNS resolvers configured within the DNSFilter dashboard will take priority over the original DNS servers configured on the network interface. |
🚨 IMPORTANT: If you have a multi-site environment, keep in mind that DNS queries from Roaming Clients at ALL sites will use the local resolvers specified in the dashboard.
For example, depending on your network, this could result in local domain DNS queries from one office first traversing your site-to-site VPN or MPLS before reaching the resolver listed in the first position.
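To make the resolution order concrete, here is an added Python model (not DNSFilter's own code; the Roaming Client's actual selection logic is not published on this page) that encodes the behaviour described in the dundermifflin.com example and in the priority table above: .local names and RFC 1918 reverse lookups go to the originally configured DNS, dashboard local domains go to the dashboard resolvers and then fall back to the interface DNS and finally to DNSFilter, identical domains from other options beat the dashboard, and a less specific dashboard domain beats a more specific one from another option. The `DNSFILTER_UPSTREAM` label, the `other_domains` parameter (standing in for DHCP search suffix, install flag and registry entries) and the rule that a more specific dashboard domain also wins are assumptions of this model, not statements from the article.

```python
from ipaddress import ip_address, ip_network

# Placeholder label standing in for DNSFilter's own resolvers (assumption, not a real address).
DNSFILTER_UPSTREAM = "dnsfilter-upstream"

# RFC 1918 ranges whose reverse (PTR) lookups always go to the local DNS.
RFC1918_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]


def _normalize(name):
    """Lower-case and strip the trailing dot so comparisons are stable."""
    return name.lower().strip(".")


def _matches(qname, domain):
    """True if qname is the domain itself or a name beneath it."""
    q, d = _normalize(qname), _normalize(domain)
    return q == d or q.endswith("." + d)


def _best_match(qname, domains):
    """Return the most specific (longest) configured domain that matches qname, or None."""
    hits = [_normalize(d) for d in domains if _matches(qname, d)]
    return max(hits, key=len) if hits else None


def _is_private_ptr(qname):
    """True for a full IPv4 PTR name (a.b.c.d.in-addr.arpa) inside an RFC 1918 range."""
    q = _normalize(qname)
    suffix = ".in-addr.arpa"
    if not q.endswith(suffix):
        return False
    octets = q[: -len(suffix)].split(".")
    if len(octets) != 4:
        return False
    try:
        addr = ip_address(".".join(reversed(octets)))
    except ValueError:
        return False
    return any(addr in net for net in RFC1918_NETS)


def resolver_order(qname, interface_dns, dashboard_domains=(), dashboard_resolvers=(), other_domains=()):
    """Return the ordered list of resolvers the client would try for qname.

    interface_dns       -- DNS server IPs configured on the network interface (DHCP or static)
    dashboard_domains   -- Local Domains entered in the Roaming Client dashboard
    dashboard_resolvers -- Local Resolvers entered in the dashboard (required for the above to apply)
    other_domains       -- local domains from DHCP search suffix, install flag or registry (assumed name)
    """
    interface_dns = list(interface_dns)

    # .local names and private-range PTR lookups always use the originally configured DNS.
    if _matches(qname, "local") or _is_private_ptr(qname):
        return interface_dns

    # Dashboard local domains only take effect when local resolvers were also added.
    dash = _best_match(qname, dashboard_domains) if dashboard_resolvers else None
    other = _best_match(qname, other_domains)

    # Identical domain from another option wins over the dashboard entry.
    # (Assumption: if the dashboard domain is more specific than the other one, the dashboard also wins.)
    if other is not None and (dash is None or dash == other):
        return interface_dns

    # Dashboard domain: dashboard resolvers first, then interface DNS, then DNSFilter.
    if dash is not None:
        return list(dashboard_resolvers) + interface_dns + [DNSFILTER_UPSTREAM]

    # Anything else is filtered and logged by DNSFilter.
    return [DNSFILTER_UPSTREAM]


if __name__ == "__main__":
    # Constructed sample configuration matching the article's example.
    iface = ["192.168.0.1"]
    print(resolver_order("www.dundermifflin.com", iface, ["dundermifflin.com"], ["192.168.100.1"]))
    print(resolver_order("printer.local", iface))
    print(resolver_order("host.corp.acme.com", iface, ["acme.com"], ["10.1.1.1"], other_domains=["corp.acme.com"]))
```

Running the module prints the three resolver lists for the constructed inputs; the useful check when auditing a deployment is whether a name you expect to stay on the LAN ever produces a list ending in the DNSFilter entry, since that is the path on which it would be filtered and logged.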
DHCP DNS Search Suffix
DHCP Leases have an option to specify the domain ‘search suffix’ – so if you try to visit http://internal in your browser, it will iterate through the list of search suffix domains and try to visit internal.bigco.mycorp followed by internal.bigco.com. If you’re not familiar with how to configure this with Microsoft DHCP server, this article found on the web might help.
Passed during Roaming Client install
Each Roaming Client has options to pass this information as a configuration variable at install time. The downside to this implementation is that these localdomains remain even when you roam off the corporate network. They won’t be sent to DNSFilter for lookup, but will be sent to the local DNS for that network.
For example, Windows allows you to pass a LOCALDOMAINS= install flag.
Via registry
In Windows, you have the ability to directly specify the localdomains values in the registry (comma-separated). This option lets you easily update these values post-installation. For our branded Windows Roaming Client, this can be found at:
- HKLM\Software\DNSFilterAgent\Agent in the DNSDomainSuffixList key
- HKLM\Software\DNS Agent\Agent in the DNSDomainSuffixList key
Via DNS Relay
A final option for Local Domains resolution is to install our DNSFilter Relay on your corporate network. You would then hand out the IPs of two relay instances, and the relay can be configured with specific localdomains and the DNS IPs to hand those lookups to.