What are Local Domains?
Most corporate networks have some ‘source of truth’ for split-horizon DNS. This may include LAN-only domains such as BigCo.mycorp, or local IPs returned for corporate resources such as internal.bigco.com.
When using DNSFilter in network-only configurations, this is typically solved by taking your current DNS resolving architecture and configuring our IPs as forwarders: anything it can’t answer locally, it forwards on to us. A common example of this would be configuring our forwarders with Active Directory.
Specifying a local domain in DNSFilter Roaming Clients or DNSFilter Relay communicates to the client/relay which domains should be sent to the DNS server configured before the Client/Relay takes over.
Roaming Clients and DNS Interception
Our roaming clients operate by ‘taking over’ DNS duties on the machine in question. In Windows, for instance, this can be seen as DNS being set to 127.0.0.2. This is a loopback IP that our service listens on; it takes your DNS requests, makes a few modifications and sends them on to DNSFilter for processing and enforcement of your policies.
Prior to taking over your DNS, we make note of your previously configured DNS IPs. We store these and use them for any local domain lookups ending with .local. We restore your original configuration (static DNS IPs) or re-enable DHCP when the agent is shut down, or as part of a reboot.
Note: This means the specified local domains are not filtered by your policy or logged in our system. Be sure to choose the domains carefully and keep the list as restrictive as possible.
Options for Specifying Local Domains
There are a few options for conveying local domain information to our roaming clients. We’ll summarize them here, the pros and cons, and then dive into how to configure each.
We forward all requests for domains ending in .local to your originally configured DNS regardless of which option you specify below, so if you are only using .local, which is preferred per RFC 6762, you don’t need to take any of the steps below. We also automatically send in-addr.arpa reverse DNS (PTR) lookups for RFC 1918 private addresses to local DNS.
Configured via DNSFilter Dashboard
In most cases, this is the preferred option: use the Local Domains feature of the Roaming Client to force DNS queries for a list of local domains to specific local resolvers. This feature provides a simple workaround for configuring local domains in situations such as:
- Unable to properly configure your DHCP’s DNS Search Suffix
- Not feasible to set local domains during Roaming Client install
- Too cumbersome to manage local domains via the registry
- LAN environments not suitable for the DNSFilter Relay
- Local Domains constantly changing and you wish to have a quick and simple method to update the Roaming Clients without using DHCP’s DNS Search Suffix
- Multiple interfaces exist and the Roaming Client is unable to determine the correct interface to send queries for local domains (for example, some VPN clients operating in split-tunnel mode)
Configuring Local Domains via the DNSFilter Dashboard will determine the priority of Local Domain resolution:
- Identical Local Domains which are configured using any of the other options will always take priority over identical Local Domains configured from the DNSFilter Dashboard. Example: If your DNS Search Suffix provided by DHCP is acme.com and you also configure acme.com from the DNSFilter Dashboard, the original DNS server configured on the network interface will take priority over the resolvers configured within the DNSFilter Dashboard.
- If the Local Domains configured on the DNSFilter Dashboard are ‘less specific’ than Local Domains configured using any of the other options, the resolvers specified on the Dashboard will take priority. Example: If your DNS Search Suffix provided by DHCP is corp.acme.com and you configure acme.com from the DNSFilter Dashboard, the DNS resolvers configured within the DNSFilter Dashboard will take priority over the original DNS servers configured on the network interface.
IMPORTANT: If you have a multi-site environment, keep in mind that DNS queries from Roaming Clients at ALL sites will use the Local Resolvers you specify in the Dashboard. For example, depending on your network, this could result in local domain DNS queries from one office having to first traverse your site-to-site VPN or MPLS before reaching the resolver listed in the first position.
DHCP DNS Search Suffix
DHCP leases have an option to specify the domain ‘search suffix’, so if you try to visit http://internal in your browser, it will iterate through the list of search suffix domains and try to visit internal.bigco.mycorp followed by internal.bigco.com. If you’re not familiar with how to configure this with Microsoft DHCP server, this article found on the web might help.
Passed during Roaming Client Install
Each Roaming Client has options to pass this information as a configuration variable at install time. The downside to this implementation is that these local domains remain in effect even when you roam off the corporate network. They won’t be sent to DNSFilter for lookup, but will be sent to the local DNS for that network.
For example, Windows allows you to pass a LOCALDOMAINS= install flag. You can find the specific documentation for each Roaming Client here:
- Windows Roaming Client
- MacOS Roaming Client
- DNSFilter Relay
- Android Roaming Client
- iOS Roaming Client
In Windows, you can directly specify the localdomains values in the registry (comma-separated). This option lets you easily update these values post-installation. For our branded Windows roaming client, this can be found at:
HKLM\Software\DNSFilterAgent\Agent in the DNSDomainSuffixList key
While our Whitelabel MSP Version locates it at:
HKLM\Software\DNS Agent\Agent in the DNSDomainSuffixList key
A final option for local domain resolution is to install our DNSFilter Relay on your corporate network. You would then hand out the IPs of two Relay instances, and the Relay can be configured with specific local domains and the DNS IPs to hand those lookups to.
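The routing rules described on this page, modelled as an added Python example (not DNSFilter's own code) to show which queries end up outside policy filtering and logging. The function names and the three destination labels are hypothetical; matching suffixes on label boundaries, and sending a query to the Dashboard resolvers when the Dashboard entry is more specific than another option's entry, are assumptions the page does not specify.

```python
import ipaddress

# RFC 1918 private ranges; their reverse (PTR) lookups stay on local DNS.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
REV = ".in-addr.arpa"

def parse_suffix_list(value):
    """Split a comma-separated local-domain list (the DNSDomainSuffixList format)."""
    return [s.strip().strip(".").lower() for s in value.split(",") if s.strip()]

def matches(qname, suffix):
    """Assumed label-boundary match: 'acme.com' covers 'x.acme.com', not 'notacme.com'."""
    return qname == suffix or qname.endswith("." + suffix)

def is_rfc1918_ptr(qname):
    """True for in-addr.arpa names that fall inside an RFC 1918 range."""
    if not qname.endswith(REV):
        return False
    octets = qname[:-len(REV)].split(".")[::-1]
    octets += ["0"] * (4 - len(octets))  # pad partial zones such as 10.in-addr.arpa
    try:
        addr = ipaddress.ip_address(".".join(octets))
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)

def route(qname, other, dashboard=()):
    """Return 'interface-dns', 'dashboard-resolvers' or 'dnsfilter' for one query.

    other:     suffixes from DHCP search suffix, install flag or registry
    dashboard: suffixes configured in the Dashboard
    """
    q = qname.rstrip(".").lower()
    if matches(q, "local") or is_rfc1918_ptr(q):
        return "interface-dns"            # always sent to the original DNS
    dash = [s for s in dashboard if matches(q, s)]
    if any(s in other for s in dash):
        return "interface-dns"            # identical entry: other option wins
    if dash:
        return "dashboard-resolvers"      # less specific Dashboard entry wins
    if any(matches(q, s) for s in other):
        return "interface-dns"
    return "dnsfilter"                    # filtered and logged

def bypasses_policy(qname, other, dashboard=()):
    """Queries not sent to DNSFilter are neither filtered nor logged."""
    return route(qname, other, dashboard) != "dnsfilter"
```

Running `bypasses_policy` over a sample of real query names against a proposed list shows how much traffic an overly broad entry (for example a bare `com`) would remove from filtering.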