Versa Networks

Configure DNS Proxy for Concerto

For supported software information, see Supported Software Information, below.

A DNS proxy intercepts incoming Domain Name System (DNS) requests from a client and redirects them to a DNS server. The DNS server then resolves the DNS queries either using information in its DNS cache or by forwarding requests to other DNS servers.

You can configure a Concerto device to act as a DNS proxy. To do this, you create a DNS proxy profile that defines the DNS resolvers to use to resolve the domain names received in DNS requests, and you define which interfaces and source NAT (SNAT) pools to use to reach the DNS resolvers. You then create DNS profiles that define the domain name patterns and types to be resolved by a DNS proxy profile, and you associate these profiles with DNS policies.

You can configure multiple DNS servers to ensure that incoming DNS requests are sent to the appropriate DNS server or servers. For example, the DNS path selection mechanism can send corporate DNS queries to a corporate DNS server while sending other queries to the ISP's DNS servers.

To direct incoming DNS requests to other DNS servers, you create a redirection rule in a DNS policy, and you then associate a DNS proxy profile with the rule. You can configure multiple redirection rules. You can also configure a redirection rule that responds to a domain name with a static IP address.

Create a DNS Proxy Policy

You can create a DNS proxy policy as part of a main template, or you can create it separately and then associate it with a main template. For more information on main templates, see Configure Main Templates.

  • To create a DNS proxy policy for an existing main template:
    1. In Tenant view, select Configure > SD-WAN > Main Templates.
    2. Select the main template for which you want to configure the policy.
    3. Click the workflow step for Network Services (here, step 4). The screen displays with the Carrier Grade NAT (CGNAT) tab selected by default.
    4. Click the DNS Proxy tab, and then click Add New DNS Proxy Policy.

      main-template-dns-proxy.png
    5. Continue to Configure a DNS Proxy Policy, below.
  • To create a DNS proxy policy separately from a main template:
    1. In Tenant view, select Configure > Secure SD-WAN > Network Services > DNS Proxy.

      dns-proxy.png
      • If you have not yet configured a DNS proxy policy, click Add New DNS Proxy Policy. 
      • If you have configured one or more DNS proxy policies, the following screen displays.

        dns-proxy-policy-home.png
    2. Select the Policy tab, and click the + Add icon.
    3. Continue to Configure a DNS Proxy Policy, below.

Configure a DNS Proxy Policy

Complete the following workflow to configure a DNS proxy policy. 

add-dns-proxy-rules.png

  1. In workflow step 1, Rules, click Add Redirection Rules.

    add-dns-policy1.png
  2. Complete the following workflow to add a redirection rule.

    redirection-rules-workflow.png
    1. Select step 1, Source and Destination Traffic.
      1. Select the Source Addresses tab, and enter information for the following fields. By default, all source and destination traffic is included. You can specify the source and destination addresses and zones from which traffic originates. 

        redirection-rules-source-destination-traffic.png
         
        Field Description
        Address Groups: Select one or more source address groups from which traffic originates, or use the search box to find a source address group. To add a new address group, click the + Add icon. See Configure Reusable Objects.
        Address Objects: Select one or more source address objects from which traffic originates, or use the search box to find a source address object. To add a new address object, click the + Add icon. See Configure Reusable Objects.
        IP Range: Enter one or more IP address ranges, for example, 10.2.1.1-10.2.2.2.
        Subnets: Enter one or more IP subnets, for example, 10.1.1.0/24.
        Wildcards: Enter one or more IP wildcards, for example, 192.168.0.56/255.255.0.255.
      2. Click the Destination Addresses tab, and select one or more destination address groups and address objects to which traffic is sent, or use the search box to find destination address groups and address objects. You can also enter IP ranges, subnets, and wildcards for the rule to match. The fields are the same as for the Source Addresses, described above.
      3. Select the Source Zones tab and enter information for the following fields.

        redirection-rules-source-zone.png
         
        Field Description
        Source Zones: Select one or more source zones.
        Ingress Routing Instance: Select an ingress routing instance.
      4. Select the Destination Zones tab, and then enter the information for the destination zone. The fields are the same as for the Source Zones, described above.

    2. Click Next or select step 2, Users and User Groups. By default, all users and user groups are included. To customize the specific users or groups to be included, enter the following information.

      redirection-rules-users-groups.png

      1. Select the user type to match from All Users, Known Users, Unknown Users, and Selected Users.
      2. If you select Selected Users, the following options display.

        redirection-rules-users-groups-selected-users.png
      3. Select a Users and Groups Profile. For more information, see Configure User and Device Authentication.
      4. Select the User Groups tab to search for and select user groups.
      5. Select the Users tab to search for and select users. 
    3. Click Next or select step 3, Source and Destination Geo Location, to specify the geographic regions for source and destination traffic. Geolocation refers to the use of location technologies such as IP addresses to identify and track the whereabouts of connected electronic devices. By default, devices in all locations are included. To customize the rule, select the countries, states, or cities to include.
      1. On the Source Address tab, click Select Country to select one or more countries.
      2. Click the Destination tab, and then click Select Country to select one or more countries. 

        redirection-rules-geo-location.png
    4. Click Next or select step 4, DNS Headers, to define DNS operation codes and matching criteria for incoming packets. 

      redirection-rules-dns-header.png
      1. In the Operating Code field, select the type of DNS operation code to which the rule applies:
        • IQuery—Send a request for an inverse DNS query command.
        • Notify—Send a request for a DNS notify command.
        • Query—Send a request for a DNS query command.
        • Status—Send a request for a DNS status command.
        • Update—Send a request for a DNS update command.
      2. For each request type, you must enter additional information, as described in the following steps.
        • If you select the IQuery request type, enter the IPv4 or IPv6 addresses to which to send an inverse query. Click the Add icon to add one or more IP addresses.

          redirection-rules-dns-header-iquery.png
        • If you select the Query request type, enter information for the following fields.

          redirection-rules-dns-header-query.png
           
          Field Description
          Query Type: Select the DNS resource record (RR) types to query:

          • A
          • A6
          • AAAA—IPv6 address
          • AFSDB—AFS database location
          • ALL—All resource record types
          • APL—Address prefix list
          • ATM—ATM address
          • AXFR—Asynchronous Transfer Full Range 
          • CAA—Certification Authority Authorization
          • CERT—Certificates
          • CNAME—Canonical name for an alias
          • DHCID—DHCP ID
          • DNSKEY—DNS key
          • DS—Delegation signer
          • EID—Endpoint identifier
          • GPOS—Geographical position
          • HINFO—Host information
          • HIP—Host identity protocol
          • ISDN—ISDN address
          • ISECKEY—IPsec key
          • IXFR—Incremental transfer
          • KEY—Security key
          • KX—Key exchanger
          • LOC—Location information
          • MAILA—Mail agent route records
          • MAILB—Mailbox-related route records (MB, MG, or MR)
          • MB—Mailbox domain name
          • MD—Mail destination
          • MF—Mail forwarder
          • MG—Mail group member
          • MINFO—Mailbox or mail list information
          • MR—Mail rename domain name
          • MX—Mail exchange
          • NAPTR—Naming authority pointer
          • NIMLOC—Nimrod locator
          • NINFO—Identical to TXT RR [RR56]
          • NS—Authoritative name server
          • NSAP
          • NSAP-PTR—Domain name pointer for an NSAP style
          • NSEC—Authenticated denial of existence
          • NSEC3—Authenticated denial of existence
          • NSEC3PARAM—NSEC3 parameters
          • NULL—Null resource record
          • NXT—Next domain
          • OPT—Options
          • PTR—Domain name pointer
          • PX—X.400 mail mapping information
          • RKEY—Record key
          • RP—Responsible person
          • RRSIG—Resource record digital signature
          • RT—Route through
          • SIG—Security signature
          • SINK—Kitchen sink
          • SOA—Marks the start of a zone of authority
          • SPF—Sender policy framework
          • SRV—Server selection
          • SSHFP—SSH key fingerprint
          • TALINK—Trusted anchor link
          • TKEY—Transaction key
          • TSIG—Transaction signature
          • TXT—Text strings
          • WKS—Well-known service description
          • X25—X.25 PSDN address
          Domain Name: Enter the domain name.
          Negate: Click to apply the rule to any query type and domain name, except those selected.
        • If you select the Notify or Status request type, click the Add icon to add zone names.

          redirection-rules-dns-header-notify.png 
        • If you select the Update request type, click the Add icon to add domain names.

          redirection-rules-dns-header-update.png
    5. Click Next or select step 5, DNS Action, to define the proxy settings for the rule.
      1. For Use Proxy Profile Settings action, enter information for the following fields.

        redirection-rules-dns-action.png
         
        Field Description
        DNS Proxy Profile: Select a DNS proxy profile to associate with the redirection rule. Click Create New to add a proxy profile. For more information, see Configure a DNS Proxy Profile, below.
        Number of Domains To Cache: Enter the number of DNS domains to cache. The DNS server uses information in its cache to respond to DNS queries. When a DNS domain entry in the cache times out depends on the TTL value in the DNS response, as defined in the DNS protocol.
        Range: 0 through 65535
        DNS-64 Prefix: Enter the DNS64 prefix to use for network address translation from IPv6 clients to IPv4 servers.
        Cache TTL Upper Limit: Enter the upper limit of the time to live for the network obfuscation cache, in seconds.
        Override Question: Enter the domain name with which the DNS proxy overrides the domain name in the question section before it sends the query to the server. When the DNS proxy forwards the response to the client, it restores the original domain name.
        Only IPv4 WAN Available: Click the toggle to enable this setting when the WAN uses only IPv4.
        Default: Disabled
        Apply Policy-Based Forwarding: Click the toggle to look up SD-WAN policy rules to determine the path on which to send the DNS query.
        Default: Disabled

      2. If you select Use Server Settings, enter information for the following fields.

        redirection-rules-dns-action1.png
        Field Description
        IP Address: For type A/AAAA DNS queries only, enter the static IPv4 or IPv6 address to send in the response to a DNS query.
        IP SLA Monitor: Select a monitor object to evaluate the state of the IP addresses configured in the resolver. The evaluation is done when checking the availability of the DNS server using the method configured in the Mode field. Based on the results of the evaluation, the traffic is sent accordingly. Click the Add icon to add a monitor.
        If you do not select a monitor object, all the IP addresses configured in the resolver appear active regardless of their actual status.

      3. To take no action, select None (this is the default).
    6. Click Next or select step 6, Review and Submit.
      1. In the General section, enter information for the following fields.

        general-page.png
         
        Field Description
        Name: Enter a name for the rule.
        Description: (Optional) Enter a description for the rule.
        Tags: (Optional) Enter one or more tags. A tag is an alphanumeric text descriptor with no spaces or special characters. You can add multiple tags to the same object. Tags are used to search for objects.
        Logging Enabled: Click the toggle to enable logging for the rule.
        Default: Disabled

      2. For all other sections, review the information. To make changes, click the Edit icon.
      3. Click Add Redirection Rules. The Redirection Rules screen displays the saved rule.

        add-dns-proxy-redirect.png
  3. Click Next or select step 2, DNS Settings, to configure DNS cache details.

    add-dns-proxy-dns-settings.png
     
    Field Description
    Enable Domain Cache: Click to disable the domain cache. By default, the domain cache is enabled.
    • Cache Size: Enter the domain cache size, in GB.
    • Maximum TTL: Enter the maximum TTL to cache, in seconds. When a DNS domain entry in the cache times out depends on the TTL value in the DNS response, as defined in the DNS protocol.
  4. Click Next or select step 3, Permissions. Change the permissions for one or more roles, if needed.

    add-dns-proxy-permissions.png
  5. Click Next or select step 4, Review and Submit.
  6. In the General section, enter a name for the DNS proxy policy and, optionally, a description and a tag.

    add-dns-proxy-review.png
  7. For all other sections, review the information. To make changes, click the Edit icon.
  8. Click Submit.
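The redirection-rule evaluation described in the introduction (corporate names to the corporate resolver, everything else to the ISP) and in workflow steps 1, 4 and 5 above, as an added Python example that is not Versa code and does not talk to a Concerto device. It models a rule's source-address criteria (IP range, subnet, wildcard), its DNS header criteria (operation code, query type, domain name, Negate) and its action (proxy profile, static A/AAAA answer, or None), with first-match-wins ordering. The names SourceMatch, DnsHeaderMatch, Rule and evaluate, the sample rules and addresses, the fall-through for a static rule hit by a non-A/AAAA query, and the interpretation of the wildcard mask (a set mask bit means that bit must match, so 192.168.0.56/255.255.0.255 matches 192.168.x.56) are assumptions of this example, not behaviour documented on this page.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of a Concerto DNS redirection rule; field names follow the UI
# steps on this page, but the classes and matching logic are assumptions of this example.


@dataclass
class SourceMatch:
    """Source Addresses step: IP ranges, subnets and wildcards. Empty means 'all traffic'."""
    ranges: list = field(default_factory=list)     # "10.2.1.1-10.2.2.2"
    subnets: list = field(default_factory=list)    # "10.1.1.0/24"
    wildcards: list = field(default_factory=list)  # "192.168.0.56/255.255.0.255"

    def matches(self, ip: str) -> bool:
        if not (self.ranges or self.subnets or self.wildcards):
            return True  # default: all source traffic is included
        addr = ipaddress.ip_address(ip)
        for r in self.ranges:
            lo, hi = (ipaddress.ip_address(p) for p in r.split("-"))
            if lo.version == addr.version and lo <= addr <= hi:
                return True
        for s in self.subnets:
            if addr in ipaddress.ip_network(s, strict=False):
                return True
        for w in self.wildcards:
            base_s, mask_s = w.split("/")
            base, mask = ipaddress.ip_address(base_s), ipaddress.ip_address(mask_s)
            # Assumed wildcard semantics: a set bit in the mask means "this bit must match",
            # so 192.168.0.56/255.255.0.255 matches 192.168.<anything>.56.
            if addr.version == base.version and (int(addr) & int(mask)) == (int(base) & int(mask)):
                return True
        return False


@dataclass
class DnsHeaderMatch:
    """DNS Headers step: operation code, query types and domain name, with optional Negate."""
    opcode: str = "Query"                          # IQuery, Notify, Query, Status or Update
    query_types: set = field(default_factory=set)  # RR types such as {"A", "AAAA"}; empty = any
    domain_name: Optional[str] = None              # the name itself or any name below it
    negate: bool = False

    def matches(self, opcode: str, qtype: str, qname: str) -> bool:
        if opcode != self.opcode:
            return False
        hit = not self.query_types or "ALL" in self.query_types or qtype in self.query_types
        if self.domain_name:
            name, suffix = qname.rstrip(".").lower(), self.domain_name.rstrip(".").lower()
            hit = hit and (name == suffix or name.endswith("." + suffix))
        # Negate applies the rule to every query type and domain name except those selected
        return (not hit) if self.negate else hit


@dataclass
class Rule:
    name: str
    source: SourceMatch
    header: DnsHeaderMatch
    action: str                          # "proxy", "static" or "none" (DNS Action step)
    proxy_profile: Optional[str] = None  # Use Proxy Profile Settings
    static_ip: Optional[str] = None      # Use Server Settings: static A/AAAA answer


def evaluate(rules, src_ip, opcode, qtype, qname):
    """Return (rule name, action, argument) for the first rule that matches, assuming
    rules are evaluated in the order they are listed (an assumption of this example)."""
    for rule in rules:
        if not (rule.source.matches(src_ip) and rule.header.matches(opcode, qtype, qname)):
            continue
        if rule.action == "static":
            # The page states static answers apply to A/AAAA queries only; other query
            # types fall through to the next rule here (an assumption of this example).
            if qtype not in ("A", "AAAA"):
                continue
            return rule.name, "static", rule.static_ip
        if rule.action == "proxy":
            return rule.name, "proxy", rule.proxy_profile
        return rule.name, "none", None
    return None, "none", None


# Constructed sample policy: corporate names from the corporate LAN go to the corporate
# resolvers, one name gets a static answer, and hosts ending in .56 under 192.168/16
# send everything except corporate names to the ISP resolvers.
RULES = [
    Rule("corp-dns", SourceMatch(subnets=["10.0.0.0/8"]),
         DnsHeaderMatch(query_types={"A", "AAAA"}, domain_name="corp.example"),
         action="proxy", proxy_profile="corp-resolvers"),
    Rule("static-answer", SourceMatch(),
         DnsHeaderMatch(domain_name="portal.example"),
         action="static", static_ip="192.0.2.1"),
    Rule("non-corp-to-isp", SourceMatch(wildcards=["192.168.0.56/255.255.0.255"]),
         DnsHeaderMatch(domain_name="corp.example", negate=True),
         action="proxy", proxy_profile="isp-resolvers"),
]

if __name__ == "__main__":
    for query in [("10.1.2.3", "Query", "A", "intranet.corp.example."),
                  ("10.1.2.3", "Query", "A", "portal.example"),
                  ("192.168.7.56", "Query", "A", "www.example.net"),
                  ("192.168.7.56", "Query", "A", "mail.corp.example")]:
        print(query, "->", evaluate(RULES, *query))
```

The point to check when you build a real policy in the same way is the third rule: with Negate set, the rule matches every name except corp.example, so a corporate query from a wildcard-matched host that no earlier rule covers falls off the end and gets no action.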

Configure a DNS Proxy Profile

  1. In Tenant view, select Configure > Secure SD-WAN > Network Services > DNS Proxy.

    dns-proxy.png
    • If you have not yet configured a DNS proxy profile, select the Profile tab, and then click Add New DNS Proxy Profile.
    • If you have configured one or more DNS proxy profiles, select the Profile tab. The following screen displays.

      add-dns-proxy-dns-profile.png
  2. Click the Add icon. The Add DNS Proxy Profile screen displays.
  3. In the Add DNS Proxy Profile screen, click workflow step 1, Availability Mode, to select the mode to use to check the availability of the server:
    • Failover—Click to redirect the traffic through another resolver if the resolver fails or is not reachable. This is the default.
    • Round Robin—Click to use a round-robin method to distribute traffic among the resolvers. This ensures that no one endpoint receives more traffic than the other endpoints.

      add-dns-proxy-profile.png 
  4. Click Next or select step 2, Resolvers, to add the DNS resolvers that resolve the domain names received in DNS requests.

    avaliabilty-mode-tab1.png
    1. In the DNS Resolver table, click the Add icon. The Create DNS Resolver window displays.

      settings.png
    2. In step 1, Settings, enter information for the following fields.
       
      Field Description
      Resolver Type: Select the resolver type to use.
      • Remote SD-WAN Site: Click, and then in the Appliance field, select an SD-WAN site from which to send traffic for DNS resolution. Configuring a site name is commonly used to optimize direct internet access (DIA) and direct cloud access (DCA). Then, go to step 3-d below.
      • Network: Click, and then in the Network field, select which local WAN or LAN networks to use to proxy a DNS request.

      resolver-network.png

      When you select Network, step 2, DHCP-Learned DNS Server Monitors, is added to the workflow.

      resolver-network-new-step.png

      Mode: Select the mode to use to check the availability of the DNS server:
      • Failover—Click to redirect the traffic through another resolver server if the server configured in the resolver fails or is not reachable. This is the default.
      • Round-robin—Click to use a round-robin method to send traffic among the resolvers.
      Default: Failover

    3. Click Next or select step 2, DHCP-Learned DNS Server Monitors, to configure a server monitor for the server assigned by Dynamic Host Configuration Protocol (DHCP). Enter information for the following fields.

      dhcp-dns.png
      Field Description
      DHCP-Learned DNS Server Monitor: Click the toggle button to enable the DHCP-learned DNS server monitor. When a WAN on which DHCP is configured uses DNS servers from a service provider to resolve IP addresses, the DHCP server monitor checks whether the DNS servers are incorrect or unreachable.
      Default: Disabled
      Domain Name: (Required) Enter the domain name for the DNS server.
      Network: (Required) Enter the network used to derive the source interface.
      Interval: Enter the interval between monitor packets, in seconds.
      Default: 1 second
      Range: 1 through 60 seconds
      Maximum Threshold: Enter the maximum number of monitor packet retransmissions before the node is declared as down.
      Default: 1 second
      Range: 1 through 60

    4. Click Next or select step 3, DNS Servers, to add one or more DNS servers for the resolver. Enter information for the following fields.

      dns-server1.png
      Field Description
      IP Address: Enter the IPv4 or IPv6 address of the DNS server.
      Port: Enter the port number to use to connect to the DNS server.
      IP SLA Monitor: Select an IP SLA monitor object to evaluate the state of the IP addresses configured in the resolver. The evaluation is done when checking the availability of the DNS server using the method configured in the Mode field. Based on the results of the evaluation, the traffic is sent accordingly. Click the Add icon to add an IP SLA monitor.
      If you do not select an IP SLA monitor object, all the IP addresses configured in the resolver appear active regardless of their actual status.

    5. Click Next or select step 4, Review and Submit.
    6. In the General section, enter a name for the DNS resolver. You can also add a description and tags.

      review-step1.png
    7. For all other sections, review the information. To make changes, click the Edit icon.
    8. Click Add DNS Resolver.
  5. Click Next or select step 3, Permissions, to set or update the permission for each role. The permission for each role is selected by default, and you can update it. The role permissions are Read, Update, and Delete.

    permissions-step.png
     
  6. Click Next or select step 4, Review and Submit, to review the information.

    dns-proxy-profile-review.png
  7. In the General section, enter a name for the DNS proxy profile and, optionally, a description and tags.
  8. For all other sections, review the information. To make changes, click the Edit icon.
  9. Click Submit.
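The server-selection behaviour described in the DNS proxy profile workflow above (Failover versus Round Robin availability modes, IP SLA monitors, and the DHCP-learned DNS server monitor's Interval and Maximum Threshold), together with the cache Maximum TTL from the policy's DNS Settings step, as an added Python example that is not Versa code. Servers without a monitor are treated as always active, as the page states; a monitored server is declared down after Maximum Threshold consecutive missed probes; a cached answer lives for the smaller of the response TTL and the configured maximum. The class names DnsServer, Resolver, ServerMonitor and DomainCache, the sample addresses, and the exact round-robin bookkeeping are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed model of a DNS resolver's server list, its monitors and the domain cache;
# names and bookkeeping are assumptions of this example, not Versa's implementation.


@dataclass
class DnsServer:
    ip: str
    port: int = 53
    monitored: bool = True  # an IP SLA monitor object is attached
    healthy: bool = True    # latest monitor verdict

    def is_active(self) -> bool:
        # Without a monitor every configured address appears active, whatever its real state
        return self.healthy if self.monitored else True


class Resolver:
    """Picks the DNS server to forward to, using the profile's availability mode."""

    def __init__(self, name: str, mode: str, servers: list):
        if mode not in ("failover", "round-robin"):
            raise ValueError("mode must be 'failover' or 'round-robin'")
        self.name, self.mode, self.servers = name, mode, servers
        self._next = 0  # round-robin cursor

    def pick(self) -> Optional[DnsServer]:
        active = [s for s in self.servers if s.is_active()]
        if not active:
            return None  # nothing to forward to; the caller should try another resolver
        if self.mode == "failover":
            return active[0]  # first active server in configured order
        server = active[self._next % len(active)]
        self._next += 1
        return server


class ServerMonitor:
    """Declares a server down after Maximum Threshold consecutive missed probes."""

    def __init__(self, interval_s: int = 1, max_threshold: int = 1):
        if not (1 <= interval_s <= 60 and 1 <= max_threshold <= 60):
            raise ValueError("interval and threshold must be in 1..60")
        self.interval_s = interval_s        # seconds between monitor packets
        self.max_threshold = max_threshold  # retransmissions before the node is down
        self.missed = 0

    def record(self, server: DnsServer, probe_ok: bool) -> bool:
        """Feed one probe result; returns the server's health after applying it."""
        if probe_ok:
            self.missed = 0
            server.healthy = True
        else:
            self.missed += 1
            if self.missed >= self.max_threshold:
                server.healthy = False
        return server.healthy


class DomainCache:
    """Caches answers, capping each entry's lifetime at the configured Maximum TTL."""

    def __init__(self, max_ttl_s: int, now: Callable[[], float]):
        self.max_ttl_s = max_ttl_s
        self._now = now     # injectable clock so the behaviour can be checked offline
        self._entries = {}  # (qname, qtype) -> (answer, expiry time)

    def put(self, qname: str, qtype: str, answer: str, response_ttl: int) -> int:
        ttl = min(response_ttl, self.max_ttl_s)
        self._entries[(qname.lower(), qtype)] = (answer, self._now() + ttl)
        return ttl  # the TTL actually applied

    def get(self, qname: str, qtype: str) -> Optional[str]:
        key = (qname.lower(), qtype)
        entry = self._entries.get(key)
        if entry is None:
            return None
        answer, expires_at = entry
        if self._now() >= expires_at:
            del self._entries[key]  # expired: the next query goes to a server
            return None
        return answer


if __name__ == "__main__":
    corp = Resolver("corp", "failover", [DnsServer("10.0.0.53"), DnsServer("10.0.1.53")])
    monitor = ServerMonitor(interval_s=1, max_threshold=3)
    for ok in (False, False, False, True):
        monitor.record(corp.servers[0], ok)
        print("primary healthy:", corp.servers[0].healthy, "-> forwarding to", corp.pick().ip)
```

The `is_active` rule is the operationally important one: a server list with no IP SLA monitor attached never fails over, because every address reports active regardless of its real state, exactly as the field description warns.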

Manage DNS Proxy Policies

You can perform the following actions on DNS proxy policies:

  • Edit
  • Clone
  • Copy to subtenant
  • Delete
  • View references
  • Propagate
  • Compare versions
  • View the audit log
  • Enable and disable auto delete

For information about these actions, see Manage SD-WAN Policies and Profiles.

Supported Software Information 

Releases 13.1.1 and later support all content described in this article.
