Configure DNS Proxy for Concerto
For supported software information, see Supported Software Information at the end of this article.
A DNS proxy intercepts incoming Domain Name System (DNS) requests from a client and redirects them to a DNS server. The DNS server then resolves the DNS queries either using information in its DNS cache or by forwarding requests to other DNS servers.
You can configure a Concerto device to act as a DNS proxy. To do this, you create a DNS proxy profile that defines the DNS resolvers used to resolve the domain names received in DNS requests, and the interfaces and source NAT (SNAT) pools used to reach those resolvers. You then create DNS policies whose redirection rules define the domain name patterns and query types to be resolved by a DNS proxy profile, and you associate the profile with those rules.
You can configure multiple DNS servers to ensure that incoming DNS requests are sent to the appropriate DNS server or servers. For example, the DNS path selection mechanism can send corporate DNS queries to a corporate DNS server while sending other queries to the ISP's DNS servers.
To direct incoming DNS requests to other DNS servers, you create a redirection rule in a DNS policy, and you then associate a DNS proxy profile with the rule. You can configure multiple redirection rules. You can also configure a redirection rule that responds to a domain name with a static IP address.
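The following is an added example, not Versa Concerto code, that models the decision flow the overview above describes: parse the header and first question of a DNS query, match it against an ordered list of redirection rules (domain suffix, query type, negate), and either answer with a static address or hand the query to a proxy profile that picks a resolver by failover or round-robin while honouring a monitor callback. The class and function names (`Rule`, `ProxyProfile`, `decide`) are illustrative rather than a Concerto API, the policy is a constructed split-DNS sample, and the addresses are RFC 1918 and RFC 5737 documentation values.

```python
# Added example (not Versa Concerto code): a minimal DNS proxy policy engine.
# Names are illustrative; addresses are RFC 1918 / RFC 5737 documentation values.
import itertools
import struct

OPCODES = {0: "Query", 1: "IQuery", 2: "Status", 4: "Notify", 5: "Update"}
QTYPES = {1: "A", 15: "MX", 16: "TXT", 28: "AAAA", 252: "AXFR", 255: "ALL"}


def build_query(qname, qtype=1, opcode=0, txid=0x1234):
    """Build a DNS query packet (constructed sample input, not captured traffic)."""
    flags = (opcode << 11) | 0x0100          # opcode occupies bits 1-4; RD set like a stub resolver
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)   # QCLASS IN


def parse_query(pkt):
    """Return (opcode name, lower-cased qname, qtype name) of the first question."""
    if len(pkt) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, qdcount = struct.unpack("!HHH", pkt[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    opcode = (flags >> 11) & 0xF
    labels, pos = [], 12
    while True:
        if pos >= len(pkt):
            raise ValueError("truncated question name")
        length = pkt[pos]
        if length & 0xC0:                    # a compression pointer is not valid in a query's first name
            raise ValueError("unexpected compression pointer")
        pos += 1
        if length == 0:
            break
        labels.append(pkt[pos:pos + length].decode("ascii").lower())
        pos += length
    qtype = struct.unpack("!H", pkt[pos:pos + 2])[0]
    return OPCODES.get(opcode, f"opcode{opcode}"), ".".join(labels), QTYPES.get(qtype, qtype)


class ProxyProfile:
    """Resolvers plus the availability mode from Step 1 of the DNS proxy profile."""

    def __init__(self, name, resolvers, mode="failover"):
        self.name, self.resolvers, self.mode = name, list(resolvers), mode
        self._cycle = itertools.cycle(range(len(self.resolvers)))

    def select(self, is_up):
        """Pick a resolver. is_up() stands in for the monitor object; with no
        monitor every resolver looks up, exactly as the page warns."""
        if self.mode == "failover":          # first healthy resolver in configured order
            return next((r for r in self.resolvers if is_up(r)), None)
        for _ in self.resolvers:             # round-robin, skipping resolvers the monitor marks down
            candidate = self.resolvers[next(self._cycle)]
            if is_up(candidate):
                return candidate
        return None


class Rule:
    """One redirection rule: match criteria and a ('static', ip) or ('proxy', profile) action."""

    def __init__(self, name, action, domains=(), qtypes=(), negate=False):
        self.name, self.action, self.negate = name, action, negate
        self.domains = tuple(d.lower().strip(".") for d in domains)
        self.qtypes = set(qtypes)

    def matches(self, qname, qtype):
        dom_ok = not self.domains or any(qname == d or qname.endswith("." + d) for d in self.domains)
        type_ok = not self.qtypes or qtype in self.qtypes
        hit = dom_ok and type_ok
        return not hit if self.negate else hit   # Negate: everything except the selected names/types


def decide(policy, pkt, is_up=lambda resolver: True):
    """Apply the first matching rule to a query and report the resulting action."""
    opcode, qname, qtype = parse_query(pkt)
    if opcode != "Query":                    # the sample policy only carries Query rules
        return {"qname": qname, "action": "none", "reason": opcode}
    for rule in policy:
        if not rule.matches(qname, qtype):
            continue
        kind, target = rule.action
        if kind == "static":
            if qtype not in ("A", "AAAA"):   # static answers apply to A/AAAA only; fall through (assumption)
                continue
            return {"qname": qname, "action": "static", "answer": target, "rule": rule.name}
        return {"qname": qname, "action": "proxy", "resolver": target.select(is_up), "rule": rule.name}
    return {"qname": qname, "action": "none"}


def build_policy():
    """Constructed sample: corporate names to corporate DNS, a sinkhole, the rest to the ISP."""
    corp = ProxyProfile("corp-dns", ["10.1.1.53", "10.1.2.53"], mode="failover")
    isp = ProxyProfile("isp-dns", ["203.0.113.53", "203.0.113.54"], mode="round-robin")
    return [
        Rule("corp-to-corp-dns", ("proxy", corp), domains=["corp.example"]),
        Rule("sinkhole-ads", ("static", "192.0.2.1"), domains=["ads.example"]),
        Rule("everything-else", ("proxy", isp), domains=["corp.example"], negate=True),
    ]
```

Two design points carry over to the real configuration: rule order matters because the first match wins, and resolver selection is only as good as its monitor, since a profile with no monitor object treats a dead resolver as healthy and keeps sending queries to it.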
Configure DNS Proxy Profiles
To configure DNS proxy profiles:
- From the Tenants screen, select the tenant for which you want to configure DNS proxy profiles.
- Go to Configure > Secure SD-WAN > Profile Elements > Policies > Network Services > DNS Proxy > DNS Proxy Profile.
The DNS Proxy Profile main screen displays.
- If there are no existing profiles, click Create DNS Proxy Profile or click + Add. The Add DNS Proxy Profile window displays.
- In Step 1, Availability Mode, select the method used to choose among the configured resolvers:
- Failover (default)—Click to redirect the traffic to another resolver if the current resolver fails or is not reachable.
- Round Robin—Click to distribute queries among the resolvers in turn, so that no single resolver receives more traffic than the others.
- Click Next to go to Step 2, Resolver, to add DNS resolvers.
- In the Resolver table, click the + Add icon. The Add Resolver Rule popup window displays.
- In Step 1, Settings, enter information for the following fields.
Field
Description
Site
Click, and then in the Appliance Name field, select the SD-WAN site to which to send traffic for DNS resolution. Configuring a site name is commonly used to optimize direct internet access (DIA) and direct cloud access (DCA).
Network
Click, and then in the Network field, select the local WAN or LAN network to use to proxy a DNS request.
Mode
Select the mode to use to check the availability of the DNS server:
- Failover—Click to redirect the traffic to another resolver server if the configured server fails or is not reachable. This is the default.
- Round-robin—Click to use a round-robin method to distribute traffic among the resolvers.
Default: Failover
- Click Next to go to Step 2, DHCP Server Monitor, to configure a server monitor for the DNS server assigned by Dynamic Host Configuration Protocol (DHCP). Enter information for the following fields.
Field
Description
DHCP Server Monitor
The DHCP server monitor is enabled by default. When a WAN on which DHCP is configured uses DNS servers from a service provider to resolve IP addresses, the DHCP server monitor checks whether those DNS servers are incorrect or unreachable. To disable the server monitor, slide the toggle button.
Domain Name
Enter the domain name for the DNS server.
Network
Enter the network used to derive the source interface.
Next Hop Site Name
Enter the name of the next-hop SD-WAN site.
Interval
Click and enter the interval between monitor packets, in seconds.
Default: 1
Value: 1 through 60 seconds
Maximum Threshold
Enter the maximum number of monitor packet retransmissions before the node is declared down.
Default: 1
Value: 1 through 60
- Click Next to go to Step 3, DNS Servers, to add DNS servers. Enter information for the following fields.
Field
Description
DNS Server Name
Enter a name for the DNS server.
IP Address
Enter the IPv4 or IPv6 address of the DNS server.
Port
Enter the port number to use to connect to the DNS server.
Monitor Object
Select a monitor object to evaluate the state of the IP addresses configured in the resolver. The evaluation is done when checking the availability of the DNS server using the method configured in the Mode field, and traffic is sent according to the result. Click the Add icon to add a monitor.
If you do not select a monitor object, all the IP addresses configured in the resolver appear active regardless of their actual status, so neither failover nor round-robin can skip an unreachable server.
- Click the Add icon to add one or more DNS servers.
- Click Next to go to Step 4, Review and Submit, to review the information.
- In the General section, enter a name for the DNS resolver and, optionally, a description.
- For all other sections, review the information. To make changes, click the Edit icon.
- Click Save.
- To add another resolver, click the + Add icon in the Resolver table again and repeat the preceding steps.
- Click Next to go to Step 3, Permissions, to set or update the permission for each role. The roles are Enterprise Administrator, Enterprise Operator, Service Provider Administrator, and Service Provider Operator. The permission for each role is selected by default, and you can update it. The role permissions are Edit, Hide, and Read.
- Click Next to go to Step 4, Review and Submit, to review the information.
- In the General section, enter a name for the DNS proxy profile and, optionally, a description.
- For all other sections, review the information. To make changes, click the Edit icon.
- Click Save.
Configure DNS Policies
To direct incoming DNS requests to other DNS servers, you create DNS policies and add redirection rules to them. You associate a DNS proxy profile with a redirection rule by selecting Use Proxy Settings as the DNS action for the rule.
To configure a DNS policy:
- From the Tenants screen, select the tenant for which you want to configure DNS proxy policies.
- Go to Configure > Secure SD-WAN > Profile Elements > Policies > Network Services > DNS Proxy > DNS Proxy Policy.
The Domain Name System (DNS) Proxy Policy main screen displays.
- If there are no existing policies, click Create DNS Proxy Policy or click + Add. The Add Domain Name System (DNS) Proxy Policy window displays.
- In Step 1, Redirection Rules, click + Add to add a redirection rule. The Add Redirection Rule popup window displays. By default, all source and destination traffic is included. To narrow the rule, specify the source and destination addresses and zones.
- On the Source Address tab, select a source address group from which traffic originates, or use the search box to find one. To create a variable for the source address, click + Add Variable, enter a name for the variable, click the Plus icon, and then click Add. You can add multiple variables before clicking Add.
You can also enter an IP address or IP range, an IPv4 or IPv6 subnet, or an IP wildcard for the rule to match. To create variables for these values, click + Add Variable for that field. You can add multiple variables for each field.
- To add a variable for the IP address or IP range, select IPv4 Address, IPv4 Range, or IPv6 Address in the drop-down list, click the Plus icon, and then click Add.
- To add a variable for the IP subnet, select IP Subnet or IPv6 Subnet in the drop-down list, click the Plus icon, and then click Add.
- To add a variable for the IP wildcard, enter a name for the variable, click the Plus icon, and then click Add.
- Click the Destination Address tab, select a destination address group to which traffic is sent, or use the search box to find one. You can also enter an IP address or IP range, an IPv4 or IPv6 subnet, or an IP wildcard for the rule to match. Click + Add Variable to create variables for these values, as described for the Source Address tab above.
- Select the Source Zone tab. In the Source Zones field, click the down arrow, and then select one or more zones. To create a variable for the source zone, click Add Variable.
- Select the Destination Zone tab, and then enter the information for the destination zone. The fields are the same as for the Source Zone, described above.
- Click Next to go to Step 2, Users and Groups. By default, all users and groups are included. To customize the specific users or groups to be included, enter the following information.
- Select the user type to match from All Users, Known Users, Unknown Users, and Selected Users.
- If you select Selected Users, the following options display.
- Select a Users and Groups Profile. For more information, see Configure User and Device Authentication.
- Select the User Groups tab to search for and select user groups.
- Select the Users tab to search for and select users.
- Click Next to go to Step 3, Source Geo Location, to specify the geographic regions of the traffic source and destination.
- On the Source Address tab, click Select Country to select one or more countries.
- Click the Destination tab, and then click Select Country to select one or more countries.
- Click Next to go to Step 4, DNS Headers, to define DNS operation codes and matching criteria for incoming packets.
- In the Operating Code field, select the DNS opcode (from the DNS message header) to which the rule applies:
- IQuery—Inverse query (opcode 1). Obsoleted by RFC 3425, but still seen from legacy clients.
- Notify—Zone change notification (opcode 4, RFC 1996).
- Query—Standard query (opcode 0). Almost all client traffic uses this opcode.
- Status—Server status request (opcode 2).
- Update—Dynamic update (opcode 5, RFC 2136).
For each request type, you must enter additional information, as described in the following steps.
- If you select the IQuery request type, enter the IPv4 or IPv6 addresses to which to send an inverse query. Click the Add icon to add one or more IP addresses.
- If you select the Query request type, enter information for the following fields.
Field
Description
Query Type
Select the DNS resource record (RR) types to match:
- AAAA—IPv6 address
- AFSDB—AFS database location
- ALL—All resource record types (the ANY query type)
- APL—Address prefix list
- ATM—ATM address
- AXFR—Full zone transfer
- CAA—Certification Authority Authorization
- CERT—Certificates
- CNAME—Canonical name for an alias
- DHCID—DHCP ID
- DNSKEY—DNS key
- DS—Delegation signer
- EID—Endpoint identifier
- GPOS—Geographical position
- HINFO—Host information
- HIP—Host identity protocol
- ISDN—ISDN address
- IPSECKEY—IPsec key
- IXFR—Incremental transfer
- KEY—Security key
- KX—Key exchanger
- LOC—Location information
- MAILA—Mail agent route records
- MAILB—Mailbox-related route records (MB, MG, or MR)
- MB—Mailbox domain name
- MD—Mail destination
- MF—Mail forwarder
- MG—Mail group member
- MINFO—Mailbox or mail list information
- MR—Mail rename domain name
- MX—Mail exchange
- NAPTR—Naming authority pointer
- NIMLOC—Nimrod locator
- NINFO—Zone status information (TXT-like record)
- NS—Authoritative name server
- NSAP-PTR—Domain name pointer for an NSAP style
- NSEC—Authenticated denial of existence
- NSEC3—Authenticated denial of existence
- NSEC3PARAM—NSEC3 parameters
- NULL—Null resource record
- NXT—Next domain
- OPT—Options
- PTR—Domain name pointer
- PX—X.400 mail mapping information
- RKEY—Record key
- RP—Responsible person
- RRSIG—Resource record signature (DNSSEC)
- RT—Route through
- SIG—Security signature
- SINK—Kitchen sink
- SOA—Marks the start of a zone of authority
- SPF—Sender policy framework
- SRV—Server selection
- SSHFP—SSH key fingerprint
- TALINK—Trust anchor link
- TKEY—Transaction key
- TSIG—Transaction signature
- TXT—Text strings
- WKS—Well-known service description
- X25—X.25 PSDN address
Domain Name
Enter the domain name to match.
Negate
Click to apply the rule to any query type and domain name except those selected.
- If you select the Notify or Status request type, click the Add icon to add zone names.
- If you select the Update request type, click the Add icon to add domain names.
- Click Next to go to Step 5, DNS Action, to define the proxy settings for the rule.
- To take no action, select None (the default). By default, the Enable Logging toggle button is enabled. Slide the toggle button to disable logging.
- If you select Use Proxy Settings, enter information for the following fields.
Field
Description
Enable Logging
By default, the Enable Logging toggle button is enabled. Click to disable logs.
DNS Proxy Profile
Select a DNS proxy profile to associate with the redirection rule. For more information, see Configure DNS Proxy Profiles above.
Number of Domains To Cache
Enter the number of DNS domains to cache. The DNS server uses information in its cache to respond to DNS queries. When an entry in the domain name cache expires depends on the TTL value in the DNS response, as defined in the DNS protocol.
Range: 0 through 65535
DNS-64 Prefix
Enter the IPv6 prefix used for DNS64, the DNS extension that lets IPv6-only clients reach IPv4 servers: the proxy synthesizes AAAA records by embedding the IPv4 address in this prefix. For more information, see Configure Profiles.
Cache TTL Upper Limit
Enter the upper limit of the time to live for the network obfuscation cache, in seconds.
Override Question
Enter a domain name to have the DNS proxy replace the domain name in the question section with the configured name before it sends the query to the server. When the DNS proxy forwards the response to the client, it restores the original domain name.
Only IPv4 WAN Available
Click when the WAN uses only IPv4. This option is disabled by default.
Apply Policy-Based Forwarding
Click to look up SD-WAN policy rules to determine the path on which to send the DNS query. This option is disabled by default.
- If you select Use Server Settings, enter information for the following fields.
Field
Description
Enable Logging
By default, the Enable Logging toggle button is enabled. Click to disable logs.
IP Address
For type A/AAAA DNS queries only, enter the static IPv4 or IPv6 address to send in the response to a DNS query.
Monitor Object
Select a monitor object to evaluate the state of the IP addresses configured in the resolver. The evaluation is done when checking the availability of the DNS server using the method configured in the Mode field, and traffic is sent according to the result. Click the Add icon to add a monitor.
If you do not select a monitor object, all the IP addresses configured in the resolver appear active regardless of their actual status.
- Click Next to go to Step 6, Review and Submit, to review the information.
- In the General section, enter a name for the DNS redirection rule and, optionally, a description.
- For all other sections, review the information. To make changes, click the Edit icon.
- Click Save.
- In the Add Domain Name System (DNS) Proxy Policy window, click Next to go to Step 2, DNS Settings, to configure DNS cache details.
- By default, the Enable Domain Cache toggle button is enabled. Click to disable domain cache.
- Enter the domain cache size and the maximum TTL to cache (in seconds). When an entry in the domain name cache expires depends on the TTL value in the DNS response, as defined in the DNS protocol.
- Click Next to go to Step 3, Permissions.
- Change the permissions for one or more roles, if needed.
- Click Next to go to Step 4, Review and Submit, to review the information.
- In the General section, enter a name for the DNS proxy policy and, optionally, a description.
- For all other sections, review the information. To make changes, click the Edit icon.
- Click Save.
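The following is an added example, not Versa Concerto code, illustrating two of the settings behind the Use Proxy Settings fields in Step 5, DNS Action: a DNS-64 prefix and a cache TTL upper limit. `dns64_synthesize()` embeds an A answer in the low 32 bits of an IPv6 /96 prefix to produce the AAAA record a DNS64 proxy returns (using the RFC 6052 well-known prefix by default), and `DnsCache` bounds both the number of cached entries and how long any answer lives, whatever TTL the upstream server sent. The names and the eviction strategy are assumptions for illustration, and the sample addresses are RFC 5737 values.

```python
# Added example (not Versa Concerto code): DNS64 synthesis and a TTL-capped domain cache.
# Names are illustrative; sample addresses are RFC 5737 documentation values.
import ipaddress

WELL_KNOWN_PREFIX = "64:ff9b::/96"          # RFC 6052 well-known DNS64/NAT64 prefix


def dns64_synthesize(ipv4, prefix=WELL_KNOWN_PREFIX):
    """Return the IPv6 address that embeds ipv4 in the low 32 bits of a /96 prefix."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 96:                  # RFC 6052 also defines /32 to /64 embeddings; not handled here
        raise ValueError("DNS64 prefix must be an IPv6 /96")
    v4 = int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address(int(net.network_address) | v4))


class DnsCache:
    """Domain cache with an entry limit (Number of Domains To Cache) and a TTL cap (Cache TTL Upper Limit)."""

    def __init__(self, max_entries, ttl_upper_limit):
        self.max_entries, self.ttl_upper_limit = max_entries, ttl_upper_limit
        self._entries = {}                   # (qname, qtype) -> (answer, expiry time)

    def put(self, qname, qtype, answer, upstream_ttl, now):
        """Cache an answer; returns the TTL actually applied, or None if not cached."""
        ttl = min(upstream_ttl, self.ttl_upper_limit)   # never trust a longer TTL than the configured cap
        if ttl <= 0 or self.max_entries <= 0:
            return None                      # TTL 0 answers are never cached
        self._purge(now)
        key = (qname.lower(), qtype)
        if key not in self._entries and len(self._entries) >= self.max_entries:
            oldest = next(iter(self._entries))   # evict the earliest-inserted entry (assumed policy)
            del self._entries[oldest]
        self._entries[key] = (answer, now + ttl)
        return ttl

    def get(self, qname, qtype, now):
        """Return the cached answer, or None when absent or expired."""
        self._purge(now)
        hit = self._entries.get((qname.lower(), qtype))
        return hit[0] if hit else None

    def _purge(self, now):
        for key, (_answer, expiry) in list(self._entries.items()):
            if now >= expiry:
                del self._entries[key]
```

Capping the TTL matters because a cached answer outlives the policy that produced it: once a redirection rule changes, clients keep receiving the old answer until the entry expires, so the upper limit is the longest a stale or poisoned answer can persist in the proxy.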
Supported Software Information
Releases 12.1.1 and later support all content described in this article.