Versa Networks

Configure a DNS Proxy


A DNS proxy intercepts incoming DNS requests from a client and redirects them to a DNS server. The DNS server then resolves the DNS queries either using information in its DNS cache or by forwarding requests to other DNS servers.

You can configure a Titan device to act as a DNS proxy. To do this, you create a DNS proxy profile that defines the DNS resolvers to use to resolve the domain names received in DNS requests, and you define which interfaces and source NAT (SNAT) pools to use to reach the DNS resolvers. You then create DNS profiles that define the domain name patterns and types to be resolved by a DNS proxy profile, and you then associate these profiles with DNS policies.

You can configure multiple DNS servers to ensure that incoming DNS requests are sent to the appropriate DNS server or servers. For example, the DNS path selection mechanism can send corporate DNS queries to a corporate DNS server while sending other queries to the ISP's DNS servers. To direct incoming DNS requests to other DNS servers, you create a redirection rule in a DNS policy, and you then associate a DNS proxy profile with the rule. You can configure multiple redirection rules. You can also configure a redirection rule that responds to a domain name with a static IP address.
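
The path selection described above can be checked offline before a rule set is published. The following Python model is an added example, not Versa code: it routes a query through ordered redirection rules to a proxy profile or a static address. Assumptions: all rule names, addresses and function names are constructed, rules are evaluated first-match in list order, domain matching is on label boundaries, and a profile picks only among servers whose monitor is up.

```python
from dataclasses import dataclass, field
from itertools import count

@dataclass
class Server:
    ip: str
    up: bool = True              # monitor status (constructed)

@dataclass
class Profile:
    mode: str                    # "failover" or "round-robin"
    servers: list
    turn: count = field(default_factory=count, repr=False)

    def pick(self):
        live = [s for s in self.servers if s.up]
        if not live:
            return None          # every monitor is down
        if self.mode == "round-robin":
            return live[next(self.turn) % len(live)]
        return live[0]           # failover: first server whose monitor is up

@dataclass
class Rule:
    name: str
    qtypes: set                  # record types from the DNS Header criteria
    suffix: str                  # "" matches every query name
    profile: Profile = None      # Proxy Setting action
    static_ip: str = None        # Server Setting action

def matches(rule, qname, qtype):
    q, s = qname.rstrip(".").lower(), rule.suffix.lower()
    # Label-boundary match: "notcorp.example" must not hit "corp.example".
    return qtype in rule.qtypes and (not s or q == s or q.endswith("." + s))

def resolve_path(rules, qname, qtype):
    for rule in rules:           # assumption: rules are evaluated in order
        if matches(rule, qname, qtype):
            if rule.static_ip:
                return (rule.name, "static", rule.static_ip)
            srv = rule.profile.pick()
            return (rule.name, "proxy", srv.ip if srv else None)
    return (None, "none", None)

# Constructed sample policy; all names and addresses are hypothetical.
corp = Profile("failover", [Server("10.0.0.53"), Server("10.0.1.53")])
isp = Profile("round-robin", [Server("192.0.2.53"), Server("198.51.100.53")])
RULES = [
    Rule("portal-static", {"A"}, "portal.corp.example", static_ip="10.0.5.10"),
    Rule("corporate", {"A", "AAAA", "MX"}, "corp.example", profile=corp),
    Rule("default", {"A", "AAAA", "MX"}, "", profile=isp),
]
```

In this model, moving the default rule above the corporate rule sends corp.example queries to the ISP resolvers, which is the misordering to look for before publishing a reordered rule set.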

Note: You must be using the Secure Application Optimization license to use DNS proxy configuration. For information about adding licenses, see Add Devices Using Titan Portal.

Configure DNS Proxy Profiles

To create a DNS proxy profile:

  1. Click Configure in the left menu bar to open the Configure dashboard.
  2. Hover over the device in the honeycomb, and then click Configure to open the site information window.

  3. Select the DNS Proxy tab.

  4. In the Profile tab, click icon-profile.png to display the DNS Proxy > Profile > Add screen. Enter information for the following fields.

    Field Description
    Profile Name (Required) Enter a name for the DNS profile.
    Mode

    Select the mode to use to check the availability of the resolver:

    • Failover—Click to redirect the traffic through another resolver if the resolver fails or is not reachable. This is the default.
    • Round-Robin—Click to use a round-robin method to send traffic among the resolvers.

    Default: Failover

    Resolver (Group of Fields)  
    • Resolver Name (Required)
    Enter a name for the resolver profile.
    • Device Name
    Click and select a device to which to send traffic for DNS resolution.
    • Network
    Click and select which local WAN or LAN networks to use to proxy a DNS request.
    • Mode

    Select the mode to use to check the availability of the DNS server:

    • Failover—Click to redirect the traffic through another resolver server if the server configured in the resolver fails or is not reachable. This is the default.
    • Round-robin—Click to use a round-robin method to send traffic among the resolvers.

    Default: Failover

    • SNAT Pool

    Select an SNAT pool to associate with the DNS profile. The address in this pool can be used to create a new proxy session.

    Click icon-snat-pool.png to add an SNAT pool, and enter information for the following fields.
     


    • Name (Required)—Enter a name for the SNAT pool.
    • Egress Network (Required)—Select an egress network to associate with the SNAT pool.

    Click Add, and then click Continue.

    • Servers

    Select a DNS server to associate with the DNS profile.

    Click icon-add-server.png to add a new server, and enter information for the following fields.

     


     

    • Name (Required)—Enter a name for the DNS server.
    • IP Address (Required)—Enter the IP address of the DNS server. The address can be an IPv4 or an IPv6 address.
    • Port (Required)—Enter the port number to use to connect to the DNS server.
    • Monitor (Required)—Select the monitor object to use. The monitor object evaluates the state of the IP addresses configured in the resolver. The DNS proxy responds to a DNS query with IPv4 or IPv6 addresses whose monitor status is up.
      • Click icon-monitor.png to add a new monitor, and enter information for the following fields.


        • Name (Required)—Enter a name for the monitor object.

        • Monitor Type (Required)—Select the type of packets to send to the IP address:

          • DNS

          • ICMP

          • TCP

        • IP Address (Required)—Enter the IP address to monitor.

        • Next Hop—Select the device to use as the next hop.

        • Networks—Select the source network interface.

        • Source Interface—Select the source interface on which to send the probe packets. This interface determines the routing instance through which to send the probe packets.

      • Click Add and then click Continue.

    • Click Add.

    Add Resolver Click icon-add-resolver.png.
  5. Click Add, and then click Publish.

Configure DNS Proxy Rules

To create a new DNS proxy rule:

  1. Click Configure in the left menu bar to open the Configure dashboard.
  2. Hover over the device in the honeycomb, and then click Configure to open the site information window.
  3. Click the DNS Proxy tab, and then click the Rules tab.

  4. If necessary, click Reorder Rules to enter rule reorder mode.
    1. To change a rule order, click the rule name and drag it to a different location in the rule set.
    2. Click Publish Reordered Rules to save the changes to the Titan cloud.
    3. By default, the rules are displayed in grid view. To change the view to list, click the list view icon.
    4. To pin the view to grid or list for the login session, use the pin icon.
  5. In the Rules tab, click icon-rule.png to display the DNS Proxy > Rules > Add screen. Enter information for the following fields.

    Field Description
    Rule Name (Required) Enter a name for the DNS proxy rule.
    Description Enter a text description for the rule. The description can be a maximum of 63 characters.
    Match Criteria

    Click the Address, Hostname, DNS Header, or User and Group tab to add details for that criteria type. Match criteria details are listed in the Apply Match Criteria for DNS Proxy Rules section.

    Scope (Group of Fields)  
    • Source Zone

    In the Please Select field, click the down arrow. A popup window displays the configured interfaces and tunnels. Select the type:

    • SD-WAN
    • Untrusted
    • Wired LAN
    • Wireless LAN

     


    • Arrow

    Choose a connection type:

    • icon-arrow1.png One-way
    • icon-arrow2.png Two-way
    • Destination Zone

    In the Please Select field, click the down arrow. A popup window displays the configured interfaces and tunnels. Select the type:

    • SD-WAN
    • Untrusted
    • Wired LAN

     


    Action (Group of Fields) Configure the action to take when a rule matches.
    • Proxy Setting

    Click to use proxy settings, and then enter information for the following fields to configure the proxy settings:

     


    • Select Profile—Select the name of the DNS proxy profile.
    • Apply Policy-Based Forwarding—Click to look up steering policy rules to determine the path on which to send the DNS query.
    • Server Setting

    Click to use server settings, and then enter information for the following fields to configure the server settings.

     


     

    • IP Address—For A/AAAA DNS queries, enter the static IPv4 or IPv6 address to send in the response to a DNS query.
    • Monitor—Select the monitor object to use. The monitor object evaluates the state of the IP addresses configured in the resolver. The DNS proxy responds to a DNS query with IPv4 or IPv6 addresses whose monitor status is up.
      • Click icon-monitor.png to add a new monitor, and enter information for the following fields.


        • Name (Required)—Enter a name for the monitor object.

        • Monitor Type (Required)—Select the type of packets to send to the IP address:

          • DNS

          • ICMP

          • TCP

        • IP Address (Required)—Enter the IP address to monitor.

        • Next Hop—Select the device to use as the next hop.

        • Networks—Select the source network interface.

        • Source Interface—Select the source interface on which to send the probe packets. This interface determines the routing instance through which to send the probe packets.

        • Click Add and then click Continue.

    • Click Add.

    • None

    Click to take no action.
     


    Logging (Group of Fields) Configure log settings.
    • None
    Click to perform no logging.
    • Default
    Click to use default logging.
    • Custom

    Click to configure logging to a customer log server. Based on the rule match, the device may send a large number of log messages.

     


    • Click the down arrow in the Please Select field to select a log profile. To create a new custom flow logs profile, click icon-log-server.png. For more information, see Add Custom Logs Profile.
  6. Click Add, and then click Publish.

Apply Match Criteria for DNS Proxy Rules

You can apply the following match criteria types in a DNS proxy rule:

  • Address
  • DNS header
  • Hostname
  • User and Group


To specify the match criteria for a DNS proxy rule:

  1. Select the Address tab to display the address window.

  2. Click the toggle switch to enter the source or destination IP address, and then click Source.

  3. Enter a source IP address in CIDR format, and then click the icon-plus.png icon. Click the icon-minus.png icon to remove an IP address from the list.

  4. Enter a destination IP address in CIDR format, and then click the icon-plus.png Add icon. Click the icon-minus.png Delete icon to remove an IP address from the list.


To specify hostname match criteria for a DNS proxy rule:

  1. Select the Hostname tab to display the Hostname window.

  2. Click the toggle switch to enter the source or destination hostname, and then click Source.

  3. Enter a source hostname, and then click the icon-plus.png Add icon. Click the icon-minus.png Delete icon to remove a hostname from the list.

  4. Enter a destination hostname, and then click the icon-plus.png Add icon. Click the icon-minus.png Delete icon to remove a hostname from the list.

  5. Click Continue.

To specify DNS header match criteria for a DNS proxy rule:

  1. Select the DNS Header tab to display the DNS header window.

  2. Select the type of query to associate with the rule:
    • A—Click to select an IPv4 query.
    • AAAA—Click to select an IPv6 query.
    • MX—Click to select a mail server query.
  3. Query Record—Enter the domain name to match with the query, and then click icon-add.png.

To specify user and group match criteria for a DNS proxy rule:

  1. Select the User and Group tab to display the user and group window.

  2. Select a user to bind with the security policy:
    • Any
    • Known
    • Selected
    • Unknown
  3. To select a specific user and group, click Selected and then do the following:
    1. In the LDAP drop-down list, select an LDAP user group profile.
    2. Use the search box to search for the user and group, or click the check box next to the user and group name.

  4. Click Add.
  5. To edit a rule, in the DNS Proxy > Rules tab, click a rule name. Then click Save to save the changes to the Titan cloud.
  6. To delete a rule, in the DNS Proxy > Rules tab, click the X. Then click Save to save the changes to the Titan cloud.

Supported Software Information

Releases 10.3.4 and later support all content described in this article.
