Configure DNS forwarding

DNS forwarding allows you to forward requests from a local DNS server to a recursive DNS server outside the corporate network. This configuration is necessary for your ​SIA​ implementation. By directing your enterprise's external DNS traffic to ​SIA​, the requested domains are checked against ​SIA​ threat intelligence.

Depending on your network topology and how DNS servers communicate within your organization's network, you may only need to configure the primary DNS servers to forward requests to ​SIA​.

The sections below give instructions for common DNS server products. Follow the instructions for your organization's DNS server product.

📘

​SIA​ offers a 100% uptime service level, as defined in the corresponding Service Level Agreement. If your organization is nevertheless concerned about connectivity between your forwarding DNS name server and ​Akamai​, you can configure your DNS name server to resolve domains itself when ​SIA​ does not respond. In most cases, this is done by allowing your DNS name server to use root hints for the resolution. Keep in mind that names resolved this way are not checked against ​SIA​ threat intelligence.

Before you begin, make sure that you note the primary and secondary IP addresses of your ​SIA​ recursive servers. To learn how to view this information in ​SIA​, see View DNS server information.

View DNS server information

You can view the IPv4 and IPv6 address information for the primary and secondary ​Akamai​ DNS recursive servers that are assigned to your enterprise. Traffic is forwarded to these servers. The IP address information is available on the Connection Info page. You can also find this information on the Connection Info dashboard widget.

To view DNS server information:

  1. In the Threat Protection navigation menu, select Clients & Connectors > Connection Info.

  2. On the Connection Info page, take note of the DNS Server IP addresses.

📘

The DNS Server information is also available on the Connection Info dashboard widget. While you can add this widget to any dashboard, it’s available by default on the Threat Overview dashboard.

Configure DNS forwarders on Microsoft Windows Server 2008 R2 and 2016

Before you begin

  • Note the IP addresses of the ​SIA​ recursive DNS servers. For more information, see View DNS server information.

  • Confirm that you have a root hints file configured. The root hints file contains the list of root DNS servers that the DNS server contacts for recursion when no forwarder responds.

Complete these procedures to configure DNS forwarding on Microsoft Windows Server 2008 R2 and 2016. You can configure DNS forwarding with the Windows Server graphical user interface or the command line.

Graphical user interface

To configure DNS forwarders on Windows using the graphical user interface:

  1. Click Start and then Administrative Tools. Click DNS.

  2. Right-click the DNS server that you want to configure as a forwarder.

  3. In the Action menu, select Properties.

  4. Click the Forwarders tab.

  5. Click Edit.

  6. In the Edit Forwarders dialog, enter the primary IP address of the ​SIA​ recursive DNS server and press Enter.

  7. Enter the secondary IP address of the ​SIA​ recursive DNS server and press Enter.

  8. If other servers are listed as forwarders, delete this information. The primary and secondary recursive DNS servers should be the only forwarders listed.

  9. To change the number of seconds that a DNS server waits for a response before it tries the IP address of the other DNS server, enter a new value in the Number of seconds before forward queries times out field.

  10. Click OK.

  11. Enable the Use root hints if no forwarders are available option. With this option, if neither ​SIA​ server responds, the DNS server resolves the name itself by recursing from the root servers listed in its root hints file.

  12. In the properties dialog, click OK.

Command line interface

To configure DNS forwarding on Windows using the command line interface:

  1. Open a command prompt. Run the command prompt as an administrator.

  2. Type this command and press Enter:

    dnscmd <ServerName> /ResetForwarders <PrimaryIPaddress ...> [/TimeOut <Time>] /noslave

    • <ServerName> is the hostname or IP address of the DNS server. To specify the DNS server on your local computer, type a period (.).

    • <PrimaryIPaddress ...> is one or more IP addresses of the DNS servers where you are forwarding queries. In this case, enter the ​SIA​ primary and secondary server IP addresses, in that order. Separate each IP address with a space.

    • <Time> is the value that you want to configure for the time out setting in seconds. The default time out value is five seconds.

    For more information, see Microsoft documentation.

    📘

    The /noslave parameter indicates that the server uses the root hints file to resolve requests locally if it cannot reach ​SIA​; it is the command-line equivalent of the Use root hints if no forwarders are available option. Specifying /slave instead makes the server depend on the forwarders only.

Configure DNS forwarding on BIND

Before you begin

Note the IP addresses of the ​SIA​ recursive DNS servers. For more information, see View DNS server information.

To configure the BIND DNS server to forward DNS queries to ​SIA​:

  1. Open a command prompt or terminal.

  2. If you are using a Secure Shell (SSH), enter ssh username@server.

    where:

    • username is the username to access the server remotely.

    • server is the hostname or IP address of the server.

  3. Change the directory to /etc/bind. This is the Debian and Ubuntu layout; other distributions keep the BIND configuration in /etc/named.conf.

  4. Open the named.conf.options file to edit it.

  5. In the forwarders statement of the options block, enter the IP addresses of the ​SIA​ DNS servers, primary first.

    Make sure that you enter the IP addresses inside the { } braces and terminate each address with a semicolon. Leave the forward setting at its default, forward first, so that the server falls back to recursion from its root hints if neither ​SIA​ server responds; forward only disables that fallback and returns SERVFAIL instead.

    📘

    If this BIND server is also a secondary authoritative server for internal zones and you do not want those queries forwarded to ​SIA​, give those zones an empty forwarders list by adding forwarders { }; to each internal zone statement in the configuration file. Queries for those zones and their subdomains are then answered from the zone data instead of being forwarded.

  6. Save and close the file.

Next steps

Validate the configuration with named-checkconf, then restart the BIND daemon. In the terminal, enter this command:

sudo service bind9 restart

Configure DNS forwarding on Blue Coat ProxySG

Before you begin

Note the IP addresses of the ​SIA​ recursive DNS servers. For more information, see View DNS server information.

To configure Blue Coat ProxySG to forward requests to ​SIA​:

  1. In the ProxySG Management Console, click the Configuration tab.

  2. In the navigation menu, click Network > DNS.

  3. In the DNS fields, enter the primary and the secondary IP addresses of the ​SIA​ recursive servers.

  4. Click Apply.

Next steps

Complete these steps to perform a DNS resolution test:

  1. Establish an SSH connection to the ProxySG appliance.

  2. Enter this command and press Enter:

    SG>test dns <domain>

    where <domain> is a domain you want to resolve for this test.

Configure a DNS proxy on a Palo Alto Networks firewall

Before you begin

Note the IP addresses of the ​SIA​ recursive DNS servers. For more information, see View DNS server information.

To configure a DNS proxy on a Palo Alto Networks firewall:

  1. In the Palo Alto Networks firewall, go to Network > DNS Proxy.

  2. Click Add.

  3. Select the interface or interfaces where the DNS proxy is enabled.

  4. In the Inheritance Source list, select none.

  5. In the Primary field, enter the primary IP address of the ​SIA​ recursive server.

  6. In the Secondary field, enter the secondary IP address of the ​SIA​ recursive server.

  7. To configure static DNS entries that are cached and resolved locally, in the Static Entries tab, click Add and:

    1. In the Name column, enter a name to identify the entry

    2. In the FQDN column, enter the Fully Qualified Domain Name that you want the firewall to resolve locally

    3. In the Address column, enter the associated IP address or addresses

  8. To configure DNS caching, in the Advanced tab, select Cache. By default, the DNS proxy populates values for the cache size and timeout.

  9. Click OK.

Configure DNS recursion on Citrix NetScaler

Before you begin

Note the IP addresses of the ​SIA​ recursive DNS servers. For more information, see View DNS server information.

Complete one of these procedures to configure a recursive DNS server on Citrix NetScaler. You can configure DNS recursion on the NetScaler graphical or command line interface.

📘

In NetScaler, DNS recursion applies to a local DNS server configuration only. This functionality is not available in an Authoritative Domain Name Server (ADNS) configuration.

Graphical user interface

To configure DNS recursion on Citrix NetScaler using the graphical user interface:

  1. In the navigation menu, click Traffic Management > DNS.

  2. Click Change DNS Settings.

  3. In the Change DNS Settings dialog:

    1. Select Enable recursion.

    2. To enable caching, select Records caching.

    3. Click OK.

  4. In the expanded navigation menu for DNS, select Name Servers.

  5. Click Add.

  6. In the Create Name Server dialog:

    1. Make sure that IP address is selected.

    2. In the IP Address field, enter the IP address of the primary ​SIA​ recursive server.

    3. Select Local.

    4. Click Create.

  7. To add the secondary ​SIA​ recursive server, repeat steps 5 and 6.

  8. Repeat steps 5 and 6 to add a recursive DNS server that will resolve requests if NetScaler cannot reach ​SIA​.

Command line interface

To configure DNS recursion on Citrix NetScaler using the command line interface:

  1. Establish an SSH connection to the NetScaler appliance.

  2. To configure an ​SIA​ DNS server as a DNS nameserver, enter this command and press Enter:

    add dns nameserver <IP address> -local

    where <IP address> is the IP address of the ​SIA​ recursive DNS server.

  3. To enable DNS recursion, enter this command and press Enter:

    set dns parameter -recursion ENABLED -cacheRecords YES

  4. Repeat step 2 to add a recursive DNS server that will resolve requests if NetScaler cannot reach ​SIA​.

Configure DNS forwarders on Infoblox

Before you begin

Note the IP addresses of the ​SIA​ recursive DNS servers. For more information, see View DNS server information.

To configure DNS forwarders on Infoblox:

  1. From the main navigation menu, click Data Management and then select the DNS tab.

  2. Depending on the Infoblox view:

    • In a Grid view, expand the Toolbar on the right side of the application and select Grid DNS Properties.

    • In a Members view, click the Members tab. Select the member and then click the edit icon.

    • In a DNS view, click the Zones tab. Select the appropriate DNS view and click the edit icon.

  3. Click Forwarders and in the panel that appears click the add icon.

  4. In the provided field, enter the IP address of the primary ​SIA​ recursive DNS server. Click the add icon again and enter the IP address of the secondary ​SIA​ recursive DNS server.

  5. Click Save & Close.

Next steps

If prompted to restart services, click Restart.

Configure split-DNS forwarding on Cisco routers

Before you begin

Note the IP addresses of the ​SIA​ recursive DNS servers. For more information, see View DNS server information.

To separate the DNS resolution of internal domains from external domains, configure split-DNS forwarding with Cisco routers. This lets you use the local DNS server for internal domain resolution for internal applications or resources while directing external domain requests to ​SIA​.

IMAGE_STUB

To configure split-DNS forwarding on Cisco routers:

  1. Log in to the Cisco router:

    1. Open a command prompt or terminal window.

    2. Enter this command:

      telnet <IP address>

      where <IP address> is the IP address of the router. Because telnet sends your credentials in cleartext, use ssh <username>@<IP address> instead if SSH is enabled on the router.

    3. Enter your username and press Enter.

    4. When prompted for your password, enter your password.

  2. Enter this command to access global configuration settings:

    configure terminal

  3. Configure the name servers that the router itself uses so that its own DNS requests go to ​SIA​. Enter this command:

    ip name-server <​SIA​_primaryIP> <​SIA​_secondaryIP>

    where:

    • <​SIA​_primaryIP> is the IP address of the primary ​SIA​ recursive DNS server.

    • <​SIA​_secondaryIP> is the IP address of the secondary ​SIA​ recursive DNS server.

  4. Configure DNS forwarding:

    1. Enter this command to define the default DNS view:

      ip dns view default

    2. Enter this command to define DNS forwarding for incoming DNS requests:

      dns forwarder <​SIA​_primaryIP> <​SIA​_secondaryIP>

      where:

      • <​SIA​_primaryIP> is the IP address of the primary ​SIA​ recursive DNS server.

      • <​SIA​_secondaryIP> is the IP address of the secondary ​SIA​ recursive DNS server.

    3. Enter this command to define an internal DNS view:

      ip dns view internal_dns

    4. Enter this command to forward internal requests to your organization's internal DNS server:

      dns forwarder <Internal_DNS_IP1> <Internal_DNS_IP2>

      where:

      • <Internal_DNS_IP1> is the IP address of your internal DNS server.

      • <Internal_DNS_IP2> is the IP address of your secondary internal DNS server.

  5. Enter this command to configure a list of internal domains that you want the internal DNS server to resolve:

    ip dns name-list <number> permit <domain>

    where:

    • <number> is a number ranging from 1 to 500 that identifies the list.

    • <domain> is a regular expression that matches the internal domain names; regular expression pattern-matching characters are supported. Escape the dots and anchor the pattern so that it matches only your domain and its subdomains, not look-alike names outside it.

  6. Enter these commands to define a view list. The router tries the views in ascending order number, and the first view whose restriction permits the query name handles it, so the internal view must come before the default view.

    1. Enter this command to create the view list:

      ip dns view-list conditional

    2. Enter this command to add the internal view with order number 10:

      view internal_dns 10

    3. Enter this command to restrict that view to the names permitted by name-list 1, the <number> you chose in step 5:

      restrict name-group 1

    4. Enter this command to add the default view with order number 99 so that every other query is forwarded to ​SIA​:

      view default 99

  7. Enter these commands to enable the view list on the router and the DNS service.

    ip dns server view-group conditional

    ip dns server
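The name-list and view-list evaluation that steps 5 through 7 configure, modelled as an added example. This is Python written for this page, not Cisco code and not from Akamai; the addresses are constructed (RFC 5737 and RFC 1918 ranges), the NameList, View and ViewListEntry classes are a hypothetical model of the IOS objects, and it assumes that a name-list pattern must match the whole query name, which is why the patterns are anchored. It shows why the internal view must carry a lower order number than the default view, how a deny entry carves a public host out of an otherwise internal domain, and that a look-alike name such as corp.example.attacker.test is still sent to SIA:

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed addresses (RFC 5737 / RFC 1918 ranges). On the router these are the
# SIA primary/secondary servers and your internal DNS servers.
SIA_FORWARDERS = ["192.0.2.53", "192.0.2.54"]
INTERNAL_FORWARDERS = ["10.0.0.53", "10.0.0.54"]


@dataclass
class NameList:
    """Hypothetical model of: ip dns name-list <number> {permit|deny} <pattern>."""
    number: int
    entries: List[Tuple[str, str]]        # (action, pattern) in configured order

    def permits(self, qname: str) -> bool:
        name = qname.rstrip(".")
        for action, pattern in self.entries:
            # Assumption: the whole query name must match the pattern. Anchor
            # router patterns explicitly so that they cannot match a look-alike
            # such as corp.example.attacker.test.
            if re.fullmatch(pattern, name, re.IGNORECASE):
                return action == "permit"
        return False                      # nothing matched: implicit deny


@dataclass
class View:
    """Hypothetical model of: ip dns view <name> / dns forwarder <addresses>."""
    name: str
    forwarders: List[str]


@dataclass
class ViewListEntry:
    """Hypothetical model of: view <name> <order> [restrict name-group <number>]."""
    view: str
    order: int
    name_group: Optional[int] = None


def select_view(qname: str, view_list: List[ViewListEntry], views: Dict[str, View],
                name_lists: Dict[int, NameList]) -> Optional[Tuple[str, List[str]]]:
    """Walk the view list in order-number sequence; the first view whose
    restriction (if any) permits qname handles it. Returns (view, forwarders)."""
    for entry in sorted(view_list, key=lambda e: e.order):
        if entry.name_group is not None:
            name_list = name_lists.get(entry.name_group)
            if name_list is None or not name_list.permits(qname):
                continue
        view = views[entry.view]
        return view.name, list(view.forwarders)
    return None


# Constructed configuration mirroring the procedure: name-list 1 selects the
# internal domain (with one public host carved out), internal_dns is tried first
# (order 10) restricted to that list, and default (order 99) catches the rest.
NAME_LISTS = {1: NameList(1, [("deny", r"public\.corp\.example"),
                              ("permit", r"(.*\.)?corp\.example")])}
VIEWS = {"internal_dns": View("internal_dns", INTERNAL_FORWARDERS),
         "default": View("default", SIA_FORWARDERS)}
VIEW_LIST = [ViewListEntry("internal_dns", 10, name_group=1),
             ViewListEntry("default", 99)]


def route(qname: str) -> Optional[Tuple[str, List[str]]]:
    """Convenience wrapper over the constructed configuration above."""
    return select_view(qname, VIEW_LIST, VIEWS, NAME_LISTS)


if __name__ == "__main__":
    for q in ["intranet.corp.example.", "public.corp.example",
              "www.example.net", "corp.example.attacker.test"]:
        print(q, "->", route(q))
```

Swapping the two order numbers, or leaving the permit pattern unanchored, is the usual way such a split-DNS setup fails quietly: internal names leak to SIA, or external look-alike names are answered by the internal server.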

Configure DNS forwarding on Unbound

Before you begin

  • Note the IP addresses of the ​SIA​ recursive DNS servers. For more information, see View DNS server information.

  • Confirm that you have a root hints file configured. The root hints file (root.hints) lists the root DNS servers that your enterprise DNS server can contact to resolve names itself if it's unable to reach ​SIA​.

To configure DNS forwarding on an Unbound DNS server:

  1. Log in to the Unbound server.

  2. From a terminal window, use a Linux text editor such as vi or Vim to open the unbound.conf file.

    📘

    The unbound.conf file is usually located at /usr/local/etc/unbound/unbound.conf, but it can also be at /etc/unbound/unbound.conf or /etc/unbound.conf.

  3. Locate the forward-zone area of the file.

  4. Under forward-zone, enter this information. The forward-first setting lets Unbound fall back to normal recursion if neither ​SIA​ server responds; omit it if you want Unbound to answer SERVFAIL instead:

    forward-zone:
        name: "."
        forward-addr: <​SIA​_primary_IP>
        forward-addr: <​SIA​_secondary_IP>
        forward-first: yes

    where:

    • <​SIA​_primary_IP> is the IP address of the primary ​SIA​ recursive server.

    • <​SIA​_secondary_IP> is the IP address of the secondary ​SIA​ recursive server.

  5. In the server: section of the configuration file, enter this line so that Unbound knows where its root hints are when it has to resolve a name itself. The path is relative to the directory: setting unless it is absolute.

    root-hints: "root.hints"

  6. Save these changes.
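The forwarder failover and root-hints fallback that this page describes for Windows (the Use root hints if no forwarders are available option and dnscmd /noslave), BIND (forward first versus forward only) and Unbound (forward-first), shown as an added example. This is Python written for this page, not code from Akamai, Microsoft, ISC or NLnet Labs. It builds a real DNS query, tries each forwarder in turn with a per-forwarder timeout, checks that a reply carries the query's transaction ID and QR bit, and reports whether the answer came from a forwarder, would fall through to root-hints recursion, or fails. The forwarder addresses are constructed (RFC 5737 range), scripted_transport is an offline test double so that the script runs without network access, and treating an upstream SERVFAIL as "no usable reply" is a modelling choice; real products differ on that point.

```python
import os
import socket
import struct
from typing import Callable, Dict, List, Optional, Tuple, Union

# Constructed forwarder addresses (RFC 5737 documentation range). Substitute the
# primary and secondary SIA recursive server addresses from Connection Info.
FORWARDERS = ["192.0.2.53", "192.0.2.54"]
TIMEOUT_SECONDS = 5.0              # same default as dnscmd /TimeOut
NOERROR, SERVFAIL = 0, 2


def build_query(qname: str, qtype: int = 1) -> Tuple[int, bytes]:
    """Encode a standard recursive query (RD=1, class IN). Returns (id, packet)."""
    txid = struct.unpack("!H", os.urandom(2))[0]
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(label)]) + label.encode("ascii")
                      for label in qname.rstrip(".").split("."))
    return txid, header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def check_response(txid: int, packet: bytes) -> int:
    """Return the RCODE of a reply that belongs to our query; raise ValueError
    for anything else (short packet, wrong transaction id, not a response)."""
    if len(packet) < 12:
        raise ValueError("short packet")
    rid, flags = struct.unpack("!HH", packet[:4])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit not set")
    return flags & 0x000F


def udp_transport(addr: str, packet: bytes, timeout: float) -> bytes:
    """Real transport: one UDP datagram to addr:53; reply or socket.timeout."""
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (addr, 53))
        return sock.recvfrom(4096)[0]


def scripted_transport(behaviour: Dict[str, Union[str, int]]) -> Callable:
    """Offline test double (constructed): behaviour maps address -> 'timeout' or
    the RCODE to answer with. Replies echo the question with QR, RD, RA set."""
    def transport(addr: str, packet: bytes, timeout: float) -> bytes:
        outcome = behaviour.get(addr, "timeout")
        if outcome == "timeout":
            raise socket.timeout()
        txid = struct.unpack("!H", packet[:2])[0]
        return struct.pack("!HH", txid, 0x8180 | int(outcome)) + packet[4:]
    return transport


def forward(qname: str, forwarders: List[str], timeout: float = TIMEOUT_SECONDS,
            use_root_hints: bool = True, transport: Callable = udp_transport
            ) -> Tuple[str, Optional[str], Optional[int]]:
    """Query forwarders in order, waiting `timeout` seconds for each before
    moving to the next. Returns (source, address, rcode): 'forwarder' when one
    answered, 'root-hints' when all failed and local recursion is allowed
    (/noslave, forward first, forward-first: yes), or 'servfail' when it is
    not (/slave, forward only)."""
    txid, packet = build_query(qname)
    for addr in forwarders:
        try:
            rcode = check_response(txid, transport(addr, packet, timeout))
        except (socket.timeout, OSError, ValueError):
            continue                      # no usable reply: try the next forwarder
        if rcode == SERVFAIL:
            continue                      # modelling choice: treat like no reply
        return "forwarder", addr, rcode
    if use_root_hints:
        return "root-hints", None, None   # resolver would now recurse from the root
    return "servfail", None, SERVFAIL


if __name__ == "__main__":
    healthy = scripted_transport({"192.0.2.53": NOERROR, "192.0.2.54": NOERROR})
    primary_down = scripted_transport({"192.0.2.53": "timeout", "192.0.2.54": NOERROR})
    all_down = scripted_transport({})
    print(forward("www.example.com", FORWARDERS, transport=healthy))
    print(forward("www.example.com", FORWARDERS, transport=primary_down))
    print(forward("www.example.com", FORWARDERS, transport=all_down))
    print(forward("www.example.com", FORWARDERS, use_root_hints=False, transport=all_down))
```

Run the file to see the four scenarios; pass the real SIA addresses and the default udp_transport to send the query over the wire. The last scenario is the trade-off this page's notes describe: with use_root_hints=False (forward only, /slave) the resolver fails closed with SERVFAIL when SIA is unreachable, while with the fallback enabled it keeps resolving but without SIA policy being applied.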