Configure DNS
The Domain Name System (DNS) servers are used to resolve hostnames to IP addresses. There are two DNS server settings that apply to different types of traffic: data and special management traffic. Data traffic includes any services that use FQDNs for which a DNS lookup is necessary, such as access control rules and remote access VPN. Special management traffic includes traffic originating on the Management interface such as configuration and database updates. This procedure only applies to data DNS servers. For management DNS settings, see the CLI configure network dns servers and configure network dns searchdomains commands.
To determine the correct interface for DNS server communications, the managed device uses a routing lookup, but which routing table is used depends on the interfaces for which you enable DNS. See the interface settings below for more information.
You can configure trusted DNS services for DNS snooping using the Trusted DNS Servers tab. DNS snooping is used to map the application domains to IPs in order to detect the application on the first packet. Apart from configuring the trusted DNS servers, you can include the already configured servers in DNS group, DHCP pool, DHCP relay and DHCP client as trusted DNS servers.
Note | For an application-based PBR, you must configure trusted DNS servers. You must also ensure that the DNS traffic passes through FTD in a clear-text format (encrypted DNS is not supported) so that domains can be resolved to detect applications. |
Before you begin
-
Ensure you have created a DNS server group. For instructions, see Creating DNS Server Group Objects.
-
Ensure that the managed device has appropriate static or dynamic routes to access the DNS servers.
Procedure
Step 1 | Select and create or edit a Threat Defense policy. | ||
Step 2 | Click DNS. | ||
Step 3 | Click the DNS Settings tab. | ||
Step 4 | Check Enable DNS name resolution by device. | ||
Step 5 | Choose the DNS Server Group that you have already created. | ||
Step 6 | (Optional) Enter the Expiry Entry Timer and Poll Timer values in minutes. These options apply to FQDNs that are specified in network objects only. These do not apply to FQDNs used in other features.
| ||
Step 7 | Enable DNS lookups on all interfaces or on specific interfaces. These choices also affect which routing tables are used. Note that enabling DNS lookups on an interface is not the same as specifying the source interface for lookups. The FTD always uses a route lookup to determine the source interface. Management-only interfaces other than the dedicated Management interface cannot be used.
| ||
Step 8 | To configure the trusted DNS servers, click the Trusted DNS Servers tab. | ||
Step 9 | By default, the existing DNS servers that are configured in DHCP pool, DHCP relay, DHCP client, or DNS server group are included as trusted DNS servers. If you want to exclude any of them, uncheck the appropriate check boxes. | ||
Step 10 | To add trusted DNS servers, under Specify DNS Servers, click Edit. | ||
Step 11 | In the Select DNS Servers dialog box, either choose a host object as the trusted DNS server or directly specify the IP address of the trusted DNS server:
| ||
Step 12 | (Optional) To search for a DNS server that was added, using either the host name or the IP address, use the search field under Specify DNS Servers. | ||
Step 13 | Click Save. |
What to do next
To use FQDN objects for access control rules, create an FQDN network object which can then be assigned to an access control rule. For instructions see, Creating Network Objects.