Configure DNS

The Domain Name System (DNS) servers are used to resolve hostnames to IP addresses. There are two DNS server settings that apply to different types of traffic: data and special management traffic. Data traffic includes any services that use FQDNs for which a DNS lookup is necessary, such as access control rules and remote access VPN. Special management traffic includes traffic originating on the Management interface such as configuration and database updates. This procedure only applies to data DNS servers. For management DNS settings, see the CLI configure network dns servers and configure network dns searchdomains commands.

To determine the correct interface for DNS server communications, the managed device uses a routing lookup, but which routing table is used depends on the interfaces for which you enable DNS. See the interface settings below for more information.

You can configure trusted DNS services for DNS snooping using the Trusted DNS Servers tab. DNS snooping is used to map application domains to IP addresses so that the application can be detected on the first packet. Apart from configuring trusted DNS servers explicitly, you can include the servers already configured in the DNS server group, DHCP pool, DHCP relay, and DHCP client settings as trusted DNS servers.

Note

For an application-based PBR, you must configure trusted DNS servers. You must also ensure that the DNS traffic passes through FTD in a clear-text format (encrypted DNS is not supported) so that domains can be resolved to detect applications.

Before you begin

  • Ensure you have created a DNS server group. For instructions, see Creating DNS Server Group Objects.

  • Ensure that the managed device has appropriate static or dynamic routes to access the DNS servers.

Procedure


Step 1

Select Devices > Platform Settings and create or edit a Threat Defense policy.

Step 2

Click DNS.

Step 3

Click the DNS Settings tab.

Step 4

Check Enable DNS name resolution by device.

Step 5

Choose the DNS Server Group that you have already created.

Step 6

(Optional) Enter the Expire Entry Timer and Poll Timer values in minutes.

These options apply only to FQDNs that are specified in network objects. They do not apply to FQDNs used in other features.

  • Expire Entry Timer specifies the minimum time-to-live (TTL) for the DNS entry, in minutes. If the expiration timer is longer than the entry's TTL, the TTL is increased to the expire entry time value. If the TTL is longer than the expiration timer, the expire entry time value is ignored: no additional time is added to the TTL in this case. Upon expiration, the entry is removed from the DNS lookup table. Removing an entry requires that the table be recompiled, so frequent removals can increase the processing load on the device. Because some DNS entries can have very short TTLs (as short as three seconds), you can use this setting to virtually extend the TTL. The default is 1 minute (that is, the minimum TTL for all resolutions is 1 minute). The range is 1 to 65535 minutes.

    Note that for systems running 7.0 or earlier, the expiration time is actually added to the TTL: it does not specify a minimum value.

  • Poll Timer specifies the time limit after which the device queries the DNS server to resolve the FQDN that was defined in a network object. An FQDN is resolved periodically either when the poll timer has expired, or when the TTL of the resolved IP entry has expired, whichever occurs first.
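To make the Step 6 timer rules concrete, here is an added Python model of the behaviour described above; it is illustrative code, not Cisco's implementation. The 3-second record TTL and the 240-minute poll timer in the scenario are constructed values, the `legacy` flag models the 7.0-and-earlier additive behaviour, and the lower bound of 1 minute on the poll timer is an assumption.

```python
# Added illustrative model of the Expire Entry Timer / Poll Timer semantics
# described on this page (not Cisco code). The `legacy` flag models the
# 7.0-and-earlier behaviour, where the timer is added to the record TTL.
import math


def effective_ttl_seconds(record_ttl_s: int, expire_entry_min: int,
                          legacy: bool = False) -> int:
    """Return the TTL the device actually keeps a resolved FQDN entry for.

    7.1 and later: Expire Entry Timer is a floor, so the larger value wins.
    7.0 and earlier (legacy=True): the timer is added to the record TTL.
    """
    if not 1 <= expire_entry_min <= 65535:
        raise ValueError("Expire Entry Timer must be 1..65535 minutes")
    if record_ttl_s < 0:
        raise ValueError("TTL cannot be negative")
    expire_s = expire_entry_min * 60
    return record_ttl_s + expire_s if legacy else max(record_ttl_s, expire_s)


def next_refresh_seconds(effective_ttl_s: int, poll_timer_min: int) -> int:
    """Seconds until the FQDN is re-resolved: poll timer or TTL expiry,
    whichever occurs first. The >= 1 minute check is an assumption."""
    if poll_timer_min < 1:
        raise ValueError("Poll Timer must be at least 1 minute")
    return min(effective_ttl_s, poll_timer_min * 60)


def lookups_per_window(record_ttl_s: int, expire_entry_min: int,
                       poll_timer_min: int, window_s: int,
                       legacy: bool = False) -> int:
    """Count the DNS queries sent for one network-object FQDN during
    window_s seconds, starting with an initial lookup at t=0."""
    interval = next_refresh_seconds(
        effective_ttl_seconds(record_ttl_s, expire_entry_min, legacy),
        poll_timer_min)
    return math.ceil(window_s / interval)


if __name__ == "__main__":
    # Constructed scenario: a record with a 3-second TTL (the short case the
    # documentation mentions) and a constructed 240-minute poll timer.
    for expire in (1, 5):
        print(f"Expire Entry Timer={expire} min -> "
              f"{lookups_per_window(3, expire, 240, 3600)} lookups per hour")
```

Raising the Expire Entry Timer from 1 to 5 minutes cuts the re-resolutions of that 3-second record from 60 to 12 per hour, which is the load reduction the paragraph above describes.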

Step 7

Enable DNS lookups on all interfaces or on specific interfaces. These choices also affect which routing tables are used.

Note that enabling DNS lookups on an interface is not the same as specifying the source interface for lookups. The FTD always uses a route lookup to determine the source interface. Management-only interfaces other than the dedicated Management interface cannot be used.

  • Routing—Enables DNS lookups on all interfaces. The FTD checks the data routing table only.

  • Specific Interfaces but not the Enable DNS Lookup via diagnostic/management interface also option—Enables DNS lookups on the specified interfaces. The FTD checks the data routing table only.

  • Specific Interfaces plus the Enable DNS Lookup via diagnostic/management interface also option—Enables DNS lookups on the specified interfaces and the Management interface. The FTD checks the data routing table, and if no route is found, falls back to the management-only routing table.

  • Only the Enable DNS Lookup via diagnostic/management interface also option—Enables DNS lookups on Management. The FTD checks only the management-only routing table.

Step 8

To configure the trusted DNS servers, click the Trusted DNS Servers tab.

Step 9

By default, the existing DNS servers that are configured in DHCP pool, DHCP relay, DHCP client, or DNS server group are included as trusted DNS servers. If you want to exclude any of them, uncheck the appropriate check boxes.

Step 10

To add trusted DNS servers, under Specify DNS Servers, click Edit.

Step 11

In the Select DNS Servers dialog box, either choose a host object as the trusted DNS server or directly specify the IP address of the trusted DNS server:

  1. To choose existing host objects, under Available Host Objects, select the required host object and click Add to add it to Selected DNS Servers. For information on creating host objects, see Creating Network Objects.

  2. To provide the IP address (IPv4 or IPv6) of the trusted DNS server directly, enter the address in the text field and click Add to add it to Selected DNS Servers.

  3. Click Save. The added DNS servers are displayed in the Trusted DNS Servers page.

Note

You can configure a maximum of 12 DNS servers per policy.

Step 12

(Optional) To find a DNS server that was added, enter either its host name or its IP address in the search field under Specify DNS Servers.

Step 13

Click Save.


What to do next

To use FQDN objects in access control rules, create an FQDN network object, which can then be assigned to an access control rule. For instructions, see Creating Network Objects.