Whether the access permission from the Local to the Untrust zone shall be enabled when the USG has a DNS proxy configured

No.

Other related questions:
Whether a security policy shall be configured between the zone where the heartbeat interface resides and Local zone
If remote is not set when the heartbeat interfaces are configured, the heartbeat packets are encapsulated into VRRP packets, and the device can properly process them without a security policy. If remote is set when the heartbeat interfaces are configured, the heartbeat packets are encapsulated into UDP packets. In that case, a correct security policy must be configured for the interzone between the Local zone and the security zone where the heartbeat interfaces reside, so that the device can properly send and receive the heartbeat packets.

DNS proxy configuration on the USG6000
You can configure the DNS proxy on the firewall as follows:
1. Run the dns proxy enable command to enable the DNS proxy function, or run the dns relay enable command to enable the DNS relay function.
2. Run the dns server ip-address command to configure the DNS server accessed by the DNS proxy or DNS relay.

Configuring a DNS server on the USG to resolve the domain name of the web proxy server
After a DNS server is configured in the basic virtual gateway view, users can access web proxy resources based on the domain name.
system-view
[sysname] v-gateway abc
[sysname-abc] basic
[sysname-abc-basic] dns-server 10.10.10.1 10.10.10.2 10.10.10

Do S series switches support DNS proxy
S series switches (excluding the S1700) support only the DNS client function. Static and dynamic domain name resolution can be used together. When resolving a domain name, the switch first uses static domain name resolution and queries the local static domain name resolution table. If static domain name resolution fails, the switch uses dynamic domain name resolution and sends a DNS request to the DNS server. Dynamic domain name resolution takes some time and requires the DNS server. You can add some common domain names to the static domain name resolution table to improve the resolution efficiency.
Huawei S series switches support static and dynamic domain name resolution. The configuration procedure is as follows:
1. Configure static domain name resolution.
[Huawei] ip host hostB 10.4.1.1 //Configure a static DNS entry.
2. Configure dynamic domain name resolution.
[Huawei] dns resolve //Enable dynamic DNS resolution.
[Huawei] dns server 10.3.1.2 //Configure the DNS server's IP address.
[Huawei] dns domain net //Configure the DNS domain name suffix.

Transparent DNS proxy configuration on the USG6000
The principle for configuring the transparent DNS proxy on the USG6000 is as follows: By configuring the transparent DNS proxy on the NGFW, DNS request packets of intranet users are distributed to DNS servers of ISP1 and ISP2 based on a ratio of 2:1. In this way, network access traffic of the intranet users is also distributed to the DNS servers of ISP1 and ISP2 based on a ratio of 2:1. The smart routing function is required to select an outbound interface. In addition, the ISP address library routing function must be configured.
The configuration procedure is as follows:
1. Configure the transparent DNS proxy function. Bind the DNS server address with the outbound interface. Specify the address of the DNS server serving as the transparent DNS proxy, and configure the domain names to be excluded.
2. Configure the ISP address library routing function. If the preset ISP address file is used, skip this step. If a new ISP address file is imported, configure the ISP name and specify the mapping between the ISP name and the ISP address file.
3. Configure the outbound interface. Configure the interface IP address, gateway, bandwidth, bandwidth overload protection threshold, and ISP name corresponding to the interface.
4. Configure the global routing policy. Set the smart routing mode to load balancing, and set outbound interfaces that are directly connected to the NGFW, ISP1 network, and ISP2 network as member interfaces of the smart routing function.
For specific configurations, see Method Used to Configure Transparent DNS Proxy on the USG6000.
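The 2:1 distribution described above can be modelled in a few lines of Python to predict what the DNS request logs should show after the change. This is an added illustration, not Huawei code or USG configuration. The server addresses, the excluded domain, the smooth weighted round-robin selection and the handling of excluded names are assumptions; the page states only the ratio and that excluded domains can be configured.

```python
from collections import Counter

# Constructed sample values (documentation address ranges), not from the page.
ISP_DNS = {"ISP1": ("203.0.113.53", 2), "ISP2": ("198.51.100.53", 1)}
EXCLUDED = {"intranet.example"}  # hypothetical excluded domain


class TransparentDnsProxy:
    """Model of a proxy that rewrites the DNS server of client queries by weight."""

    def __init__(self, servers, excluded):
        self.servers = servers
        self.excluded = {d.lower().rstrip(".") for d in excluded}
        self.current = {name: 0 for name in servers}

    def is_excluded(self, qname):
        # Assumption: an excluded domain also covers its subdomains.
        q = qname.lower().rstrip(".")
        return any(q == d or q.endswith("." + d) for d in self.excluded)

    def pick(self, qname, original_dst):
        """Return (isp, dns_server) chosen for one query."""
        if self.is_excluded(qname):
            # Assumption: excluded names keep the DNS server the client chose.
            return (None, original_dst)
        # Smooth weighted round-robin: raise every counter by its weight,
        # take the largest, then lower the winner by the total weight.
        total = sum(weight for _, weight in self.servers.values())
        for name, (_, weight) in self.servers.items():
            self.current[name] += weight
        best = max(self.current, key=self.current.get)
        self.current[best] -= total
        return (best, self.servers[best][0])


def simulate(qnames, original_dst="192.0.2.53"):
    """Run a list of query names through a fresh proxy model."""
    proxy = TransparentDnsProxy(ISP_DNS, EXCLUDED)
    return [proxy.pick(q, original_dst) for q in qnames]


def distribution(results):
    """Count proxied queries per ISP, ignoring excluded names."""
    return Counter(isp for isp, _ in results if isp is not None)


if __name__ == "__main__":
    print(distribution(simulate(["www.example.com"] * 9)))
```

Comparing the per-ISP counts from the firewall's DNS logs against this expected split is a quick way to confirm that the proxy and the excluded-domain list behave as configured.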
