Application scenarios of the USG6000 DNS transparent proxy


The DNS transparent proxy function of the firewall can change the destination addresses of selected DNS request packets to the DNS server addresses of other ISPs (for example, the DNS server address of ISP2). Because the DNS requests are forwarded to different ISPs, the web server addresses obtained through resolution belong to different ISPs, and the resulting Internet access traffic is forwarded over different ISP links. This prevents one link from being congested while other links sit idle, and ensures that all link resources are fully used.

Other related questions:
Application scenarios of the USG9000 DNS transparent proxy
The description is identical to the USG6000 case above: the firewall changes the destination addresses of selected DNS request packets to the DNS server addresses of other ISPs (for example, the DNS server address of ISP2), so that resolved web server addresses and the resulting Internet access traffic are spread across different ISP links, preventing one link from being congested while others sit idle.

Transparent DNS proxy configuration on the USG6000
The principle for configuring the transparent DNS proxy on the USG6000 is as follows: by configuring the transparent DNS proxy on the NGFW, the DNS request packets of intranet users are distributed to the DNS servers of ISP1 and ISP2 at a ratio of 2:1. As a result, the network access traffic of the intranet users is likewise distributed between ISP1 and ISP2 at a ratio of 2:1. The smart routing function is required to select an outbound interface, and the ISP address library routing function must also be configured. The configuration procedure is as follows:
1. Configure the transparent DNS proxy function. Bind the DNS server address to the outbound interface, specify the address of the DNS server that serves as the transparent DNS proxy, and configure the domain names to be excluded.
2. Configure the ISP address library routing function. If the preset ISP address file is used, skip this step. If a new ISP address file is imported, configure the ISP name and specify the mapping between the ISP name and the ISP address file.
3. Configure the outbound interface. Configure the interface IP address, gateway, bandwidth, bandwidth overload protection threshold, and the ISP name corresponding to the interface.
4. Configure the global routing policy. Set the smart routing mode to load balancing, and set the outbound interfaces that directly connect the NGFW to the ISP1 and ISP2 networks as member interfaces of the smart routing function.
For specific configurations, see Method Used to Configure Transparent DNS Proxy on the USG6000.

Differences between the smart DNS and the transparent DNS proxy supported by the USG6000
The USG6000 supports both the smart DNS and the transparent DNS proxy.
Similarities:
(1) Both the smart DNS and the transparent DNS proxy provide the DNS service.
(2) Both provide appropriate access paths for users by intervening in DNS behavior.
(3) Both are implemented by the firewall, not by a DNS server.
Differences:
(1) The application scenarios differ. The transparent DNS proxy controls the path used by users inside the enterprise zone to access external network resources and aims to improve the bidirectional bandwidth usage of the outbound interfaces; the smart DNS controls the path used by users outside the enterprise zone (Internet users) to access internal servers and aims to select the shortest path so as to avoid inter-ISP access.
(2) The DNS server locations differ. The DNS server used by the transparent DNS proxy is deployed on the ISP side, whereas the DNS server used by the smart DNS is deployed on the enterprise side.
(3) The user locations, the locations of the accessed resources, and the access directions differ.

Mechanism of transparent DNS proxy on the USG9000
The DNS transparent proxy process is as follows:
1. An administrator determines which DNS requests require DNS transparent proxy based on a DNS transparent proxy policy. Because the policy is matched only on the source and destination addresses of the DNS requests, DNS transparent proxy works regardless of the DNS server address configured on the client (in the extreme case, no DNS server address is set at all), which implements DNS server redirection and error correction. If the FW has multiple DNS transparent proxy policies, DNS requests are matched against them in configuration order. As soon as one policy matches, the action specified in that policy is taken and policy matching stops. You are therefore advised to configure policies with narrow matching scopes first.
2. When a DNS request matches a DNS transparent proxy policy that requires DNS transparent proxy, the FW first checks whether the domain name is an exception. If it is, the FW does not perform DNS transparent proxy. If it is not, the FW marks the DNS request for DNS transparent proxy in the subsequent process. For an exception domain name that must be resolved by another DNS server, the FW changes the destination address of the DNS request to that DNS server's address.
3. The FW searches for a route for the DNS request (a policy-based route, static route, or dynamic route) to determine the outgoing interface. If intelligent uplink selection (Global Route Selection Policy or PBR-based Intelligent Uplink Selection) is configured on the FW and the DNS request matches the corresponding equal-cost route or policy-based route, the FW forwards the DNS request based on the intelligent uplink selection result. Note that the intelligent uplink selection result is dynamic and is determined by the uplink selection mode and the real-time link status; the result may differ even when a user accesses the same domain name twice.
4. A maximum of two DNS servers can be bound to each outgoing interface on the FW, one primary and one secondary. Both DNS servers belong to the ISP network directly connected to that outgoing interface. After the FW determines the outgoing interface of the DNS request, the DNS transparent proxy function preferentially replaces the destination address of the DNS request with the primary DNS server address; the secondary DNS server address is used only when the primary DNS server is down. The FW performs DNS transparent proxy only when a DNS server is bound to the outgoing interface and the DNS request carries a DNS transparent proxy mark.
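As an added illustration (written for this page, not Huawei code or configuration), the following Python model walks a DNS request through the four steps above: policy matching on source/destination only with first-match-wins, the exception domain check (including an exception pinned to a different server), outgoing interface selection, and replacement of the destination with the interface's primary or secondary DNS server. The 2:1 ISP1:ISP2 split from the USG6000 configuration principle earlier on this page is modelled as a weighted round-robin stand-in for the dynamic smart routing result, which is an assumption; all addresses, policy names and interface names are constructed sample data.

```python
"""Model of the DNS transparent proxy decision process (added example)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class ProxyPolicy:
    """Policy matched on source and destination address only (step 1)."""
    name: str
    src: str          # CIDR of client addresses
    dst: str          # CIDR of the DNS server address the client used
    proxy: bool       # True: apply transparent proxy; False: leave request alone

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst))


@dataclass
class Uplink:
    """Outgoing interface with up to two DNS servers of its ISP bound (step 4)."""
    name: str
    weight: int                        # share in load-balancing mode (2:1 in the text)
    primary_dns: Optional[str] = None
    secondary_dns: Optional[str] = None
    primary_down: bool = False


@dataclass
class DnsRequest:
    src_ip: str
    dst_ip: str      # DNS server configured on the client; 0.0.0.0 models "none set"
    qname: str


@dataclass
class TransparentProxy:
    policies: list                                   # checked in configuration order
    uplinks: list                                    # smart routing member interfaces
    exceptions: dict = field(default_factory=dict)   # domain -> alternate server or None
    _counter: int = 0

    def select_policy(self, req: DnsRequest) -> Optional[ProxyPolicy]:
        for p in self.policies:           # first match wins, matching then stops
            if p.matches(req.src_ip, req.dst_ip):
                return p
        return None

    def exception_server(self, qname: str):
        """Return (is_exception, alternate_server); suffix match on the domain."""
        for domain, alt in self.exceptions.items():
            if qname == domain or qname.endswith("." + domain):
                return True, alt
        return False, None

    def select_uplink(self) -> Optional[Uplink]:
        """Weighted round-robin stand-in (assumption) for the dynamic uplink result."""
        total = sum(u.weight for u in self.uplinks)
        if total == 0:
            return None
        slot = self._counter % total
        self._counter += 1
        for u in self.uplinks:
            if slot < u.weight:
                return u
            slot -= u.weight
        return None

    def handle(self, req: DnsRequest):
        """Return (new_destination, uplink_name, reason) for one DNS request."""
        policy = self.select_policy(req)
        if policy is None:
            return req.dst_ip, None, "no policy matched"
        if not policy.proxy:
            return req.dst_ip, None, "policy excludes request"
        is_exc, alt = self.exception_server(req.qname)
        if is_exc:                        # step 2: exceptions are not marked
            return (alt or req.dst_ip), None, "exception domain"
        uplink = self.select_uplink()     # step 3: outgoing interface
        if uplink is None or uplink.primary_dns is None:
            return req.dst_ip, getattr(uplink, "name", None), "no DNS server bound"
        if uplink.primary_down and uplink.secondary_dns:
            return uplink.secondary_dns, uplink.name, "primary down, using secondary"
        return uplink.primary_dns, uplink.name, "rewritten to primary"


def build_sample_proxy() -> TransparentProxy:
    """Constructed sample configuration: narrow exclusion policy first, then the
    broad user policy; ISP1 weighted 2, ISP2 weighted 1; two exception domains."""
    return TransparentProxy(
        policies=[
            ProxyPolicy("servers-no-proxy", "10.1.2.0/24", "0.0.0.0/0", proxy=False),
            ProxyPolicy("users-proxy", "10.1.0.0/16", "0.0.0.0/0", proxy=True),
        ],
        uplinks=[
            Uplink("GE0/0/1-ISP1", weight=2, primary_dns="192.0.2.53",
                   secondary_dns="192.0.2.54"),
            Uplink("GE0/0/2-ISP2", weight=1, primary_dns="198.51.100.53"),
        ],
        exceptions={"intranet.example": None, "mail.example": "203.0.113.53"},
    )


def run_demo() -> list:
    """Feed constructed requests through the model and collect the decisions."""
    proxy = build_sample_proxy()
    results = []
    for _ in range(3):   # same client, same name: 2:1 spread across ISP1/ISP2
        results.append(proxy.handle(DnsRequest("10.1.1.10", "8.8.8.8", "www.example.com")))
    results.append(proxy.handle(DnsRequest("10.1.2.5", "8.8.8.8", "www.example.com")))
    results.append(proxy.handle(DnsRequest("10.1.1.10", "8.8.8.8", "host.intranet.example")))
    results.append(proxy.handle(DnsRequest("10.1.1.10", "8.8.8.8", "mail.example")))
    proxy.uplinks[0].primary_down = True   # ISP1 primary goes down
    results.append(proxy.handle(DnsRequest("10.1.1.10", "0.0.0.0", "www.example.com")))
    return results


if __name__ == "__main__":
    for r in run_demo():
        print(r)
```

The last request deliberately carries no usable client DNS address (0.0.0.0): because matching is on source and destination only and the bound server replaces the destination, the request still reaches ISP1's secondary server, which is the "error correction" behaviour the text describes.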

DNS proxy configuration on the USG6000
You can configure the DNS proxy on the firewall as follows:
1. Run the dns proxy enable command to enable the DNS proxy function, or run the dns relay enable command to enable the DNS relay function.
2. Run the dns server ip-address command to configure the DNS server accessed by the DNS proxy or DNS relay.
