DNS on the USG9000 series


The Domain Name System (DNS) is the TCP/IP host naming mechanism that maps character-string domain names to IP addresses. It lets users refer to hosts by easy-to-remember, meaningful names, which are then resolved to the IP addresses that network devices actually use to forward traffic.

Other related questions:
NAT on the USG9000 series
NAT is an address translation technology that converts an address in an IPv4 packet header into another address. Generally, NAT converts the private addresses in IPv4 packet headers into public addresses so that users on a private network can access the Internet concurrently through a small number of public addresses. It is usually used to address the public IPv4 address shortage caused by the continued growth of the Internet.

Application scenarios of the USG9000 DNS transparent proxy
The DNS transparent proxy function of the firewall can rewrite the destination address of selected DNS request packets to the DNS server address of another ISP (for example, the DNS server address of ISP2). Because the DNS requests are forwarded to different ISPs, the web server addresses obtained through resolution belong to different ISPs, and the resulting Internet access traffic is forwarded over different ISP links. This prevents one link from being congested while the other links sit idle, and ensures that all link resources are used.

DNS proxy working mechanism on the USG9000
The working process of DNS proxy is as follows:
1. The DNS client sends a request packet to the DNS proxy. The destination address of the request packet is the IP address of the DNS proxy.
2. After receiving the request packet, the DNS proxy searches the DNS entries saved in its local domain name resolution table.
   - If mapping information exists, the DNS proxy sends a reply packet carrying the resolution result to the DNS client.
   - If no mapping information exists, the DNS proxy forwards the request packet to the DNS server for resolution.
3. After receiving the reply packet from the DNS server, the DNS proxy records the resolution result in its local table and forwards the reply packet to the DNS client.
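The three steps above, as an added example that is not part of the original page and not USG9000 code. It models the proxy as a small caching resolver in front of a stand-in upstream server; the class names, the constructed record table and the default TTL are this example's own assumptions.

```python
# Added example (not USG9000 code): a caching DNS proxy that follows the
# request -> local table -> upstream server -> record-and-reply flow.
# Upstream, DnsProxy and their record tables are assumptions of this example.
from dataclasses import dataclass, field
import time


@dataclass
class Upstream:
    """Stand-in for the real DNS server; answers from a constructed table."""
    records: dict                                   # name -> IP address
    queries: list = field(default_factory=list)     # names actually forwarded

    def query(self, name):
        self.queries.append(name)
        return self.records.get(name)               # None models NXDOMAIN


@dataclass
class DnsProxy:
    upstream: Upstream
    table: dict = field(default_factory=dict)       # name -> (ip, expiry time)
    ttl: float = 300.0                              # assumed lifetime of a recorded result

    def resolve(self, name, now=None):
        """Return (address, source) where source is 'cache', 'upstream' or 'nxdomain'."""
        now = time.monotonic() if now is None else now
        name = name.rstrip(".").lower()             # normalise trailing dot and case
        # Step 2: search the local domain name resolution table first.
        hit = self.table.get(name)
        if hit is not None and hit[1] > now:
            return hit[0], "cache"
        # Step 2b: no valid mapping, so send the request to the DNS server.
        ip = self.upstream.query(name)
        if ip is None:
            return None, "nxdomain"                 # negative answers are not recorded here
        # Step 3: record the result, then reply to the client.
        self.table[name] = (ip, now + self.ttl)
        return ip, "upstream"


if __name__ == "__main__":
    up = Upstream({"www.example.com": "192.0.2.10"})   # constructed record
    proxy = DnsProxy(up)
    print(proxy.resolve("www.example.com", now=0))     # answered by upstream
    print(proxy.resolve("WWW.example.com.", now=10))   # answered from the local table
```

Expiring recorded entries matters in practice: whatever the proxy stores in its table is what every client behind it receives until the entry ages out, so the table should never hold answers longer than their TTL.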

Mechanism of transparent DNS proxy on the USG9000
The process of DNS transparent proxy is as follows:
1. An administrator determines which DNS requests require DNS transparent proxy through a DNS transparent proxy policy. Because the policy is matched only on the source and destination addresses of the DNS request, DNS transparent proxy works regardless of which DNS server address is configured on the client (in the extreme case, no DNS server address is set at all), which implements DNS server redirection and error correction. If the FW has multiple DNS transparent proxy policies, DNS requests are matched against the policies in configuration order. As soon as one policy matches, the action specified in that policy is taken and policy matching ends. You are therefore advised to configure policies with narrow matching scopes first.
2. When a DNS request matches a DNS transparent proxy policy whose action requires DNS transparent proxy, the FW first checks whether the requested domain name is an exception. If it is, the FW does not perform DNS transparent proxy. If it is not, the FW marks the DNS request for DNS transparent proxy in the subsequent processing. For an exception that must be resolved by a different DNS server, the FW changes the destination address of the DNS request to that DNS server's address.
3. The FW searches for a route for the DNS request (a policy-based route, static route, or dynamic route) to determine the outgoing interface. If intelligent uplink selection (Global Route Selection Policy or PBR-based Intelligent Uplink Selection) is configured on the FW and the DNS request matches the corresponding equal-cost route or policy-based route, the FW forwards the DNS request according to the intelligent uplink selection result. Note that this result is dynamic and depends on the uplink selection mode and the real-time link status: it may differ even when a user accesses the same domain name twice.
4. A maximum of two DNS servers can be bound to each outgoing interface on the FW, one primary and one secondary. Both belong to the ISP network directly connected to that outgoing interface. After the FW determines the outgoing interface of the DNS request, DNS transparent proxy preferentially replaces the destination address of the DNS request with the primary DNS server address; the secondary DNS server address is used only when the primary DNS server is Down. The FW performs DNS transparent proxy only when a DNS server is bound to the outgoing interface and the DNS request carries the DNS transparent proxy mark.
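The four-step decision above, as an added example that is not part of the original page and not USG9000 code. It models first-match policy lookup, domain exceptions (with or without a redirect server), a longest-prefix route lookup standing in for the route search, and the primary/secondary binding per outgoing interface. The policy, route and interface structures, the behaviour when both bound servers are Down, and every address and name used are this example's assumptions; intelligent uplink selection is not modelled.

```python
# Added example (not USG9000 code): the DNS transparent proxy destination
# decision. Policy, Interface, Firewall and the constructed configuration
# below are assumptions of this example, not the product's own data model.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Policy:
    src: str                     # source network of the DNS request
    dst: str                     # destination network (the DNS server the client chose)
    proxy: bool                  # True: mark the request for transparent proxy
    # domain (or parent domain) -> None (leave as-is) or a specific server to use
    exceptions: dict = field(default_factory=dict)


@dataclass
class Interface:
    name: str
    primary: Optional[str] = None    # bound primary DNS server, if any
    secondary: Optional[str] = None  # bound secondary DNS server, if any


@dataclass
class Firewall:
    policies: list                   # matched in configuration order, first match wins
    routes: list                     # (network, interface name); longest prefix wins
    interfaces: dict                 # interface name -> Interface
    down: set = field(default_factory=set)   # DNS servers currently Down

    def _match_policy(self, src, dst):
        for p in self.policies:
            if (ip_address(src) in ip_network(p.src, strict=False)
                    and ip_address(dst) in ip_network(p.dst, strict=False)):
                return p
        return None

    def _exception(self, policy, qname):
        """Match the name or any parent domain against the policy's exceptions."""
        labels = qname.rstrip(".").lower().split(".")
        for i in range(len(labels)):
            key = ".".join(labels[i:])
            if key in policy.exceptions:
                return True, policy.exceptions[key]
        return False, None

    def _out_iface(self, dst):
        best = None
        for net, name in self.routes:
            n = ip_network(net, strict=False)
            if ip_address(dst) in n and (best is None or n.prefixlen > best[0].prefixlen):
                best = (n, name)
        return best[1] if best else None

    def dns_destination(self, src, dst, qname):
        """Return (destination address the request is sent to, reason)."""
        policy = self._match_policy(src, dst)                     # step 1
        if policy is None:
            return dst, "no-policy"
        if not policy.proxy:
            return dst, "policy-no-proxy"
        is_exc, server = self._exception(policy, qname)           # step 2
        if is_exc:
            return (server if server else dst), "exception"
        out = self._out_iface(dst)                                # step 3
        iface = self.interfaces.get(out) if out else None
        if iface is None or iface.primary is None:                # step 4: no binding
            return dst, "no-binding"
        if iface.primary not in self.down:
            return iface.primary, f"{iface.name}:primary"
        if iface.secondary and iface.secondary not in self.down:
            return iface.secondary, f"{iface.name}:secondary"
        return dst, "all-down"   # assumption: page does not say what happens here


def build_example_firewall():
    """Constructed configuration used by the usage call and the checks."""
    return Firewall(
        policies=[
            Policy("10.1.1.0/24", "0.0.0.0/0", True,
                   exceptions={"corp.example": "10.9.9.53", "intranet.example": None}),
            Policy("10.1.0.0/16", "0.0.0.0/0", False),   # broader policy configured later
        ],
        routes=[("0.0.0.0/0", "isp1"), ("203.0.113.0/24", "isp2")],
        interfaces={
            "isp1": Interface("isp1", "198.51.100.53", "198.51.100.54"),
            "isp2": Interface("isp2", "203.0.113.53"),
            "dmz": Interface("dmz"),
        },
    )


if __name__ == "__main__":
    fw = build_example_firewall()
    print(fw.dns_destination("10.1.1.7", "8.8.8.8", "www.example.com"))
```

The exception list is the part to get right operationally: any internal domain that must not be resolved by the ISP's server needs an entry, otherwise the narrow policy above silently redirects those queries to the ISP.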

Application scenarios of smart DNS on the USG9000
If a DNS server is deployed on the intranet, you can enable smart DNS on the FW so that it answers DNS requests from users on different ISP networks with the most appropriate address for each user (the address that is on the same ISP network as the user). When the user then initiates access traffic (data traffic), that address is used as the destination, so the traffic is forwarded over the user's own ISP network to the intranet Web server address that serves that ISP network. The user's traffic therefore does not detour through another ISP's network to reach the Web server, which gives the shortest Web access delay and the best service experience.
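The selection rule described above, as an added example that is not part of the original page and not USG9000 code: classify the requester by the ISP address space its source address falls in (longest prefix wins), then return the Web server address published for that ISP. The ISP networks, the record layout, all addresses and the fallback to a default ISP when the requester matches no known ISP are this example's assumptions.

```python
# Added example (not USG9000 code): smart DNS answer selection by the
# requester's ISP. ISP_NETS, RECORDS and the default-ISP fallback are
# constructed assumptions of this example.
from ipaddress import ip_address, ip_network

# ISP address spaces as the firewall would be configured with them (constructed).
ISP_NETS = {
    "isp1": ["198.51.100.0/24"],
    "isp2": ["203.0.113.0/24", "203.0.113.128/25"],   # the /25 is a more specific isp2 block
}

# For each name, the address of the same intranet Web server on each ISP link (constructed).
RECORDS = {
    "www.example.com": {"isp1": "198.51.100.80", "isp2": "203.0.113.80"},
}


def isp_of(src_ip):
    """Return the ISP whose address space contains src_ip (longest prefix), or None."""
    addr = ip_address(src_ip)
    best = None                                   # (prefix length, isp)
    for isp, nets in ISP_NETS.items():
        for net in nets:
            n = ip_network(net, strict=False)
            if addr in n and (best is None or n.prefixlen > best[0]):
                best = (n.prefixlen, isp)
    return best[1] if best else None


def smart_answer(src_ip, qname, default_isp="isp1"):
    """Return the address to put in the reply for this requester, or None if unknown name."""
    answers = RECORDS.get(qname.rstrip(".").lower())
    if answers is None:
        return None
    isp = isp_of(src_ip)
    # Requester outside every known ISP: fall back to one configured ISP's
    # address (assumption; the page does not describe this case).
    return answers.get(isp) or answers[default_isp]


if __name__ == "__main__":
    print(smart_answer("203.0.113.200", "www.example.com"))   # isp2 user gets the isp2 address
    print(smart_answer("198.51.100.9", "www.example.com."))   # isp1 user gets the isp1 address
```

The requester address the firewall sees is what drives the choice, so a user whose requests arrive through a resolver on another ISP will be classified by that resolver's address, not their own; that is the case the transparent proxy and the ISP-side server bindings are meant to avoid.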
