Related Topics
About the DNS-Proxy
The Domain Name System (DNS) is a network system of servers that translates numeric IP addresses into readable, hierarchical Internet addresses, and vice versa. DNS enables your computer network to understand, for example, that you want to reach the server at 200.253.208.100 when you type a domain name into your browser, such as www.example.com. With the Firebox, you have two methods to control DNS traffic: the DNS packet filter and the DNS-proxy policy. The DNS-proxy is useful only if DNS requests are routed through your Firebox .
When you create a new configuration file, the file automatically includes an Outgoing packet filter policy that allows all TCP and UDP connections from your trusted and optional networks to external. This allows your users to connect to an external DNS server with the standard TCP 53 and UDP 53 ports. Because Outgoing is a packet filter, it is unable to protect against common UDP outgoing trojans, DNS exploits, and other problems that occur when you open all outgoing UDP traffic from your trusted networks. The DNS-proxy has features to protect your network from these threats. If you use external DNS servers for your network, the DNS-Outgoing ruleset offers additional ways to control the services available to your network community.
To add the DNS-proxy to your Firebox configuration, see Add a Proxy Policy to Your Configuration.
Which Proxy Action to Use
When you configure a Proxy policy, you must select a Proxy Action appropriate to the policy. For a policy which allows connections from your internal clients to the internet, use the Outgoing proxy action. For a policy which allows connections to your internal servers from the internet, use the Incoming proxy action.
In Fireware OS v11.9.3 and higher, the new default predefined proxy actions have "Standard" appended to the proxy action name. These settings are updated from previous defaults to reflect the latest Internet network traffic trends.
Configure DNS-Proxy
Settings Tab
On the Settings tab, you can set basic information about a proxy policy, such as whether it allows or denies traffic, create access rules for a policy, or configure policy-based routing, static NAT, or server load balancing. The Settings tab also shows the port and protocol for the policy, as well as an optional description of the policy. You can use the settings on this tab to set logging, notification, automatic blocking, and timeout preferences.
- Connections are — Specify whether connections are Allowed, Denied, or Denied (send reset) and define who appears in the From and To list (on the Policy tab of the proxy definition). See Set Access Rules for a Policy.
- Use policy-based routing — See Configure Policy-Based Routing.
- You can also configure static NAT or configure server load balancing. See Configure Static NAT and Configure Server Load Balancing.
- To define the logging settings for the policy, configure the settings in the Logging section.
For more information, see Set Logging and Notification Preferences. - If you set the Connections are drop-down list to Denied or Denied (send reset), you can block sites that try to use DNS.
For more information, see Block Sites Temporarily with Policy Settings. - To change the idle timeout that is set by the Firebox or authentication server, see Set a Custom Idle Timeout.
Application Control Tab
If Application Control is enabled on your Firebox, you can set the action this proxy uses for Application Control.
- Select the Application Control tab.
- From the Application Control Action drop-down list, select an application control action to use for this policy, or create a new action.
- (Optional) Edit the Application Control settings for the selected action.
- Click Save.
For more information, see Enable Application Control in a Policy.
Traffic Management Tab
On the Traffic Management tab, you can select the Traffic Management action for the policy. You can also create a new Traffic Management action. For more information about Traffic Management actions, see Define a Traffic Management Action in v11.8.x and Lower and Add a Traffic Management Action to a Policy.
To apply a Traffic Management action in a policy:
- Select the Traffic Management tab.
- From the Traffic Management Action drop-down list, select a Traffic Management action.
Or, to create a new Traffic Management action, select Create new and configure the settings as described in the topic Define a Traffic Management Action in v11.8.x and Lower. - Click Save.
Proxy Action Tab
You can choose a predefined proxy action or configure a user-defined proxy action for this proxy. For more information about how to configure proxy actions, see About Proxy Actions.
To configure the proxy action:
- Select the Proxy Action tab.
- From the Proxy Action drop-down list, select the proxy action to use for this policy.
For information about proxy actions, see About Proxy Actions. - Click Save.
For the DNS-proxy, you can configure these categories of settings for a proxy action:
- DNS-Proxy: General Settings
- DNS-Proxy: OPcodes
- DNS-Proxy: Query Types
- DNS-Proxy: Query Names
- DNS-Proxy: Proxy Alarm
Scheduling Tab
On the Scheduling tab, you can specify an operating schedule for the policy. You can select an existing schedule or create a new schedule.
- Select the Scheduling tab.
- From the Schedule Action drop-down list, select a schedule.
Or, to create a new schedule, select Create New and configure the settings as described in the topics Create Schedules for Firebox Actions and Set an Operating Schedule. - Click Save.
Advanced Tab
The Advanced tab includes settings for NAT, QoS, multi-WAN, and ICMP options.
To edit or add a comment to this proxy policy configuration, type the comment in the Comment text box.
For more information on the options for this tab, see:
Policy Tab
To set access rules and other options, select the Policy tab.
- DNS-proxy connections are — Specify whether connections are Allowed, Denied, or Denied (send reset) and define who appears in the From and To list (on the Policy tab of the proxy definition). See Set Access Rules for a Policy.
- Use policy-based routing — See Configure Policy-Based Routing.
- You can also configure static NAT or configure server load balancing. See Configure Static NAT and Configure Server Load Balancing.
- Proxy action — Select the proxy action to use for this policy. You can also edit the rulesets for proxy actions.
Properties Tab
On the Properties tab, you can configure these options:
- To edit or add a comment to this policy configuration, type the comment in the Comment text box.
- To define the logging settings for the policy, click Logging.
For more information, see Set Logging and Notification Preferences. - If you set the DNS-proxy connections are drop-down list (on the Policy tab) to Denied or Denied (send reset), you can block sites that try to use DNS.
For more information, see Block Sites Temporarily with Policy Settings. - To change the idle timeout that is set by the Firebox or authentication server, see Set a Custom Idle Timeout.
Advanced Tab
You can also configure these options in your proxy definition:
- Set an Operating Schedule
- Add a Traffic Management Action to a Policy
- Set ICMP Error Handling
- Apply NAT Rules (Both 1-to-1 NAT and dynamic NAT are enabled by default in all policies.)
- Set Connection Rate Limits
- Enable QoS Marking and Prioritization in a Policy
- Set the Sticky Connection Duration for a Policy
Configure the Proxy Action
You can choose a predefined proxy action or configure a user-defined proxy action for this proxy. For more information about how to configure proxy actions, see About Proxy Actions.
For the DNS-proxy, you can configure these categories of settings for a proxy action:
- DNS-Proxy: General Settings
- DNS-Proxy: OPcodes
- DNS-Proxy: Query Types
- DNS-Proxy: Query Names
- Proxy and AV Alarms (SNMP traps and notification are disabled by default)