Best practices for setting up DNS Forwarder

Before you deploy Security Connector as a DNS forwarder, review these best practices:
  • When setting up Security Connector, configure the corporate resolver as the DNS name server. For more information, see Configure DNS name servers. You can also configure the corporate resolver as the static MAC address in the VM.

    This also allows you to deploy DNS Forwarder in front of enterprise DNS resolvers and ensures that DNS resolvers forward requests to ETP DNS.

  • When you configure the data interface, make sure that you use a static IP address. The data interface is the IP address of DNS Forwarder that clients connect to as a DNS server.
  • If your corporate resolver is configured with a rate limit from a single source, configure it to allow all queries from DNS Forwarder.
  • Deploy at least two DNS Forwarders to ensure one is the primary and the other is the secondary forwarder. You can deploy additional forwarders to support a large number of users.
  • Configure enterprise computers or clients to forward requests to DNS Forwarder. This is the IP address of the data interface. Make sure that you provide the IP addresses of the primary and secondary DNS forwarders, as well as the IP address of the corporate resolver.
  • Make sure that enterprise or corporate resolvers continue to forward requests to ETP DNS. This configuration is completed as part of ETP setup and continues to apply for the DNS forwarder.
  • If you need to upgrade Security Connector, make sure that you upgrade the secondary forwarder first. This allows you to confirm that the upgraded forwarder works as expected. You should also upgrade one connector at a time. This ensures that a DNS forwarder is available to handle requests while the upgrade is completed.
  • Configure the Dynamic Host Configuration Protocol (DHCP) server in your enterprise to return a reachable DNS resolver in case one is not available. For example, if the primary forwarder is not reachable, the DHCP server should return the secondary forwarder as a resolver.
  • Make sure the DHCP server returns addresses in IPv4 format. DNS Forwarder does not support IPv6.
  • Configure your firewall to allow outbound TCP port 443 for hostname * and * with dot as the Application-Layer Protector Navigation (ALPN). This configuration is required for DNS over TLS connections.
  • Make sure that you don’t configure a loop with your resolvers where the primary DNS Forwarder directs requests to the secondary DNS forwarder and vice versa. Similarly, do not configure the corporate resolver to direct requests to the DNS forwarders. This incorrect configuration is currently not detected by Security Connector.