Best practices for setting up DNS Forwarder

Before you deploy Security Connector as a DNS forwarder, review these best practices:
  • When setting up Security Connector, configure the corporate resolver as the DNS name server. For more information, see Configure DNS name servers. You can also configure a static MAC address for the VM.

    This lets you deploy DNS Forwarder in front of your enterprise DNS resolvers, while those resolvers continue to forward requests to ETP DNS.

  • When you configure the data interface, use a static IP address. The data interface address is the address that clients use to reach DNS Forwarder as their DNS server, so it must not change.
  • If your corporate resolver rate-limits queries from a single source, exempt the DNS Forwarder data interface addresses from that limit. Every query that DNS Forwarder sends to the corporate resolver arrives from the forwarder's address, so a per-source limit would throttle all of the clients behind it.
  • Deploy at least two DNS Forwarders so that one acts as the primary and the other as the secondary forwarder. Deploy additional forwarders to support a large number of users.
  • Configure enterprise computers or clients to send DNS requests to DNS Forwarder, that is, to the IP address of its data interface. Provide the IP addresses of both the primary and the secondary DNS forwarder, followed by the IP address of the corporate resolver.
  • Make sure that enterprise or corporate resolvers continue to forward requests to ETP DNS. This is configured as part of ETP setup and continues to apply once DNS Forwarder is deployed.
  • If you want a local authoritative DNS server to answer local requests when DNS Forwarder cannot reach ETP, configure a local DNS server in your DNS Forwarder configuration. The corporate DNS resolver that you configured as the Security Connector DNS server then acts as a fallback recursive resolver and handles Internet requests while ETP DNS is unreachable. Once a local DNS server is configured for DNS Forwarder, you can configure the Security Connector DNS server to use the ETP DNS server IP addresses instead.
  • When you upgrade Security Connector, upgrade the secondary forwarder first so that you can confirm the upgraded forwarder works as expected before you touch the primary. Upgrade one connector at a time, so that a DNS forwarder remains available to handle requests while the upgrade completes.
  • Configure the Dynamic Host Configuration Protocol (DHCP) server in your enterprise to return a reachable DNS resolver when one forwarder is unavailable. For example, if the primary forwarder is not reachable, the DHCP server should return the secondary forwarder as the resolver.
  • Make sure the DHCP server returns DNS server addresses in IPv4 format. DNS Forwarder does not support IPv6.
  • Depending on the port that's configured for DoT, configure your firewall to allow outbound TCP port 443 or 853 to hostname * with dot as the Application-Layer Protocol Negotiation (ALPN) value. This is required for DNS-over-TLS connections.
    Note: By default, DNS Forwarder uses TCP port 443. You can change the DoT port in Security Connector to TCP port 853. If you change the DoT port, make sure that you also allow port 853 in your firewall.
  • Do not configure a loop between your resolvers, where the primary DNS Forwarder directs requests to the secondary DNS Forwarder and vice versa. Likewise, do not configure the corporate resolver to direct requests to the DNS forwarders. If a loop is detected, it is reported in the DNS Forwarder health status check that you can run in Security Connector, together with the IP address of the server where the loop occurs. The overall health of DNS Forwarder is also shown on the main Security Connector screens.
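The loop, IPv4-only and DHCP-ordering rules above are easy to get wrong across several resolver configurations. The following script is an added example, not Security Connector's own code or the health check it runs: it models a deployment as a "who forwards to whom" map and checks those rules offline, reporting the address at which a forwarding loop closes. All addresses, the role labels and the ETP DNS placeholder (198.51.100.1) are constructed for the example; substitute your own forwarders, corporate resolver and the ETP DNS addresses from your ETP configuration.

```python
"""Constructed example: validate a DNS Forwarder topology before deployment.

This is an added illustration, not Security Connector's own code. All
addresses and role names below are invented for the example.
"""
import ipaddress

# Roles in the forwarding chain. ETP DNS is the terminal hop and forwards nowhere.
ROLE_FORWARDER = "forwarder"
ROLE_CORPORATE = "corporate"
ROLE_ETP = "etp"

# Constructed role map: primary/secondary DNS Forwarder data interfaces,
# one corporate resolver, and a placeholder standing in for an ETP DNS address.
ROLES = {
    "10.0.0.10": ROLE_FORWARDER,   # primary DNS Forwarder (data interface)
    "10.0.0.11": ROLE_FORWARDER,   # secondary DNS Forwarder (data interface)
    "10.0.0.53": ROLE_CORPORATE,   # corporate resolver
    "198.51.100.1": ROLE_ETP,      # placeholder ETP DNS address (assumption)
}

# Correct shape: forwarders and the corporate resolver all forward to ETP DNS.
GOOD_TOPOLOGY = {
    "10.0.0.10": ["198.51.100.1"],
    "10.0.0.11": ["198.51.100.1"],
    "10.0.0.53": ["198.51.100.1"],
    "198.51.100.1": [],
}

# Misconfigured shape: forwarders point at each other, corporate resolver points back.
LOOPED_TOPOLOGY = {
    "10.0.0.10": ["10.0.0.11"],
    "10.0.0.11": ["10.0.0.10"],
    "10.0.0.53": ["10.0.0.10"],
    "198.51.100.1": [],
}


def find_loop(topology, start):
    """Follow upstream edges from `start`; return the address where a loop closes, or None."""
    def walk(node, path):
        if node in path:            # revisiting a node on the current path closes a loop
            return node
        for upstream in topology.get(node, []):
            hit = walk(upstream, path + [node])
            if hit is not None:
                return hit
        return None
    return walk(start, [])


def check_topology(topology, roles):
    """Return a list of findings; an empty list means the topology passes every check."""
    findings = []
    for addr, upstreams in topology.items():
        role = roles.get(addr)
        # DNS Forwarder does not support IPv6: every hop must be an IPv4 address.
        for a in [addr] + upstreams:
            if ipaddress.ip_address(a).version != 4:
                findings.append(f"{a}: not an IPv4 address")
        # Corporate resolver must not send requests back to the forwarders.
        if role == ROLE_CORPORATE:
            for up in upstreams:
                if roles.get(up) == ROLE_FORWARDER:
                    findings.append(f"{addr}: corporate resolver forwards to DNS Forwarder {up}")
        # Forwarders must not forward to each other (primary <-> secondary).
        if role == ROLE_FORWARDER:
            for up in upstreams:
                if roles.get(up) == ROLE_FORWARDER:
                    findings.append(f"{addr}: forwarder forwards to another forwarder {up}")
        loop_at = find_loop(topology, addr)
        if loop_at is not None:
            findings.append(f"{addr}: forwarding loop detected at {loop_at}")
    return findings


def check_dhcp_offer(dns_servers, roles):
    """Check the DNS server list a DHCP server hands out: IPv4 only, two forwarders, corporate fallback."""
    problems = []
    for s in dns_servers:
        try:
            if ipaddress.ip_address(s).version != 4:
                problems.append(f"{s}: not an IPv4 address")
        except ValueError:
            problems.append(f"{s}: not an IP address")
    forwarders = [s for s in dns_servers if roles.get(s) == ROLE_FORWARDER]
    if len(forwarders) < 2:
        problems.append("fewer than two DNS Forwarders listed")
    if not any(roles.get(s) == ROLE_CORPORATE for s in dns_servers):
        problems.append("corporate resolver missing as fallback")
    return problems


if __name__ == "__main__":
    for name, topo in (("good", GOOD_TOPOLOGY), ("looped", LOOPED_TOPOLOGY)):
        print(name, check_topology(topo, ROLES) or "ok")
    print("dhcp", check_dhcp_offer(["10.0.0.10", "10.0.0.11", "10.0.0.53"], ROLES) or "ok")
```

The loop walk mirrors what the health status check reports: the first address revisited along the forwarding path is the one at which the loop closes. Run the checks against the address lists you intend to put into DNS Forwarder, the corporate resolver and the DHCP scope before you change anything in production.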