Security Connector as a DNS forwarder

Security Connector can act as an internal DNS resolver that forwards traffic to ETP DNS for resolution. The DNS forwarder identifies the machine that's making the request and forwards the request to ETP, where ETP policy is applied. The DNS forwarder detects this information about the client machine:
  • Internal client IP address
  • Internal hostname

The DNS forwarder is available with Security Connector 2.6.8 or later. This feature is currently in beta. To participate in the beta, contact your Akamai representative.

Note: Connections from DNS Forwarder to ETP are protected with DNS over TLS (DoT).

If there are domains that you want to resolve at their usual destination instead of ETP, DNS Forwarder allows you to split this traffic and direct it to the corporate resolver for resolution. For example, if your organization uses internal domains for company websites, you can configure these domains or IP address ranges in the ETP network configuration. For more information, see Configure internal IP addresses and DNS suffixes.

This graphic shows how DNS Forwarder behaves in the corporate network:

In this graphic:

  1. An administrator deploys a DNS forwarder near each corporate resolver. The administrator also configures corporate machines to forward requests to DNS Forwarder.

    For high availability, make sure you deploy at least two DNS forwarders, where one forwarder acts as the primary and the other is a secondary DNS forwarder. This ensures that a DNS forwarder is available in case of a failure or you upgrade the Security Connector software.

  2. Requests to internal domains are directed to the corporate resolver for resolution. The internal domains are identified based on the domain suffix or IP address ranges configured in the ETP Network Configuration.
  3. DNS Forwarder directs requests to ETP DNS.
  4. The internal client IP address and the internal hostname information are reported in ETP. This data is reported in threat and AUP events, as well as in the DNS Activity report.

Note the following:
  • If DNS Forwarder cannot connect to ETP, it falls back to the corporate resolver whenever possible. If the forwarder cannot fall back to the resolver, the request times out.
  • If there is a situation where DNS Forwarder is down or not reachable by clients, then the request times out.

To make sure that DNS resolution does not fail if a timeout issue occurs with a DNS forwarder, configure more than one DNS server on your client machines. If your organization uses a DHCP server, you can list the primary and secondary DNS forwarder, as well as the corporate resolver as DNS servers.
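The forwarding decisions described in steps 1 to 4 and in the notes above (internal suffix or internal IP range goes to the corporate resolver, everything else goes to ETP over DoT, fallback to the corporate resolver when ETP is unreachable, timeout when there is nothing to fall back to, and the client's own failover across forwarders) can be modelled as a small decision routine. The following is an added illustration, not code from Security Connector or Akamai: the server addresses, suffixes and ranges are constructed sample values, and the interpretation of "IP address ranges" as applying to reverse (PTR) lookups is an assumption of this example. The forwarder's real wire behaviour (DoT transport, how the client hostname is learned) is not shown.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ForwarderConfig:
    """Constructed sample of what a DNS forwarder needs to know (not the product's real config format)."""
    internal_suffixes: List[str]                     # domain suffixes resolved by the corporate resolver
    internal_ranges: List[ipaddress.IPv4Network]     # assumed to apply to reverse (PTR) lookups
    corporate_resolver: Optional[str]                # None models "no resolver to fall back to"
    etp_dns: str                                     # placeholder for the ETP DNS (DoT) endpoint


def is_internal_name(qname: str, suffixes: List[str]) -> bool:
    """True if qname equals or is a subdomain of any configured internal suffix."""
    name = qname.rstrip(".").lower()
    for suffix in suffixes:
        s = suffix.strip(".").lower()
        if name == s or name.endswith("." + s):
            return True
    return False


def ptr_to_ip(qname: str) -> Optional[ipaddress._BaseAddress]:
    """Turn an in-addr.arpa / ip6.arpa PTR name back into an address, or None if it is not a PTR name."""
    name = qname.rstrip(".").lower()
    if name.endswith(".in-addr.arpa"):
        labels = name[: -len(".in-addr.arpa")].split(".")
        if len(labels) != 4:
            return None
        try:
            return ipaddress.ip_address(".".join(reversed(labels)))
        except ValueError:
            return None
    if name.endswith(".ip6.arpa"):
        nibbles = name[: -len(".ip6.arpa")].split(".")
        if len(nibbles) != 32 or not all(len(n) == 1 for n in nibbles):
            return None
        hexstr = "".join(reversed(nibbles))
        try:
            return ipaddress.ip_address(":".join(hexstr[i:i + 4] for i in range(0, 32, 4)))
        except ValueError:
            return None
    return None


def choose_upstream(cfg: ForwarderConfig, qname: str, etp_reachable: bool) -> Tuple[str, Optional[str]]:
    """Decide where a query goes: ('corporate'|'etp'|'corporate-fallback'|'timeout', server)."""
    # Step 2: internal suffixes are split off to the corporate resolver.
    if is_internal_name(qname, cfg.internal_suffixes):
        return ("corporate", cfg.corporate_resolver)
    # Assumption: a PTR query for an address inside an internal range is also internal.
    ip = ptr_to_ip(qname)
    if ip is not None and any(ip in net for net in cfg.internal_ranges):
        return ("corporate", cfg.corporate_resolver)
    # Step 3: everything else is sent to ETP DNS, where policy is applied.
    if etp_reachable:
        return ("etp", cfg.etp_dns)
    # Note 1: ETP unreachable -> corporate resolver if possible, otherwise the request times out.
    if cfg.corporate_resolver:
        return ("corporate-fallback", cfg.corporate_resolver)
    return ("timeout", None)


def build_forwarded_query(qname: str, client_ip: str, client_hostname: str) -> dict:
    """Step 4: the metadata the forwarder attaches so ETP can report the internal client (shape is assumed)."""
    return {"qname": qname.rstrip(".").lower() + ".", "client_ip": client_ip, "client_hostname": client_hostname}


def pick_client_server(servers: List[str], unreachable: List[str]) -> Optional[str]:
    """Client-side failover: first configured DNS server that is reachable, or None (Note 2: query times out)."""
    for server in servers:
        if server not in unreachable:
            return server
    return None
```

A client configured via DHCP with the primary forwarder, the secondary forwarder and the corporate resolver, in that order, keeps resolving through `pick_client_server` as long as one of them is up; a client given only a single forwarder address times out the moment that forwarder is down or being upgraded.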