Security Connector as a DNS forwarder

Security Connector can act as an internal DNS forwarder that relays DNS requests to ETP DNS for resolution. Because the forwarder sits inside the corporate network, it sees which machine made each request before forwarding it to ETP, where ETP policy is applied. The DNS forwarder records this information about the client machine:
  • Internal client IP address
  • Internal hostname

The DNS forwarder is available with Security Connector 2.6.8 or later.

Note: Connections from DNS Forwarder to ETP are protected with DNS over TLS (DoT).

If there are internal domains that should be resolved inside the corporate network rather than by ETP, DNS Forwarder can split this traffic and direct it to the corporate resolver for resolution. To identify this internal traffic, you configure internal domains or IP address ranges in the ETP network configuration. For more information, see Configure internal IP addresses and DNS suffixes.

This graphic shows how DNS Forwarder behaves in the corporate network:

In this graphic:

  1. An administrator deploys a DNS forwarder near each corporate resolver. The administrator also configures corporate machines to forward requests to DNS Forwarder.

    For high availability, deploy at least two DNS forwarders, where one forwarder acts as the primary and the other as a secondary DNS forwarder. This ensures that a DNS forwarder remains available if one fails or while you upgrade Security Connector software.

  2. Requests to internal domains are directed to the corporate resolver for resolution. The internal domains are identified based on the domain suffix or IP address ranges configured in the ETP Network Configuration.
  3. DNS Forwarder directs all other requests to ETP DNS.
  4. The internal client IP address and the internal hostname information are reported in ETP. This data is reported in events, as well as in the DNS Activity report.
Note the following:
  • If your enterprise uses ETP Client, it can coexist with DNS Forwarder.
  • DNS Forwarder can handle up to 2,000 queries per second (QPS) from each client that connects to it. If a response is larger than 512 bytes, replies to that client are limited to 25,000 bytes per minute.
In case of a failure or a connectivity issue, the following flow applies:
  1. If DNS Forwarder cannot establish a DoT connection to ETP, it falls back to plain DNS over the user datagram protocol (UDP) to reach ETP. Unlike DoT, this fallback path is not encrypted in transit.
  2. If UDP cannot reach ETP either, traffic is forwarded to the corporate resolver you configured in the Security Connector DNS Server settings.
  3. If you want a specific authoritative DNS server to handle local DNS traffic, you can configure that server as a local DNS server for DNS Forwarder. This server is used for local DNS traffic only. The DNS server you set during Security Connector setup then becomes the fallback recursive resolver that handles Internet requests when ETP is not reachable. When a local DNS server is configured for DNS Forwarder, you can point the Security Connector DNS server at the ETP DNS server IP addresses, or configure a preferred resolver to resolve Internet traffic during a connectivity issue. To configure a local DNS server for DNS Forwarder, see Configure local DNS servers.
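The split between internal and Internet queries (steps 2 and 3 of the graphic above) and the fallback order in the failure flow can be modelled in a few lines. The following is an added example, not Akamai's code: it decides which upstream a query goes to, including PTR queries matched against internal IP ranges, and walks the DoT, UDP, corporate-resolver fallback chain. The internal suffixes, ranges and upstream labels are constructed placeholders standing in for the ETP network configuration, not ETP identifiers.

```python
"""
Added example (not Akamai's code): a model of the DNS Forwarder routing and
fallback order described on this page. Suffixes, ranges and upstream labels
are constructed placeholders, not values from any ETP deployment.
"""
import ipaddress

# Constructed placeholder configuration; in practice these values come from the
# ETP network configuration (internal IP addresses and DNS suffixes).
INTERNAL_SUFFIXES = ["corp.example", "intranet.example"]
INTERNAL_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("fd00::/8"),
]

# Hypothetical labels for the upstreams in this model.
ETP_DOT = "etp-dot"              # ETP DNS over TLS, the normal path
ETP_UDP = "etp-udp"              # ETP over plain UDP, first fallback (unencrypted)
CONNECTOR_DNS = "connector-dns"  # DNS server from Security Connector setup (corporate resolver)
LOCAL_DNS = "local-dns"          # optional local DNS server configured for DNS Forwarder


def ptr_to_ip(qname):
    """Map a reverse-lookup name (in-addr.arpa / ip6.arpa) to an IP address, else None."""
    name = qname.rstrip(".").lower()
    if name.endswith(".in-addr.arpa"):
        octets = name[: -len(".in-addr.arpa")].split(".")
        if len(octets) != 4 or not all(o.isdigit() for o in octets):
            return None
        try:
            return ipaddress.IPv4Address(".".join(reversed(octets)))
        except ValueError:
            return None
    if name.endswith(".ip6.arpa"):
        nibbles = name[: -len(".ip6.arpa")].split(".")
        if len(nibbles) != 32 or not all(len(n) == 1 and n in "0123456789abcdef" for n in nibbles):
            return None
        return ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16))
    return None


def is_internal(qname):
    """True if the query matches an internal suffix or, for PTR queries, an internal range."""
    name = qname.rstrip(".").lower()
    for suffix in INTERNAL_SUFFIXES:
        s = suffix.lower()
        if name == s or name.endswith("." + s):
            return True
    ip = ptr_to_ip(name)
    if ip is not None:
        return any(ip in net for net in INTERNAL_RANGES if net.version == ip.version)
    return False


def upstream_order(qname, local_dns_configured=False):
    """Ordered list of upstreams the forwarder tries for this query."""
    if is_internal(qname):
        # Internal traffic never goes to ETP: it goes to the local DNS server if
        # one is configured for DNS Forwarder, otherwise to the corporate resolver.
        return [LOCAL_DNS if local_dns_configured else CONNECTOR_DNS]
    # Internet traffic: DoT to ETP, then plain UDP to ETP, then the corporate resolver.
    return [ETP_DOT, ETP_UDP, CONNECTOR_DNS]


def choose_upstream(qname, reachable, local_dns_configured=False):
    """First reachable upstream in order, or None when the client's request times out."""
    for upstream in upstream_order(qname, local_dns_configured):
        if upstream in reachable:
            return upstream
    return None


if __name__ == "__main__":
    # Constructed scenarios: which upstreams are currently reachable from the forwarder.
    scenarios = {
        "all up": {ETP_DOT, ETP_UDP, CONNECTOR_DNS},
        "DoT blocked": {ETP_UDP, CONNECTOR_DNS},
        "ETP unreachable": {CONNECTOR_DNS},
        "no upstream": set(),
    }
    queries = ["www.example.com", "fileserver.corp.example", "5.1.168.192.in-addr.arpa"]
    for label, reachable in scenarios.items():
        for q in queries:
            print(f"{label:16} {q:28} -> {choose_upstream(q, reachable) or 'timeout'}")
```

Running the script prints one line per scenario and query. Note that in the "ETP unreachable" scenario Internet queries are answered by the corporate resolver without ETP policy, and that the "DoT blocked" scenario sends them to ETP in cleartext; both are worth alerting on in production rather than silently accepting.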

If DNS Forwarder cannot connect to ETP, it falls back to the corporate resolver whenever possible. If it cannot fall back to the resolver either, the request times out. Likewise, if DNS Forwarder itself is down or not reachable by clients, the request times out.

To make sure that DNS resolution does not fail when a DNS forwarder times out, configure more than one DNS server on your client machines. If your organization uses a DHCP server, list the primary and secondary DNS forwarders first, followed by the corporate resolver, as DNS servers. Keep the corporate resolver last: queries a client sends to it directly are not forwarded to ETP, so ETP policy is not applied to them.