Chapter 12: DNS

Overview

A DNS server resolves a Fully Qualified Domain Name (FQDN) into the corresponding numeric IP address. An FQDN is an unambiguous textual domain name that specifies a node's unique position in the Internet's DNS tree hierarchy. Resolving FQDNs allows the underlying IP address to change while the FQDN stays the same.

A Uniform Resource Locator (URL) differs from an FQDN in that the URL includes the access protocol along with the FQDN. For example, the protocol might be specified as http:// for web pages. DNS servers can exist both on the public Internet for the resolution of public IP addresses and as private servers for the resolution of private IP addresses.

FQDNs are used in many aspects of a configuration where IP addresses are unknown or where it makes more sense to make use of DNS resolution instead of using static IP addresses. cOS Stream supports the use of FQDNs in defining an address book object and this is described further in Section 5.6, FQDN Address Objects.

Defining External DNS Servers

cOS Stream has a predefined object called DNS. To enable DNS resolution, at least one DNSServer object must be added as a child of this DNS parent object. Up to a maximum of 8 DNS servers can be defined in this way. An example of the CLI commands to do this can be found in Example 12.1, “Configuring DNS Servers”.

Multiple DNS Servers are Recommended

For DNS lookup to function in cOS Stream, at least one DNS server must be defined. However, it is recommended that at least two different DNS servers are defined so that there is a backup should one server be unavailable. Note that it is also possible to define a different routing table for each server (the default routing table is main). This is useful in virtual routing scenarios but also where an alternate route to the Internet is available for redundancy purposes.
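
The constraints in this section (one server required, two recommended, at most eight) are easy to get wrong when DNS server lists are generated from inventory data. The Python helper below is an added illustration, not part of cOS Stream: it turns a list of (address, routing table) pairs into the CLI lines used in Example 12.1, rejects lists that break the limit of 8 servers or repeat a server, and warns when there is no backup server. The pattern accepted for an address book object name and the warning wording are assumptions of this example only.

```python
import ipaddress
import re

MAX_DNS_SERVERS = 8          # maximum number of DNSServer objects (from this chapter)
RECOMMENDED_MIN_SERVERS = 2  # recommended minimum for redundancy (from this chapter)

# Assumed pattern for an address book object name such as dns_ip1; the real
# naming rules of cOS Stream are not described on this page.
_OBJECT_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_-]*$")


def _normalize_address(value):
    """Return an IP literal or an address book object name, rejecting anything else."""
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        if _OBJECT_NAME.match(value):
            return value
        raise ValueError(f"not an IP address or object name: {value!r}")


def build_dns_server_commands(servers):
    """Build the CLI lines that add DNS servers under the predefined DNS object.

    servers: list of (address, routing_table) pairs; routing_table may be None
    or "main" for the default table. Raises ValueError if the list breaks the
    limits described in the chapter.
    """
    if not servers:
        raise ValueError("at least one DNS server must be defined")
    if len(servers) > MAX_DNS_SERVERS:
        raise ValueError(f"at most {MAX_DNS_SERVERS} DNS servers can be defined")

    lines = ["cc DNS"]
    seen = set()
    for address, routing_table in servers:
        address = _normalize_address(address)
        if address in seen:
            raise ValueError(f"DNS server {address} listed twice")
        seen.add(address)
        command = f"add DNSServer IPAddress={address}"
        if routing_table and routing_table != "main":
            command += f" RoutingTable={routing_table}"
        lines.append(command)
    lines.append("cc")  # return to the root context, as in the example
    return lines


def redundancy_warnings(servers):
    """Advisory messages (wording chosen for this example) when there is no backup server."""
    warnings = []
    if len(servers) < RECOMMENDED_MIN_SERVERS:
        warnings.append("only one DNS server defined; add a second one as a backup")
    return warnings


if __name__ == "__main__":
    example = [("203.0.113.5", None), ("192.0.2.5", "alt-rt")]
    for warning in redundancy_warnings(example):
        print("warning:", warning)
    print("\n".join(build_dns_server_commands(example)))
```

Running the block prints exactly the three commands of Example 12.1 followed by cc; feeding it a nine-server list or the same address twice raises before any CLI text is produced.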

The DNS ALG

A DNS ALG can be configured in cOS Stream to check the integrity of DNS traffic and impose restrictions on such traffic as well as provide custom DNS translations. This is described in Section 10.4, DNS ALG.

Features Requiring DNS Resolution

Having at least one DNS server configured is vital for the functioning of the following modules:

DNS Lookup and IP Rules

In the case of a DNS request generated by cOS Stream itself, no IP rules need to be defined for the connection to succeed, because flows initiated by cOS Stream are considered trusted. For example, this is the case when cOS Stream contacts a CA server to establish the validity of a certificate and must first resolve that server's FQDN to an IP address.

The DNS Cache

cOS Stream uses an internal DNS cache to ensure that the same FQDN does not need to be resolved every time it is referenced. The current cache contents can be examined using the following command:
System:/> dns -list

DNS Cache Updating

When a DNS server returns the IP addresses for an FQDN, it also returns a Time-To-Live (TTL) value. This value is stored with the cache entry.

The TTL value returned could be very low or even zero, which would force the FQDN to be resolved again almost every time it is referenced. For this reason, cOS Stream provides a global property called MinTTL in the system's predefined DNS object that has a default value of 1 second. If the TTL returned from a DNS server is less than MinTTL, the cached TTL is set to MinTTL.

A second global property in the system's predefined DNS object, MaxTTL, caps the cached TTL: any TTL returned by a DNS server that is greater than MaxTTL is set to MaxTTL. This also bounds how long a stale or incorrect answer can remain in the cache.

The object property FQDNValidAfterTTLDefault is only used when caching FQDN address objects and explained further in Section 5.6, FQDN Address Objects.
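
The TTL rules above can be modelled in a few lines. The following Python is added here as an illustration and is not cOS Stream code: it clamps a server-returned TTL into the range [MinTTL, MaxTTL], keeps a cache keyed by name, and lets an FQDN address object keep using an entry for FQDNValidAfterTTLDefault seconds after the TTL has expired, which is the behaviour Example 12.2 describes. The defaults assume MinTTL 1 (as stated above), MaxTTL 86400 and FQDNValidAfterTTLDefault 86400 (as shown by show DNS in Example 12.1); the class and method names are this example's own.

```python
DEFAULT_MIN_TTL = 1                   # MinTTL default stated in this chapter
DEFAULT_MAX_TTL = 86400               # MaxTTL as shown by `show DNS` in Example 12.1
DEFAULT_FQDN_VALID_AFTER_TTL = 86400  # FQDNValidAfterTTLDefault as shown there


def clamp_ttl(server_ttl, min_ttl=DEFAULT_MIN_TTL, max_ttl=DEFAULT_MAX_TTL):
    """Apply the MinTTL/MaxTTL rules.

    A TTL below MinTTL becomes MinTTL (this is what stops a TTL of 0 from
    forcing a lookup on every reference); a TTL above MaxTTL becomes MaxTTL.
    """
    if min_ttl < 0 or max_ttl < min_ttl:
        raise ValueError("need 0 <= MinTTL <= MaxTTL")
    return max(min_ttl, min(server_ttl, max_ttl))


class DnsCache:
    """Minimal model of the cache described in this chapter (not the real implementation)."""

    def __init__(self, min_ttl=DEFAULT_MIN_TTL, max_ttl=DEFAULT_MAX_TTL,
                 fqdn_valid_after_ttl=DEFAULT_FQDN_VALID_AFTER_TTL):
        self.min_ttl = min_ttl
        self.max_ttl = max_ttl
        self.fqdn_valid_after_ttl = fqdn_valid_after_ttl
        self._entries = {}  # name -> (addresses, time at which the TTL expires)

    @staticmethod
    def _key(name):
        return name.lower().rstrip(".")  # DNS names are case-insensitive

    def insert(self, name, addresses, server_ttl, now):
        """Store a server answer received at time `now`; returns the TTL actually used."""
        ttl = clamp_ttl(server_ttl, self.min_ttl, self.max_ttl)
        self._entries[self._key(name)] = (tuple(addresses), now + ttl)
        return ttl

    def lookup(self, name, now):
        """Cached addresses while the TTL is unexpired, else None (resolve again)."""
        entry = self._entries.get(self._key(name))
        if entry is None or now >= entry[1]:
            return None
        return list(entry[0])

    def fqdn_object_addresses(self, name, now):
        """Addresses an FQDN address object may still use: valid for
        FQDNValidAfterTTLDefault seconds beyond the point where the TTL expires."""
        entry = self._entries.get(self._key(name))
        if entry is None or now >= entry[1] + self.fqdn_valid_after_ttl:
            return None
        return list(entry[0])


if __name__ == "__main__":
    # Values from Example 12.2: MinTTL=10, FQDNValidAfterTTLDefault=1000.
    cache = DnsCache(min_ttl=10, fqdn_valid_after_ttl=1000)
    used = cache.insert("www.example.com", ["203.0.113.10"], server_ttl=0, now=0)
    print("TTL 0 from the server is stored as", used)
    print("plain lookup at t=10:", cache.lookup("www.example.com", 10))
    print("FQDN object at t=1009:", cache.fqdn_object_addresses("www.example.com", 1009))
    print("FQDN object at t=1010:", cache.fqdn_object_addresses("www.example.com", 1010))
```

With the Example 12.2 settings, a server answer carrying TTL 0 is cached for 10 seconds, an ordinary lookup misses once those 10 seconds are up, and an FQDN address object continues to use the addresses until 1010 seconds after the answer arrived.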

Example 12.1. Configuring DNS Servers

In this example, two DNS servers are configured for DNS lookup by the firewall. The first DNS server has the IPv4 address 203.0.113.5 and will use the default main routing table for the route lookup of this address. The second server has the IPv4 address 192.0.2.5 and will use a user-defined routing table called alt-rt for the route lookup of the address.

Command-Line Interface

System:/> cc DNS
System:/DNS> add DNSServer IPAddress=203.0.113.5
System:/DNS> add DNSServer IPAddress=192.0.2.5 RoutingTable=alt-rt

To show the configured DNS servers, the show command should be used within the DNS CLI context:

System:/DNS> show

DNSServer

  # IP address  Routing table
  - ----------- -------------
+ 1 203.0.113.5 main
+ 2 192.0.2.5   alt-rt

System:/DNS> cc
System:/> 

The predefined DNS object has a number of properties which apply to all the child DNSServer objects added to it. These can be displayed with the show DNS command:

System:/> show DNS

                 Property  Value
-------------------------  -------
        CacheNegativeTTL:  30
               QueueSize:  1024
              RepeatTime:  5
             RepeatCount:  3
                  MinTTL:  3600
                  MaxTTL:  86400
FQDNValidAfterTTLDefault:  86400
                Comments:  <empty>

If the IPv4 address 203.0.113.5 is defined in the address book with the name dns_ip1, the CLI to add the server becomes the following:

System:/> cc DNS
System:/DNS> add DNSServer IPAddress=dns_ip1

If three alternate DNS servers are added using the address book objects dns_ip1, dns_ip2 and dns_ip3, the CLI becomes the following:

System:/> cc DNS
System:/DNS> add DNSServer IPAddress=dns_ip1
System:/DNS> add DNSServer IPAddress=dns_ip2
System:/DNS> add DNSServer IPAddress=dns_ip3
System:/DNS> cc
System:/> 

Assuming that at least one public DNS server has been configured and the configuration changes have been committed, DNS lookup can then be tested using the dns command with a suitable FQDN:

System:/> dns www.google.com

ip4 info:
  209.85.149.99
  209.85.149.103
  209.85.149.104
  209.85.149.105
  209.85.149.106
  198.41.0.4
TTL: 60

The DNS cache can then be listed to see the addresses that have been added to it:

System:/> dns -list

Name                     Address                       Type TTL
----------------------------------------------------------------
www.google.com           209.85.149.99                 A    49
www.google.com           209.85.149.103                A    49
www.google.com           209.85.149.104                A    49
www.google.com           209.85.149.105                A    49
www.google.com           209.85.149.106                A    49
www.google.com           198.41.0.4                    A    49
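
Because FQDN address objects can end up in IP rules, it is worth being able to check a cache listing like the one above against the addresses a name is expected to resolve to. The following Python is an added example and not part of cOS Stream: it parses the text format printed by dns -list and reports cached addresses that fall outside an allowlist of networks. The listing is the one shown above, embedded as constructed sample input; the allowlist (209.85.0.0/16 for www.google.com) is an arbitrary assumption made for the example, so an address outside it is only a mismatch to investigate, not evidence of anything.

```python
import ipaddress

# Constructed sample: the `dns -list` output shown earlier in this chapter.
SAMPLE_DNS_LIST = """\
Name                     Address                       Type TTL
----------------------------------------------------------------
www.google.com           209.85.149.99                 A    49
www.google.com           209.85.149.103                A    49
www.google.com           209.85.149.104                A    49
www.google.com           209.85.149.105                A    49
www.google.com           209.85.149.106                A    49
www.google.com           198.41.0.4                    A    49
"""


def parse_dns_list(text):
    """Parse the columns printed by `dns -list` into a list of dicts.

    Header, separator and blank lines are skipped. Any other line that does
    not have exactly four whitespace-separated fields raises, so a changed
    output format is noticed instead of being silently dropped.
    """
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("-") or line.startswith("Name "):
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"unexpected cache line: {line!r}")
        name, address, rtype, ttl = fields
        records.append({
            "name": name.lower().rstrip("."),        # DNS names are case-insensitive
            "address": ipaddress.ip_address(address),  # rejects garbage in the column
            "type": rtype,
            "ttl": int(ttl),
        })
    return records


def unexpected_addresses(records, allowlist):
    """Return (name, address) pairs whose cached address lies outside every
    network listed for that name. Names with no allowlist entry are not checked."""
    networks = {name.lower().rstrip("."): [ipaddress.ip_network(n) for n in nets]
                for name, nets in allowlist.items()}
    flagged = []
    for rec in records:
        allowed = networks.get(rec["name"])
        if allowed is None:
            continue
        if not any(rec["address"] in net for net in allowed):
            flagged.append((rec["name"], str(rec["address"])))
    return flagged


if __name__ == "__main__":
    # Assumed allowlist for this example; not taken from cOS Stream or from Google.
    expected = {"www.google.com": ["209.85.0.0/16"]}
    for name, address in unexpected_addresses(parse_dns_list(SAMPLE_DNS_LIST), expected):
        print(f"{name}: cached address {address} is outside the allowlist")
```

With the assumed allowlist, the block reports the single cached entry 198.41.0.4 for www.google.com; in practice the allowlist would be built from the ranges an organisation actually expects, and the same parser can be run on a listing captured after each commit to spot a change in what an FQDN address object resolves to.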

Example 12.2. Setting the DNS Cache Minimum TTL and Minimum Lifetime

This example sets the global MinTTL value to 10 seconds and the FQDNValidAfterTTLDefault to 1000 seconds. This means that the TTL of a cache entry will never be less than 10 seconds and that, for FQDN address objects, the resolved addresses remain usable for at least the TTL plus 1000 seconds.

Command-Line Interface

System:/> set DNS MinTTL=10 FQDNValidAfterTTLDefault=1000