DNS forwarding through NG F300, and NG F100

DNS

6 replies to this topic

#1 Grant Christiansen

Grant Christiansen
  • Members
  • 38 posts

Posted 03 July 2012 - 01:02 PM

I would like to use my Barracuda firewalls (NG F300 at main, F100 at remote sites) for DNS forwarding. Currently none of my firewalls are configured to handle DNS forwarding, and client machines on each LAN are configured with an external DNS server. I would at some point like to point each client's DNS to the LAN side of the Barracuda.

Can someone please tell me how to turn DNS forwarding on? I currently use OpenDNS settings and would simply like to configure internal clients to the firewall, then have the firewall forward to the OpenDNS IPs, but don't know how to set this up.

thanks,

#2 Ed Reiss

Ed Reiss
  • Members
  • 23 posts

Posted 03 July 2012 - 08:09 PM

Grant,

Hello again. All you have to do is set up a Redirect/DstNAT rule which forwards UDP 53 to the desired DNS IP address. You can set up your LAN IP address as the DNS server on the clients and forward all traffic to that address on UDP 53 to your external DNS server. In fact I do this on my Barracuda. You can also set up the DNS caching service on each firewall and forward traffic to the desired DNS server.

#3 Grant Christiansen

Grant Christiansen
  • Members
  • 38 posts

Posted 05 July 2012 - 07:49 AM

Ed,

Thanks Again!!

I appreciate all the help. Thanks!

#4 Zach Forsyth

Zach Forsyth
  • Barracuda Team Members
  • 41 posts

Posted 15 July 2012 - 10:21 AM

I would look into a transparent DNS interception rule which will capture DNS traffic on the network and app redirect it to the FW itself.
Then you don't need to make any changes on the workstations within the network.

#5 Grant Christiansen

Grant Christiansen
  • Members
  • 38 posts

Posted 16 July 2012 - 08:39 AM

Zach,

Thanks for the post. So all my clients are changed already (pointing to OpenDNS public IPs for basic blocking purposes). With your post above, would I then point my clients to the internal IP of the firewall?

Is there a pro/con of doing one vs the other?

Thanks for your help!

#6 Zach Forsyth

Zach Forsyth
  • Barracuda Team Members
  • 41 posts

Posted 16 July 2012 - 10:11 AM

The advantage to doing it on the FW is that it doesn't matter if any of the systems in your network are reconfigured: they will all use the NGFW for DNS and get consistent results.

The other advantage is that we can do DNS blacklisting on the NGFW, so if you want to block say www.facebook.com we can do that very easily.
admin settings > advanced on 5.2.3
virtual servers > firewall > forwarding settings on 5.2.4


You can test it easily. Just go into admin settings and enable advanced mode, and then turn on the DNS caching.
Then there should already be a DNS intercept rule that you can use. Change it to just your IP as the source so you can test and not impact everyone else.
It should redirect to 127.0.0.1.

If you don't have the rule, just create a new App redirect rule as follows:

Type: App redirect
Source: Your machine (or the whole Trusted LAN)
Service: DNS
Destination: World (0.0.0.0/0)
Redirection: 127.0.0.1
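A small probe for checking that the intercept rule above actually catches DNS leaving the LAN, added here as an example and not part of the thread or of Barracuda's own tooling. It sends one A query to the firewall's LAN IP and one to an arbitrary external address; with the App redirect in place, both should come back answered by the firewall's DNS cache. The IPs are placeholders you replace with your own.

```python
import socket
import struct

# Placeholder addresses (assumptions, not from the thread): your NGFW LAN IP
# and an external address that the intercept rule should capture on UDP 53.
FIREWALL_LAN_IP = "192.0.2.1"
EXTERNAL_PROBE_IP = "203.0.113.53"


def build_query(name, txid=0x1234):
    """Minimal DNS A/IN query with the RD (recursion desired) flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def parse_response(data, txid):
    """Decode the 12-byte DNS header: does the ID match, is it a reply,
    what is the RCODE, and how many answer records came back."""
    if len(data) < 12:
        raise ValueError("short DNS response")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {"id_ok": rid == txid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0x000F, "answers": an}


def probe(resolver_ip, name, timeout=2.0):
    """Send one query to resolver_ip:53; returns parsed header or None on timeout."""
    txid = 0x2A2A
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (resolver_ip, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return None
    return parse_response(data, txid)


def interception_active(direct, external):
    """The rule works when BOTH probes are answered: a reply from an address
    that is not a resolver can only have come from the redirect to 127.0.0.1."""
    ok = lambda r: r is not None and r["is_response"] and r["id_ok"] and r["rcode"] == 0
    return ok(direct) and ok(external)


if __name__ == "__main__":
    direct = probe(FIREWALL_LAN_IP, "example.com")
    external = probe(EXTERNAL_PROBE_IP, "example.com")
    print("firewall:", direct, "\nexternal:", external)
    print("DNS intercept rule active:", interception_active(direct, external))
```

Run it from a machine listed in the rule's Source; if the external probe times out while the direct one answers, the redirect is not matching that client.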

#7 Mark Harris

Mark Harris
  • Barracuda Team Members
  • 11 posts

Posted 20 August 2012 - 10:05 AM

Also keep in mind the external DNS should be configured in System settings to make this all work. You can put the OpenDNS servers in your DNS config under system settings to provide the same level of DNS you are getting now and centralize it through the NG. And as Zach notes, you don't need to change clients or worry about PCs that change their DNS settings.