The Domain Name System (DNS) is a network system of servers that translates numeric IP addresses into readable, hierarchical Internet addresses, and vice versa. DNS enables your computer network to understand, for example, that you want to reach the server at 184.108.40.206 when you type a domain name into your browser, such as www.example.com. With Fireware XTM, you have two methods to control DNS traffic: the DNS packet filter and the DNS-proxy policy. The DNS-proxy is useful only if DNS requests are routed through your XTM device.
When you create a new configuration file, the file automatically includes an Outgoing packet filter policy that allows all TCP and UDP connections from your trusted and optional networks to external. This allows your users to connect to an external DNS server with the standard TCP 53 and UDP 53 ports. Because Outgoing is a packet filter, it is unable to protect against common UDP outgoing trojans, DNS exploits, and other problems that occur when you open all outgoing UDP traffic from your trusted networks. The DNS-proxy has features to protect your network from these threats. If you use external DNS servers for your network, the DNS-Outgoing ruleset offers additional ways to control the services available to your network community.
To add the DNS-proxy to your XTM device configuration, see Add a Proxy Policy to Your Configuration.
If you must change the proxy definition, from the
On the Settings tab, you can set basic information about a proxy policy, such as whether it allows or denies traffic, create access rules for a policy, or configure policy-based routing, static NAT, or server load balancing. The Settings tab also shows the port and protocol for the policy, as well as an optional description of the policy. You can use the settings on this tab to set logging, notification, automatic blocking, and timeout preferences.
If Application Control is enabled on your device, you can set the action this proxy uses for Application Control.
For more information, see Enable Application Control in a Policy.
On the Traffic Management tab, you can select the Traffic Management action for the policy. You can also create a new Traffic Management action. For more information about Traffic Management actions, see Define a Traffic Management Action in v11.8.x and Lower and Add a Traffic Management Action to a Policy.
To apply a Traffic Management action in a policy:
You can choose a predefined proxy action or configure a user-defined proxy action for this proxy. For more information about how to configure proxy actions, see About Proxy Actions.
To configure the proxy action:
For the DNS-proxy, you can configure these categories of settings for a proxy action:
On the Scheduling tab, you can specify an operating schedule for the policy. You can select an existing schedule or create a new schedule.
The Advanced tab includes settings for NAT, QoS, multi-WAN, and ICMP options.
To edit or add a comment to this proxy policy configuration, type the comment in the Comment text box.
For more information on the options for this tab, see:
About Proxy Policies and ALGs