Example DNS Flows Using Cato as your DNS Server

This article provides examples of DNS flows when using Cato as your DNS server.

Sample Diagrams of DNS Flows

This section shows several DNS flow examples. Each one explains how Cato's DNS service works in a different configuration.

Using Cato as a DNS Server

The following diagram shows an example of an account that uses the Cato DNS server (10.254.254.1). The same flow applies to any trusted DNS server.

  1. A host requests to resolve a public domain (abc.com).

  2. The Cato PoP intercepts the DNS query and checks its destination IP address. Because the destination is a trusted DNS server, the PoP performs DNS inspection, checks for matching DNS forwarding rules, and looks for a matching local DNS record in its cache.

  3. No matching DNS records are identified in the cache.

  4. The PoP then forwards the DNS query to the trusted public DNS server (10.254.254.1) and performs source NAT (SNAT).

  5. When the trusted DNS server sends back the response, the PoP reverses the translation of the source and destination IP addresses and forwards the response to the originating host.

    The PoP also stores the DNS response in the cache.


Using Untrusted DNS Server

The following diagram shows an example of using an untrusted public DNS server (OpenDNS, IP address 208.67.222.222).

  1. The PoP forwards the DNS query for abc.com "as-is" to the destination DNS server over the internet.

  2. The PoP performs source NAT, replacing the source IP address with the PoP's public IP address.

    The PoP doesn't perform DNS inspection and doesn't apply DNS forwarding rules.


Using DNS Forwarding Rules

The following diagram shows an example of a DNS query to Cato's DNS service (10.254.254.1) when a DNS forwarding rule matches the queried domain (*.local.org).

  1. The PoP inspects the DNS query, and checks for forwarding rules.

  2. The PoP redirects the DNS query to the remote DNS server defined in the rule (192.168.5.5).

    The PoP doesn't cache DNS responses from a forwarding DNS server.


Using Untrusted Private DNS Server

The following diagram shows an example of using an untrusted private DNS server (192.168.5.5).

  1. The PoP forwards the DNS query "as-is" to the destination DNS server over the WAN.

  2. The PoP doesn't perform DNS inspection, and DNS forwarding rules aren't applied.

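The four flows above differ only in the decision the PoP makes per query: whether the destination DNS server is trusted, whether a forwarding rule matches, and whether the cache is consulted and updated. The following is an added example that models that decision logic; it is not Cato's code. Server addresses come from the article, while the UPSTREAM answer table and the Pop class are constructed for illustration.

```python
"""Model of the PoP decision logic for the four DNS flows above (added example,
not Cato code). Addresses are from the article; UPSTREAM answers are constructed."""
from dataclasses import dataclass, field
from fnmatch import fnmatch
from ipaddress import ip_address
CATO_DNS = "10.254.254.1"   # Cato DNS service (trusted), from the article
UPSTREAM = {                # constructed answers keyed by (DNS server, name)
    (CATO_DNS, "abc.com"): "192.0.2.10",
    ("208.67.222.222", "abc.com"): "192.0.2.10",
    ("192.168.5.5", "app.local.org"): "192.168.5.20",
}

@dataclass
class Pop:
    trusted: set            # trusted DNS server addresses
    forwarding_rules: dict  # glob pattern -> remote DNS server
    cache: dict = field(default_factory=dict)

    def resolve(self, name, dns_server):
        """Return a dict describing how the PoP handles one query."""
        if dns_server not in self.trusted:
            # Untrusted server: no inspection, no forwarding rules, no caching.
            # The article describes source NAT only for the public (OpenDNS) case.
            snat = not ip_address(dns_server).is_private
            return {"flow": "untrusted", "inspected": False, "snat": snat,
                    "server": dns_server, "cached": False,
                    "answer": UPSTREAM[(dns_server, name)]}
        # Trusted server: inspect the query and check forwarding rules first.
        for pattern, remote in self.forwarding_rules.items():
            if fnmatch(name, pattern):
                # Redirected to the rule's server; not cached. NAT not described (snat=None).
                return {"flow": "forwarding_rule", "inspected": True, "snat": None,
                        "server": remote, "cached": False,
                        "answer": UPSTREAM[(remote, name)]}
        if name in self.cache:  # matching local DNS record: no upstream query
            return {"flow": "cache_hit", "inspected": True, "snat": False,
                    "server": None, "cached": True, "answer": self.cache[name]}
        # Cache miss: forward to the trusted server with SNAT, then cache the reply.
        answer = UPSTREAM[(dns_server, name)]
        self.cache[name] = answer
        return {"flow": "trusted_miss", "inspected": True, "snat": True,
                "server": dns_server, "cached": False, "answer": answer}

def demo():
    pop = Pop(trusted={CATO_DNS}, forwarding_rules={"*.local.org": "192.168.5.5"})
    return [pop.resolve("abc.com", CATO_DNS),            # miss: forwarded, cached
            pop.resolve("abc.com", CATO_DNS),            # served from the cache
            pop.resolve("abc.com", "208.67.222.222"),    # untrusted public: NAT only
            pop.resolve("app.local.org", CATO_DNS),      # forwarding rule -> 192.168.5.5
            pop.resolve("app.local.org", "192.168.5.5")] # untrusted private over WAN
```

Running `demo()` walks one query through each flow in order; note that the forwarding-rule response never enters the cache, while the trusted-server response does.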
