Cato Networks Knowledge Base

Handling DNS Flows in the Cato Cloud

  • Updated

Overview of Global DNS Servers and the Cato Cloud

Each PoP within the Cato Cloud is configured with a list of well-known global DNS servers. In certain PoP locations, different global DNS servers may be required. For operations related reasons, Cato occasionally updates the list of global DNS servers list to ensure relevancy for traffic flows.

Handling DNS Queries

This section describes the workflow for how a PoP handles DNS queries. When a PoP intercepts a DNS query from a Socket DTLS tunnel, IPsec (DTLS, or IPSec ) or VPN Client tunnel, the PoP checks the destination IP address of the query. When the query destination IP address matches 10.254.254.1 (or the customized reserved service range x.y.z.3 IP address), then the PoP checks if the DNS Forwarding (Global Settings > DNS Forwarding) is enabled for the account. Then the PoP forwards the query to the configured DNS server(s).

For accounts that don't use DNS Forwarding, the PoP tries to resolve the query using its own DNS cache. When the PoP can resolve the query, it generates a DNS response message back to the source. If there is no DNS cache entry for the query, then the PoP forwards the query to one of its global DNS servers, and performs the following actions:

  1. The PoP modifies the query destination IP address from 10.254.254.1 to the global DNS server IP address. The UDP port isn't changed.
  2. The PoP performs SNAT (Source Network Address Translation) on the source IP address of the query to its own public IP address (Cato’s public range), thus hiding the source organization.
  3. When the PoP receives the DNS response from the global DNS server, it modifies the source and the destination IP addresses to the original values, and forwards the response back to the source. The PoP caches the A or CNAME type responses that it receives from the global DNS servers and their TTL is enforced.

If the destination IP address for the DNS query does not match the 10.254.254.1 IP address(or customized reserved service range x.y.z.3 ), then the PoP sends this query to its destination IP address as regular WAN or Internet traffic. The query Destination IP isn't changed. For public DNS queries, the PoP uses NAT to translate the source IP address to one of Cato’s public range IP addresses. In this case, the PoP does not perform DNS forwarding or DNS response caching.

Note: Cato Networks doesn't support the following DNS types:

  • DNS over TCP
  • DNS over TLS
  • DNSSec

DNS Default and Customized IP Ranges

These are the default and customized IP ranges for the DNS servers in the Cato Cloud:

Working with Cato's Default IP Ranges:

  • GW IP address: 10.254.254.1
  • DNS server IP address: 10.254.254.1
  • User Awareness IP address: 10.254.254.12

Working with Customized IP Ranges:

  • GW IP address: X.Y.Z.1
  • DNS IP address: X.Y.Z.3
  • User Awareness IP address: X.Y.Z.9

DNS Flows Examples

This section shows several DNS flow examples. Each example explains how Cato's DNS service works in a different configuration.

Using Cato as a DNS Server

The following diagram shows an example of using Cato's DNS service and resolving a public domain (abc.com). The Cato PoP intercepts the DNS query and checks for the destination IP address. The PoP performs DNS inspection, checks for DNS forwarding rules and for local DNS records in the cache. It then forwards the DNS query to a trusted public DNS server (10.254.254.1) and performs SNAT. When the trusted DNS server sends back the response, the PoP translates back the source and destination IP addresses and forwards the response to the originating host. The PoP also stores the DNS response in the cache.

mceclip0.png

Using Untrusted DNS Server

The following diagram shows an example of using an untrusted DNS server (IP address: 208.67.222.222 - OpenDNS). The PoP forwards the DNS query "as-is" to the destination (abc.com) over the internet. The PoP performs NAT on the source IP address (with the PoP public IP address). The PoP doesn't perform DNS inspection or DNS forwarding rules and DNS caching isn't applied.

untrusted_DNS_new.png

Using DNS Forwarding Rules

The following diagram shows an example of a DNS query to Cato's DNS service (10.254.254.1) when DNS forwarding rules are applied (*.local.org). The PoP inspect the DNS query, checks for forwarding rules and redirects the DNS query to the remote DNS server (192.168.5.5). The PoP doesn't cache DNS responses from a forwarding DNS server.

mceclip2.png

Using Untrusted Private DNS Server

The following diagram shows an example of using an untrusted private DNS server (192.168.5.5). The PoP forwards the DNS query to the destination "as-is" over the WAN. the PoP doesn't perform DNS inspection and DNS forwarding rules aren't applied.

mceclip3.png 

Was this article helpful?

2 out of 4 found this helpful

Comments

0 comments

Please sign in to leave a comment.