Handling DNS Flows in the Cato Cloud

Each PoP within the Cato Cloud is configured with a list of well-known global DNS servers. In certain PoP locations, different global DNS servers may be required. For operations related reasons, Cato occasionally updates the list of global DNS servers list to ensure relevancy for traffic flows.

This section describes the workflow for how a PoP handles DNS queries. When a PoP intercepts a DNS query from a Socket DTLS tunnel, IPsec (DTLS, or IPSec ) or VPN Client tunnel, the PoP checks the destination IP address of the query. When the query destination IP address matches 10.254.254.1 (or the customized reserved service range x.y.z.3 IP address), then the PoP checks if the DNS Forwarding (Network > DNS Settings > DNS Forwarding) is enabled for the account. Then the PoP forwards the query to the configured DNS server(s).

For accounts that don't use DNS Forwarding, the PoP tries to resolve the query using its own DNS cache. When the PoP can resolve the query, it generates a DNS response message back to the source. If there is no DNS cache entry for the query, then the PoP forwards the query to one of its global DNS servers, and performs the following actions:

If the destination IP address for the DNS query does not match the 10.254.254.1 IP address(or customized reserved service range x.y.z.3 ), then the PoP sends this query to its destination IP address as regular WAN or Internet traffic. The query Destination IP isn't changed. For public DNS queries, the PoP uses NAT to translate the source IP address to one of Cato’s public range IP addresses. In this case, the PoP does not perform DNS forwarding or DNS response caching.

These are the default and customized IP ranges for the DNS servers in the Cato Cloud:

Working with Cato's Default IP Ranges:

Working with Customized IP Ranges:

This section shows several DNS flow examples. Each example explains how Cato's DNS service works in a different configuration.

Using Cato as a DNS Server

The following diagram shows an example of using Cato's DNS service and resolving a public domain (abc.com). The Cato PoP intercepts the DNS query and checks for the destination IP address. The PoP performs DNS inspection, checks for DNS forwarding rules and for local DNS records in the cache. It then forwards the DNS query to a trusted public DNS server (10.254.254.1) and performs SNAT. When the trusted DNS server sends back the response, the PoP translates back the source and destination IP addresses and forwards the response to the originating host. The PoP also stores the DNS response in the cache.

Using Untrusted DNS Server

The following diagram shows an example of using an untrusted DNS server (IP address: 208.67.222.222 - OpenDNS). The PoP forwards the DNS query "as-is" to the destination (abc.com) over the internet. The PoP performs NAT on the source IP address (with the PoP public IP address). The PoP doesn't perform DNS inspection or DNS forwarding rules and DNS caching isn't applied.

Using DNS Forwarding Rules

The following diagram shows an example of a DNS query to Cato's DNS service (10.254.254.1) when DNS forwarding rules are applied (*.local.org). The PoP inspect the DNS query, checks for forwarding rules and redirects the DNS query to the remote DNS server (192.168.5.5). The PoP doesn't cache DNS responses from a forwarding DNS server.

Using Untrusted Private DNS Server

The following diagram shows an example of using an untrusted private DNS server (192.168.5.5). The PoP forwards the DNS query to the destination "as-is" over the WAN. the PoP doesn't perform DNS inspection and DNS forwarding rules aren't applied.