Defining DNS Forwarding Rules

This article discusses how to define DNS forwarding rules for your account.

Overview

You can configure DNS Forwarding rules so that DNS queries for the specified domain names are resolved by a private DNS server instead of Cato's DNS server. For example, this is useful when mobile users connect directly to the Cato Cloud rather than through one of your internal servers or sites and still need to resolve internal names.

If multiple DNS Forwarding rules match the same domain, Cato prioritizes the most specific rule. In the example below, the rule for s1.example.local is prioritized over the rule for example.local.

(Screenshot: dns-forward.png)
If multiple IP addresses for the DNS forwarding servers are configured, the DNS request is sent to all the DNS servers defined in the rule. The first response received is used to resolve the query.
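The following Python model is an added example, not Cato's own code, of how the rule selection described above behaves: it treats a rule domain as matching a query name when the domain equals the name or is one of its parent domains (label-wise suffix match, which is an assumption about the implementation), picks the most specific matching rule, and fans the query out to every server in that rule. The rulebase, including a single reverse zone for the 10/8 range, is constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class ForwardingRule:
    """One DNS Forwarding rule: a single domain and up to six server IPs."""
    domain: str
    servers: list

def _labels(name: str) -> list:
    # Lower-case labels with no trailing dot; "*" is treated as an ordinary label.
    return name.rstrip(".").lower().split(".")

def matches(rule_domain: str, qname: str) -> bool:
    """True when the rule domain equals the query name or is one of its parents.
    The comparison is label-wise, so 'ample.local' never matches 'example.local'."""
    r, q = _labels(rule_domain), _labels(qname)
    return len(r) <= len(q) and q[-len(r):] == r

def select_rule(rules: list, qname: str):
    """Most-specific match wins: among matching rules, the one with the most labels."""
    candidates = [r for r in rules if matches(r.domain, qname)]
    if not candidates:
        return None  # no rule matched: the query goes to the default resolver
    return max(candidates, key=lambda r: len(_labels(r.domain)))

def forward_targets(rules: list, qname: str) -> list:
    """Servers the query is sent to in parallel (the first answer received is used)."""
    rule = select_rule(rules, qname)
    return list(rule.servers) if rule else []

def validate(rule: ForwardingRule) -> None:
    """Mirror the UI limits: at most six servers per rule, each a valid IP address."""
    if len(rule.servers) > 6:
        raise ValueError(f"{rule.domain}: more than six DNS servers")
    for s in rule.servers:
        ipaddress.ip_address(s)  # raises ValueError on a malformed address

# Constructed sample rulebase (private RFC 1918 addresses, not real servers).
RULES = [
    ForwardingRule("example.local", ["10.0.0.53"]),
    ForwardingRule("s1.example.local", ["10.0.1.53", "10.0.1.54"]),
    ForwardingRule("10.in-addr.arpa", ["10.0.0.53"]),  # one reverse zone for all of 10/8
]

if __name__ == "__main__":
    for r in RULES:
        validate(r)
    ptr = ipaddress.ip_address("10.20.30.40").reverse_pointer  # 40.30.20.10.in-addr.arpa
    print(select_rule(RULES, "host.s1.example.local").domain, forward_targets(RULES, ptr))
```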

Notes:

  • You can use DNS forwarding either with Cato's default DNS server, or well-known DNS servers such as 8.8.8.8, 1.1.1.1, and 9.9.9.9. The list of well-known DNS servers can vary between PoPs, for example China and New York.

  • DNS Forwarding can be applied for both external and internal IP addresses and domains.

  • DNS Forwarding can process requests over either UDP or TCP.

  • The PoP doesn't store DNS forwarding requests in the cache.

  • DoH (DNS over HTTPS) isn't supported; DNS Forwarding can't process DoH packets.

To add a DNS forwarding rule:

  1. From the navigation menu, click Network > DNS Settings. The Settings & Suffix tab is displayed.

  2. Click the DNS Forwarding tab.

  3. Click New to add a DNS Forwarding rule. The Add panel opens.

  4. Enter the Domain for the traffic that matches this DNS Forwarding rule.

    You can enter one domain per rule.

  5. In the IPs section, enter the IP address for the DNS server for this rule. Each rule supports up to six DNS servers.

  6. Click Apply. The rule is added to the DNS Forwarding rulebase.

  7. Click Save.

To delete a DNS forwarding rule:

Note

You cannot undo a rule deletion.

  1. From the navigation menu, click Network > DNS Settings. The Settings & Suffix tab is displayed.

  2. Click the DNS Forwarding tab.

  3. Click the Delete icon next to the rule you are deleting. The rule is removed.

  4. Click Save. The rule is deleted.


5 comments

  • Matrix Networks

    I have recently had a customer that heavily relied on reverse DNS or DNS PTR records.  I have added the 168.192.in-addr.arpa as a zone to be forwarded to their internal server and this resolved the issue.

    However, I do have a different client that uses 10.x.x.x addresses.  On their server they have many x.x.10.in-addr.arpa zones.  Although they have many zones, will one 10.in-addr.arpa forwarder record cover them all?

    Else we would really like an import function here.

    Thanks,

    Brian

  • Dermot - Community Manager

    Hello Brian!

    I'm afraid that I don't have a quick answer for you.  However, I will ask my colleagues if they know how to implement this.  If not, I will engage the Product Management Team and ask them to have a look at it.  

    By the way, this is also the sort of question that you can ask on our Community platform.  No need to do this for this question, but you might like to try it out in the future!

    Kind Regards,

    Dermot Doran - Cato Networks Community Manager.

  • Matrix Networks

    Sounds great; I was encouraged to post more.  I guess the comment for this document and topic would be clarifying the best practice of what to do with reverse zones, and whether they belong in the forwarder.

  • Dermot - Community Manager

    Hello Brian!

    I have discussed this with colleagues and it should work (i.e. somebody has used DNS forwarding for this purpose in the past). 

    If you have any problems, please let us know by opening up a discussion on the Cato Online Community.

    Kind Regards,

    Dermot 

  • vtecson

    Hi Brian,

    Yes; even though the * wildcard does not seem to work, the 10.in-addr.arpa covers all the reverse zone lookups for the entire 10.x.x.x.
