Defining DNS Forwarding Rules

This article discusses how to define DNS forwarding rules for your account.

Overview

You can configure DNS Forwarding rules so that DNS queries for the specified domain names are resolved by a private DNS server instead of Cato's DNS server. For example, mobile users sometimes connect directly to the Cato Cloud instead of going through one of your internal servers or sites, and still need to resolve names that only your private DNS server knows.

If multiple DNS Forwarding rules match the same query, Cato applies the most specific rule. In the example below, a rule for s1.example.local is prioritized over a rule for example.local.

[Figure: dns-forward.png]

If a rule is configured with multiple DNS server IP addresses, the DNS request is sent to all of the servers defined in the rule, and the first response received is used to resolve the query.
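The fan-out behaviour just described, as an added simulation that is not part of the article or Cato's own code: the servers, their latencies and their records are constructed values, and real resolution would use a DNS client library instead of the simulated replies here. It also shows why the servers listed in one rule should hold identical data: because the first reply wins, a faster server that lacks a record answers NXDOMAIN before the slower one can answer.

```python
import concurrent.futures
import time

# Constructed stand-ins for the DNS servers listed in one forwarding rule
# (IPs, latencies and records are example values, not from the article).
SERVERS = {
    "10.1.1.53": {"latency": 0.20, "records": {"app.example.local": "10.1.1.10",
                                               "db.example.local": "10.1.1.20"}},
    "10.2.2.53": {"latency": 0.05, "records": {"app.example.local": "10.1.1.10"}},
}

def query_one(server, qname):
    """Simulate one server's reply: wait for its latency, then answer or NXDOMAIN."""
    cfg = SERVERS[server]
    time.sleep(cfg["latency"])
    return server, cfg["records"].get(qname, "NXDOMAIN")

def forward(qname, servers, timeout=1.0):
    """Send qname to every server in the rule at once; the first reply is used,
    whatever it says. Returns (server, answer), or (None, 'SERVFAIL') on timeout."""
    pool = concurrent.futures.ThreadPoolExecutor(max_workers=len(servers))
    futures = [pool.submit(query_one, s, qname) for s in servers]
    try:
        for fut in concurrent.futures.as_completed(futures, timeout=timeout):
            return fut.result()
    except concurrent.futures.TimeoutError:
        pass
    finally:
        pool.shutdown(wait=False)
    return None, "SERVFAIL"

if __name__ == "__main__":
    # Both servers hold app.example.local, so the faster server's answer is used.
    print(forward("app.example.local", list(SERVERS)))
    # Only the slow server holds db.example.local; the fast server's NXDOMAIN
    # arrives first and is used, so the query fails despite a valid record existing.
    print(forward("db.example.local", list(SERVERS)))
```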

Notes:

  • You can use DNS forwarding either with Cato's default DNS server, or trusted DNS servers such as 8.8.8.8, 1.1.1.1, and 9.9.9.9. For more about trusted DNS servers, see Using Trusted DNS Servers.

  • DNS Forwarding can be applied for both external and internal IP addresses and domains.

  • DNS Forwarding can process requests over either UDP or TCP.

  • The PoP doesn't cache the responses to forwarded DNS requests.

  • DoH (DNS over HTTPS) and DoT (DNS over TLS) aren't supported.

To define a DNS Forwarding rule:

  1. From the navigation menu, click Network > DNS Settings.

  2. Click the DNS Forwarding tab.

  3. Click New to add a DNS Forwarding rule. The Add panel opens.

  4. Enter the Domain for the traffic that matches this DNS Forwarding rule.

    You can enter one domain per rule.

  5. In the IPs section, enter the IP address for the DNS server for this rule. Each rule supports up to six DNS servers.

  6. Click Apply. The rule is added to the DNS Forwarding rulebase.

  7. Click Save.

Defining Reverse DNS Forwarding Rules

A reverse DNS request translates an IP address into a domain name. Reverse DNS forwarding lets you forward all reverse DNS queries for an address range to a central DNS server that handles reverse lookups, which simplifies administration.

A reverse DNS forwarding rule is identified by the octets of the IP address range written in reverse order, followed by the suffix in-addr.arpa (for example, 168.192.in-addr.arpa for addresses starting with 192.168). The IP portion indicates which octets of an IP address you want to query the hostname for; fewer octets cover a larger range.

[Figure: DNS_reverse.png]

To define a reverse DNS forwarding rule:

  1. From the navigation menu, click Network > DNS Settings > DNS Forwarding.

  2. Click New. The Add Rule panel opens.

  3. In the Domain field, enter the reversed IP address octets for the traffic that matches this DNS Forwarding rule, followed by in-addr.arpa.

  4. Enter the IP address for the DNS server for this rule. Each rule supports up to six DNS servers.

  5. Click Apply, and then click Save.
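The rule selection described in this article (the most specific matching domain wins, and reverse rules are named by reversed octets plus in-addr.arpa), as an added Python example that is not part of the article or of Cato's product. The rulebase, the server IPs and the label-by-label suffix matching are assumptions; under that model a 10.in-addr.arpa rule covers every more specific x.x.10.in-addr.arpa name, which is consistent with the comment thread below.

```python
import ipaddress

# Constructed rulebase (domains and IPs are example values, not from the article):
# rule domain -> the private DNS servers for that rule (up to six per rule).
RULES = {
    "example.local": ["10.1.1.53"],
    "s1.example.local": ["10.2.2.53"],
    "168.192.in-addr.arpa": ["10.1.1.53"],   # reverse lookups for 192.168.x.x
    "10.in-addr.arpa": ["10.3.3.53"],        # reverse lookups for 10.x.x.x
}

def _labels(name):
    """Normalise a DNS name into its labels: lowercase, no trailing dot."""
    return name.lower().rstrip(".").split(".")

def select_rule(qname, rules=RULES):
    """Return (rule_domain, servers) for the most specific rule whose domain is the
    query name itself or one of its parent domains; None if no rule matches."""
    q = _labels(qname)
    best, best_len = None, 0
    for domain in rules:
        d = _labels(domain)
        # Compare whole labels, so "example.local" matches "www.example.local"
        # but not "notexample.local"; the longest matching suffix wins.
        if len(d) <= len(q) and q[-len(d):] == d and len(d) > best_len:
            best, best_len = domain, len(d)
    return None if best is None else (best, rules[best])

def reverse_name(ip):
    """PTR query name for an address: 192.168.1.20 -> 20.1.168.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer

def select_rule_for_ip(ip, rules=RULES):
    """The rule that would handle the reverse lookup of an address."""
    return select_rule(reverse_name(ip), rules)

if __name__ == "__main__":
    for name in ("s1.example.local", "www.example.local", "host.s1.example.local"):
        print(name, "->", select_rule(name))
    for ip in ("192.168.1.20", "10.20.30.40", "172.16.0.1"):
        print(ip, "->", reverse_name(ip), "->", select_rule_for_ip(ip))
```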

5 comments

  • Matrix Networks

    I have recently had a customer that heavily relied on reverse DNS or DNS PTR records.  I have added the 168.192.in-addr.arpa as a zone to be forwarded to their internal server and this resolved the issue.

    However, I do have a different client that uses 10.x.x.x addresses. On their server they have many x.x.10.in-addr.arpa zones. Although they have many zones, will one 10.in-addr.arpa forwarder record cover them all?

    Else we would really like an import function here.

    Thanks,

    Brian

  • Dermot - Community Manager

    Hello Brian!

    I'm afraid that I don't have a quick answer for you. However, I will ask my colleagues if they know how to implement this. If not, I will engage the Product Management Team and ask them to have a look at it.

    By the way, this is also the sort of question that you can ask on our Community platform.  No need to do this for this question, but you might like to try it out in the future!

    Kind Regards,

    Dermot Doran - Cato Networks Community Manager.

  • Matrix Networks

    Sounds great, I was encouraged to post more. I guess the comment for this document and topic would be clarifying the best practice of what to do with reverse zones, and whether they belong in the forwarder.

  • Dermot - Community Manager

    Hello Brian!

    I have discussed this with colleagues and it should work (i.e. somebody has used DNS forwarding for this purpose in the past).

    If you have any problems, please let us know by opening up a discussion on the Cato Online Community.

    Kind Regards,

    Dermot

  • vtecson

    Hi Brian,

    Yes; even though the * wildcard does not seem to work, the 10.in-addr.arpa covers all the reverse zone lookups for the entire 10.x.x.x.