This article explains how to configure the Cato Management Application to work with private DNS servers and customized DNS suffixes for the entire account, and for specific sites, groups, and users.
By default, Cato Networks provides DNS service for your account and acts as your DNS server. You can use the Cato Management Application to configure Cato to use your private DNS servers instead.
When the DNS servers are configured for the entire account, the DNS server in the Cato Cloud attempts to resolve every DNS query sent over the Cato network. If the DNS query is not resolved, then Cato Cloud uses authoritative DNS to resolve the query. As a best practice, we recommend that you configure two different DNS servers to offer the best security, performance, and redundancy.
Security: Configuring groups to use different DNS servers lets you protect your organization's assets and limit access to internal DNS servers. In this scenario, traffic from guests logging in to the network only uses public DNS servers, while internal users are directed to the internal DNS servers.
Performance: Using different local DNS servers for each site in the organization reduces DNS latency. Cato PoPs cache DNS responses so that repeated DNS requests are resolved more quickly, which shortens DNS response times. This results in a more efficient use of resources and better performance across the network.
Redundancy: To provide added redundancy, you can define primary and secondary DNS servers. If the primary DNS server is not available, the request automatically uses the secondary DNS server to resolve the query.
For more information about how DNS works with the Cato Cloud, see Best Practices for DNS and Your Cato Account.
You can configure the following DNS settings for the entire account:
- DNS settings and suffixes
- DNS forwarding (see Defining DNS Forwarding Rules)
When DNS settings for different entities conflict, the entity closest to the host (host > site > group > account) takes precedence. For example, site settings take precedence over group settings, and group settings take precedence over account settings. To configure DNS settings for individual sites, groups, or users, see Customizing DNS Servers and Suffixes for CMA Entities below.
By default, hosts that get their IP address from Cato are configured with the following DNS servers:
- Primary DNS: 10.254.254.1
- Secondary DNS: 8.8.8.8
Note: You can replace the Cato Cloud default servers with custom DNS servers. In this case, the following DNS records need to be added to your DNS servers to maintain service functionality:
- vpn.catonetworks.net --> 10.254.254.5 (or the customized reserve service range x.y.z.2 IP address)
- tunnel-api.catonetworks.com --> 10.254.254.3 (or the customized reserve service range x.y.z.7 IP address)
However, for custom DNS servers that send traffic over the Cato Cloud, you don't need to add these DNS records. The PoPs are able to resolve the DNS queries for the custom servers.
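To check the caveat in the note above, the following Python script (added here, not Cato's code) asks a custom DNS server for the two required records and reports any that are missing. It assumes dig is installed and that the default reserve service range is in use; adjust REQUIRED_RECORDS if your account uses a customized range.

```python
"""Added example (not Cato's code): verify that a custom DNS server answers the
records that must exist when the default Cato DNS servers are replaced."""
import subprocess
import sys

# Records named in the article, for the default reserve service range.
# Change the addresses if your account uses a customized reserve range.
REQUIRED_RECORDS = {
    "vpn.catonetworks.net": "10.254.254.5",
    "tunnel-api.catonetworks.com": "10.254.254.3",
}


def parse_dig_short(output: str) -> set[str]:
    """Turn `dig +short` output into the set of answers it lists (one per line)."""
    return {line.strip() for line in output.splitlines() if line.strip()}


def missing_records(answers: dict[str, set[str]],
                    required: dict[str, str] = REQUIRED_RECORDS) -> dict[str, str]:
    """Return the required name -> address pairs the server did not answer.

    `answers` maps each queried name to the set of addresses returned for it;
    a name that was not answered at all counts as missing.
    """
    return {name: ip for name, ip in required.items()
            if ip not in answers.get(name, set())}


def query_a(server: str, name: str, timeout: int = 3) -> set[str]:
    """Ask `server` for the A records of `name` using dig (assumes dig exists)."""
    proc = subprocess.run(
        ["dig", "+short", "+time=%d" % timeout, "+tries=1", "@" + server, name, "A"],
        capture_output=True, text=True, check=False,
    )
    return parse_dig_short(proc.stdout)


if __name__ == "__main__":
    # Usage: python check_records.py <custom-dns-server-ip>
    server = sys.argv[1] if len(sys.argv) > 1 else "10.254.254.1"
    got = {name: query_a(server, name) for name in REQUIRED_RECORDS}
    missing = missing_records(got)
    if missing:
        print(f"missing or wrong on {server}: {missing}")
    else:
        print(f"all required records present on {server}")
```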
You can configure the DNS settings on different objects in the Cato Management Application, for example, settings for the entire account and for specific groups. When these objects conflict, the entity closest to the user's host takes precedence:
- Users - closest to the host and highest precedence
- Sites
- Groups
- Account - lowest precedence
In other words, if there are different DNS settings for a site and the account, the DHCP settings for the site are used because the site has higher precedence than the account. For more about DNS settings for sites, users, and groups, see Customizing DNS Servers and Suffixes for CMA Entities below.
The DNS Settings screen lets you configure private DNS servers for your account. You can also add DNS suffixes to the queries for LAN hosts and Cato Clients that are connected to Cato Cloud.
The DNS suffixes are configured via DHCP (where used), and Clients configure the local operating system's DNS suffixes. For example: two DNS suffixes “myorganization.local” and “myorganization.com” are configured in this order. When a user attempts to access a server named “storage”, the operating system initially sends a DNS query for the name "storage.myorganization.local".
If this name represents an existing server, a connection is made to that server. Otherwise, the operating system proceeds to query for "storage.myorganization.com", and then tries "storage".
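As an added illustration (not Cato's code), the following Python simulates the two behaviours described above: the suffix search order the operating system follows for an unqualified name, and the user > site > group > account precedence that selects which DNS settings apply to a host. The zone contents and the site and account settings are constructed sample values.

```python
"""Added example (not Cato's code): simulate the DNS suffix search order and the
user > site > group > account precedence described in the article."""
from typing import Optional

# Constructed zone data: which fully-qualified names exist and their addresses.
ZONE = {
    "storage.myorganization.local": "10.10.1.20",
    "intranet.myorganization.com": "10.10.2.5",
}

# Constructed settings for two entities; None elsewhere means "nothing defined".
ACCOUNT = {"primary": "10.254.254.1", "secondary": "8.8.8.8",
           "suffixes": ["myorganization.local", "myorganization.com"]}
SITE = {"primary": "10.20.0.53", "secondary": "10.254.254.1",
        "suffixes": ["branch.myorganization.local"]}


def candidate_names(name: str, suffixes: list[str]) -> list[str]:
    """Order in which the OS tries an unqualified name: each suffix, then bare.

    A name ending in a dot is already fully qualified and is not expanded.
    """
    if name.endswith("."):
        return [name.rstrip(".")]
    return [f"{name}.{suffix}" for suffix in suffixes] + [name]


def resolve(name: str, suffixes: list[str],
            zone: dict[str, str] = ZONE) -> Optional[tuple[str, str]]:
    """Return (fqdn, address) for the first candidate present in the zone."""
    for fqdn in candidate_names(name, suffixes):
        if fqdn in zone:
            return fqdn, zone[fqdn]
    return None


def effective_dns(user: Optional[dict], site: Optional[dict],
                  group: Optional[dict], account: dict) -> dict:
    """Pick the settings of the entity closest to the host, most specific first."""
    for scope in (user, site, group, account):
        if scope is not None:
            return scope
    return account


if __name__ == "__main__":
    settings = effective_dns(None, SITE, None, ACCOUNT)
    print("effective primary DNS:", settings["primary"])      # site wins over account
    print(resolve("storage", ACCOUNT["suffixes"]))           # first suffix hit
```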
To define specific DNS servers for your account:
- From the navigation menu, click Network > DNS Settings. The Settings & Suffix tab is displayed.
- Enter the IP addresses for the Primary DNS (required) and Secondary DNS (optional) servers.
- Optional: In the DNS Suffix section, enter the suffix to append.
- Click Save.
For LAN hosts with static IP settings whose DNS server address is the same as the default gateway IP address (the Socket LAN interface IP), you can enable Socket sites to accept DNS requests sent to the Socket LAN interface IP address. This is a global setting for the account, and you can choose to disable it for specific Socket sites.
When this setting is enabled, the Socket relays the DNS request packets to the connected PoP for further processing. All DNS requests are processed according to the DNS settings configuration (for example, DNS forwarding) defined for the account or site.
Note: Accepting DNS requests sent to the Socket LAN interface is supported from Socket v16.0 and higher.
To enable accepting DNS requests sent to the Socket LAN interface for the account:
- From the navigation menu, click Network > DNS Settings. The Settings & Suffix tab is displayed.
- Select Accept DNS requests sent to Socket LAN interface IP.
- Click Save.
When the account is enabled to accept DNS requests sent to the Socket LAN interface, you can disable this setting for specific sites.
To disable accepting DNS requests sent to the Socket LAN interface for a specific site:
- From the navigation menu, click Network > Sites and select the site.
- From the navigation menu, click Advanced Configuration.
- Click the row for Disable site DNS relay. The Edit - Disable site DNS relay panel opens.
- Use the Enabled toggle to enable this setting. The toggle is green when enabled.
- In Value, select On.
- Click Apply, and then click Save.
You can customize private DNS servers and set DNS suffixes for Cato Management Application (CMA) entities such as groups, specific sites, and hosts or users.
You can improve network performance for sites in different locations by configuring different internal DNS servers per location. The Cato Cloud provides your hosts with fast, global DNS resolution that can significantly reduce DNS latency. Customizing a site's DNS servers so that DNS responses are retrieved from the closest PoP can significantly improve efficiency and response time.
To customize DNS settings for a site:
- From the navigation menu, click Network > Sites and select the site.
- From the navigation menu, click Site Settings > DNS.
- Enter the IP addresses for the Primary DNS (required) and Secondary DNS (optional) servers.
- Optional: In the DNS Suffix section, enter the suffix to append.
- Click Save.
One way to protect your corporate assets is to limit access and only use internal DNS servers. For example, you might want to use the default DNS servers for employees while having guests connect to a public network by configuring the DNS settings for the public group or User Group to only resolve from the public DNS servers.
Some users, for example mobile or remote users, may need to connect directly to the Cato Cloud rather than through the account's servers. In these cases, users might encounter connectivity problems or be unable to access internal resources. In addition, if you configure DNS settings for the site rather than for the individual users, those users can't access the internal resources in your domain, because the DNS server can't resolve DNS queries for Cato Clients that aren't connected to the site. You can resolve this issue by configuring the DNS settings for the specific users.
To customize DNS settings for a group:
- From the navigation menu, click Assets > Groups and select the group.
- From the navigation menu, click DNS.
- Enter the IP addresses for the Primary DNS (required) and Secondary DNS (optional) servers.
- Optional: In the DNS Suffix section, enter the suffix to append.
- Click Save.
For more information on customizing DNS settings for specific users or User groups, see Centralized Management of SDP User DNS Settings.
1 comment
Updated article with new DNS feature: Accepting DNS Requests Sent to Socket LAN Interface (requires Socket v16)