Cato Networks Knowledge Base

Configuring DNS Settings


This article explains how to configure the Cato Management Application to work with private DNS servers and customized DNS suffixes for the entire account, and for specific sites, groups, and users.

Overview of the Cato DNS Server

By default, Cato Networks provides DNS service for your account and acts as your DNS server. You can use the Cato Management Application to configure Cato to use private DNS servers.

When the DNS servers are configured for the entire account, the DNS server in the Cato Cloud attempts to resolve every DNS query sent over the Cato network. If the DNS query is not resolved, then Cato Cloud uses authoritative DNS to resolve the query. As a best practice, we recommend that you configure two different DNS servers to offer the best security, performance, and redundancy.

Security: Configuring groups to use different DNS servers lets you protect your organization's assets and limit access to internal DNS servers. In this scenario, traffic from guests logging in to the network uses only public DNS servers, while internal users are directed to the internal DNS servers.

Performance: Using different local DNS servers for each site within the organization means that DNS latency is reduced. Cato PoPs store DNS responses in the cache so that future DNS requests are resolved more quickly. In turn, this means DNS response time is faster as well. This results in a more efficient use of resources and better performance across the network.

Redundancy: To provide added redundancy, you can define primary and secondary DNS servers. If the primary DNS server is not available, the request automatically uses the secondary DNS server to resolve the query.

For more information about how DNS works with the Cato Cloud, see Best Practices for DNS and Your Cato Account.

Configuring DNS Settings for the Account

You can configure the following DNS settings for the entire account:

[Screenshot: DNS Settings screen]

When DNS settings between entities conflict, the entity closest to the host (from host > site > group > account) takes precedence. For example, site settings take precedence over group settings, and group settings take precedence over account settings. For configuring DNS settings for individual sites, groups or users, see Customizing DNS Servers and Suffixes below.

By default, hosts that get their IP address from Cato are configured with the following DNS servers:

  • Primary DNS: 10.254.254.1

  • Secondary DNS: 8.8.8.8

Note: You can replace the Cato Cloud default servers with custom DNS servers. In this case, the following DNS records need to be added to your DNS servers to maintain service functionality:

  • vpn.catonetworks.net --> 10.254.254.5 (or the customized reserve service range x.y.z.2 IP address)

  • tunnel-api.catonetworks.com --> 10.254.254.3 (or the customized reserve service range x.y.z.7 IP address)
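
To confirm that a custom DNS server serves both records before hosts depend on it, the following added example (not part of the Cato article or product) queries a given server directly over UDP and reports any required name that does not return the expected address. The function names are illustrative, and the expected addresses assume the default service range.

```python
import secrets, socket, struct

# Records the article says a custom DNS server must serve (default service range).
REQUIRED = {"vpn.catonetworks.net": "10.254.254.5",
            "tunnel-api.catonetworks.com": "10.254.254.3"}

def build_query(name, txid):
    """Encode a recursive A/IN query for name."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack(">HH", 1, 1)

def _skip_name(msg, off):
    """Return the offset just past a name, which may end in a compression pointer."""
    while msg[off] & 0xC0 != 0xC0 and msg[off] != 0:
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)

def parse_a_records(msg, txid):
    """Return the IPv4 addresses in the answer section, or [] on any error response."""
    rid, flags, qd, an = struct.unpack(">HHHH", msg[:8])
    if rid != txid or not flags & 0x8000 or flags & 0x000F:
        return []  # wrong transaction ID, not a response, or RCODE != NOERROR
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if (rtype, rclass, rdlen) == (1, 1, 4):
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs

def query_a(server, name, timeout=3.0):
    """Ask one specific DNS server (UDP/53) for the A records of name."""
    txid = secrets.randbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, 53))
        return parse_a_records(s.recvfrom(512)[0], txid)

def missing_records(resolve, required=REQUIRED):
    """Map each required name that does not resolve to its expected IP to what was returned."""
    answers = {name: resolve(name) for name in required}
    return {n: got for n, got in answers.items() if required[n] not in got}
```

Call missing_records(lambda n: query_a("<custom-dns-server-ip>", n)) for the primary and the secondary server; an empty result means both records are present. For a customized service range, pass a required mapping with that range's addresses.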

Working with Hierarchy for DNS Settings

You can configure the DNS settings on different objects in the Cato Management Application, for example, for the entire account and for specific groups. When there is a conflict between these objects, the entity closest to the host takes precedence:

  1. Users - closest to the host and highest precedence

  2. Sites

  3. Groups

  4. Account - lowest precedence

In other words, if there are different DNS settings for a site and the account, the DHCP settings for the site are used because the site has higher precedence than the account. For more about DNS settings for sites, users, and groups, see Customizing DNS Servers and Suffixes below.

Defining DNS Server Settings and Suffixes for an Account

The DNS Settings screen lets you configure private DNS servers for your account. You can also add DNS suffixes to the queries for LAN hosts and Cato Clients that are connected to Cato Cloud.

The DNS suffixes are configured via DHCP (where used), and Clients configure the local operating system's DNS suffixes. For example, two DNS suffixes, "myorganization.local" and "myorganization.com", are configured in this order. When a user attempts to access a server named "storage", the operating system initially sends a DNS query for the name "storage.myorganization.local".

If this name represents an existing server, a connection is made to that server. Otherwise, the operating system proceeds to query for "storage.myorganization.com", and then tries "storage".

To define specific DNS servers for your account:

  1. From the navigation menu, click Network > DNS Settings.

    The Settings & Suffix tab is displayed.

  2. Enter the IP addresses for the Primary DNS (required) and Secondary DNS (optional) servers.

  3. Optional: In the DNS Suffix section, enter the suffix to append.

  4. Click Save.

Customizing DNS Servers and Suffixes

Overview

You can customize private DNS servers and set DNS suffixes for your entire account or for groups, specific sites and specific hosts or users.

[Screenshot: site-level DNS settings]

Customizing DNS Servers and Suffixes for Sites

You can improve network performance for sites based in different locations by configuring different internal DNS servers based on location. The Cato Cloud provides your hosts with fast, global DNS resolution that can significantly reduce DNS latency. Customizing the site's DNS servers to retrieve the DNS responses from the closest PoP can significantly improve efficiency and response time.

To customize DNS settings for a site:

  1. From the navigation menu, click Network > Sites and select the site.

  2. From the navigation menu, click Site Settings > DNS.

  3. Enter the IP addresses for the Primary DNS (required) and Secondary DNS (optional) servers.

  4. Optional: In the DNS Suffix section, enter the suffix to append.

  5. Click Save.

Customizing DNS Servers and Suffixes for Groups or User Groups

One way to protect your corporate assets is to limit access and only use internal DNS servers. For example, you might want to use the default DNS servers for employees while having guests connect to a public network by configuring the DNS settings for the public group or User Group to only resolve from the public DNS servers.

To customize the DNS settings for a group or User Group:

  1. From the navigation menu, click Assets > Groups. The Groups screen opens.

    For User Groups, click Access > User Groups. The User Groups screen opens.

  2. In the list, click on the group or User Group to customize. The General screen for that group or User Group opens.

  3. From the navigation menu, click DNS.

  4. Enter the IP addresses for the Primary DNS (required) and Secondary DNS (optional) servers.

  5. Optional: In the DNS Suffix section, enter the suffix to append.

  6. Click Save.

Customizing DNS Servers and Suffixes for Users

Some users, for example mobile or remote users, may need to connect directly to the Cato Cloud rather than through the account’s servers. In these cases, users might encounter connectivity problems or be unable to access internal resources.

For example, if you configure DNS settings for the site rather than for the individual users, users can’t access these internal resources in your domain. This is because the DNS server can’t resolve DNS queries for Cato Clients, since they aren't connected to the site. You can easily resolve this issue by configuring the DNS settings for specific users.

To customize DNS settings for a user:

  1. From the navigation menu, click Access > Client Access.

  2. In the User list, select the check box next to the user's name.

  3. From the navigation menu, click User Settings > DNS.

  4. Enter the IP addresses for the Primary DNS (required) and Secondary DNS (optional) servers.

  5. Optional: In the DNS Suffix section, enter the suffix to append.

  6. Click Save.
