DNS translation
Using this feature, you can translate a DNS resolved IP address to another IP address you specify.
For example, website A has a public address 1.2.3.4. However, when your internal network users visit this website, you want them to connect to an internal host, say, 192.168.3.4. In this case, you can use DNS translation to translate the DNS-resolved address 1.2.3.4 to 192.168.3.4. DNS translation also works in reverse: if you want public DNS queries for your internal server to return a public IP address, you can translate the DNS-resolved private IP to a public IP address.
Sample configuration
This example configuration forces the DNS Filter profile to translate 93.184.216.34 (www.example.com) to 192.168.3.4. So when internal network users perform a DNS query for www.example.com, they do not get the original www.example.com IP of 93.184.216.34; it is replaced with 192.168.3.4.
To configure DNS translation on GUI:
- Go to Security Profiles > DNS Filter and edit or create a DNS Filter profile.
- Enable DNS Translation and click Create New.
- Enter the Original Destination (the domain’s original IP address), the Translated Destination IP address, and the Network Mask (in most cases, it’s 255.255.255.255).
To configure DNS translation on CLI:
config dnsfilter profile
    edit "demo"
        set comment ''
        ...
        config dns-translation        <<<==== DNS translation entry
            edit 1
                set src 93.184.216.34
                set dst 192.168.3.4
                set netmask 255.255.255.255
            next
        end
        set redirect-portal 0.0.0.0
        set redirect-portal6 ::
        set youtube-restrict strict
    next
end
To check the resolved address with a command-line tool before DNS translation is applied:
# dig www.example.com
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 27030
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 2; ADDITIONAL: 0

;; QUESTION SECTION:
;; www.example.com.                 IN      A

;; ANSWER SECTION:
www.example.com.        33946   IN      A       93.184.216.34

;; AUTHORITY SECTION:
example.com.            18578   IN      NS      b.iana-servers.net.
example.com.            18578   IN      NS      a.iana-servers.net.

;; Received 97 B
;; Time 2019-04-08 10:47:26 PDT
;; From 172.16.95.16@53(UDP) in 0.5 ms
To check the resolved address with a command-line tool after DNS translation is applied:
# dig www.example.com
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 62060
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 2; ADDITIONAL: 0

;; QUESTION SECTION:
;; www.example.com.                 IN      A

;; ANSWER SECTION:
www.example.com.        32491   IN      A       192.168.3.4    <<<==== resolved IP translated

;; AUTHORITY SECTION:
example.com.            17123   IN      NS      b.iana-servers.net.
example.com.            17123   IN      NS      a.iana-servers.net.

;; Received 97 B
;; Time 2019-04-08 11:11:41 PDT
;; From 172.16.95.16@53(UDP) in 0.5 ms
How the DNS translation network mask works
The following example shows a DNS translation entry with a netmask of 255.255.224.0 and the result it produces.
config dns-translation
    edit 1
        set src 93.184.216.34
        set dst 1.2.3.4
        set netmask 255.255.224.0
    next
end
# dig www.example.com
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 6736
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 2; ADDITIONAL: 0

;; QUESTION SECTION:
;; www.example.com.                 IN      A

;; ANSWER SECTION:
www.example.com.        29322   IN      A       1.2.24.34

;; AUTHORITY SECTION:
example.com.            13954   IN      NS      a.iana-servers.net.
example.com.            13954   IN      NS      b.iana-servers.net.

;; Received 97 B
;; Time 2019-04-08 12:04:30 PDT
;; From 172.16.95.16@53(UDP) in 2.0 ms
- Step 1: AND src (the original IP) with the inverted netmask (93.184.216.34 & ~255.255.224.0):
01011101.10111000.11011000.00100010   93.184.216.34    <- ip
00000000.00000000.00011111.11111111   ~255.255.224.0   <- ~netmask
-----------------------------------   &
00000000.00000000.00011000.00100010   0.0.24.34        <- right bits
- Step 2: AND dst (the translated IP) with the netmask (1.2.3.4 & 255.255.224.0):
00000001.00000010.00000011.00000100   1.2.3.4          <- dst
11111111.11111111.11100000.00000000   255.255.224.0    <- netmask
-----------------------------------   &
00000001.00000010.00000000.00000000   1.2.0.0          <- left bits
- Step 3: bitwise-OR the results of step 1 and step 2:
00000000.00000000.00011000.00100010   0.0.24.34        <- right bits
00000001.00000010.00000000.00000000   1.2.0.0          <- left bits
-----------------------------------   |
00000001.00000010.00011000.00100010   1.2.24.34        <- translated answer
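The bit arithmetic above, and the exact-match /32 entry from the sample configuration, carried through in Python as an added example; this is not FortiOS code and is not how the firewall implements the feature internally. The functions `bits`, `translation_steps` and `apply_dns_translation` and the sample entries `EXACT_ENTRY` and `RANGE_ENTRY` are this example's own names. The rule for when an entry matches a resolved address (the resolved address and `src` agree on every bit covered by `netmask`) is an assumption, not something the page states; it is chosen so that the 255.255.255.255 entry rewrites only 93.184.216.34 and the 255.255.224.0 entry rewrites the whole 93.184.192.0/19 range, which generalizes the single address the page shows.

```python
import ipaddress

MASK32 = 0xFFFFFFFF


def _ip_int(addr: str) -> int:
    """Dotted-quad IPv4 string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def _int_ip(value: int) -> str:
    """32-bit integer -> dotted-quad IPv4 string."""
    return str(ipaddress.IPv4Address(value & MASK32))


def bits(addr: str) -> str:
    """Render an address as four 8-bit groups, the layout used on the page."""
    value = _ip_int(addr)
    return ".".join(f"{(value >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))


def translation_steps(resolved: str, dst: str, netmask: str) -> dict:
    """The three steps of the page's worked example, as dotted-quad strings.

    Step 1 keeps the bits of the resolved address outside the netmask
    ("right bits"), step 2 takes the bits of dst inside the netmask
    ("left bits"), step 3 ORs the two together.
    """
    r, d, m = _ip_int(resolved), _ip_int(dst), _ip_int(netmask)
    right = r & (~m & MASK32)      # step 1: resolved & ~netmask
    left = d & m                   # step 2: dst & netmask
    return {
        "right_bits": _int_ip(right),
        "left_bits": _int_ip(left),
        "result": _int_ip(right | left),   # step 3: right | left
    }


def apply_dns_translation(resolved: str, entries: list) -> str:
    """Apply the first matching dns-translation entry to a resolved A record.

    Each entry is a dict with the same keys as the CLI: src, dst, netmask.
    Assumption (not stated on the page): an entry matches when the resolved
    address and src agree on every bit covered by netmask, so 255.255.255.255
    is an exact match and 255.255.224.0 matches the whole /19. If no entry
    matches, the answer is returned unchanged.
    """
    r = _ip_int(resolved)
    for entry in entries:
        m = _ip_int(entry["netmask"])
        if (r & m) == (_ip_int(entry["src"]) & m):
            return translation_steps(resolved, entry["dst"], entry["netmask"])["result"]
    return resolved


# Constructed sample entries mirroring the two configurations on the page.
EXACT_ENTRY = {"src": "93.184.216.34", "dst": "192.168.3.4", "netmask": "255.255.255.255"}
RANGE_ENTRY = {"src": "93.184.216.34", "dst": "1.2.3.4", "netmask": "255.255.224.0"}


if __name__ == "__main__":
    steps = translation_steps("93.184.216.34", "1.2.3.4", "255.255.224.0")
    for name, value in steps.items():
        print(f"{name:>10}: {bits(value)}  {value}")
    # Exact-match entry: only the one address is rewritten.
    print(apply_dns_translation("93.184.216.34", [EXACT_ENTRY]))   # 192.168.3.4
    print(apply_dns_translation("93.184.216.35", [EXACT_ENTRY]))   # unchanged
    # /19 entry: every address in 93.184.192.0/19 lands in 1.2.0.0/19.
    print(apply_dns_translation("93.184.216.34", [RANGE_ENTRY]))   # 1.2.24.34
    print(apply_dns_translation("93.184.220.1", [RANGE_ENTRY]))    # 1.2.28.1
    print(apply_dns_translation("93.184.250.1", [RANGE_ENTRY]))    # unchanged
```

The practical point for anyone reviewing such a profile: a netmask shorter than 255.255.255.255 does not translate one host, it maps an entire block of resolved addresses onto the corresponding block under `dst`, keeping the host bits. Before shortening the mask, enumerate which addresses your users actually resolve inside that block and confirm the rewritten range is one you intend them to reach.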