Overview
This document describes how to configure your network to use DNS Defense Cloud in a network managed with Unix Servers - using DHCP or an existing DNS Server. If you need assistance configuring your environment to enable DNS Defense Cloud, you can contact our support team.
Prerequisites
Before changing your configuration, ensure that DNS queries can be sent to the ThreatSTOP DNS Server IP address from the existing network:
- From a computer with the same public IP address as the computers that will send DNS requests (endpoints or existing DNS server), open a Windows Powershell
- Use nslookup to test a DNS query, e.g.:
$ nslookup example.com THREATSTOP_SERVER
Address: THREATSTOP_SERVER
Non-authoritative answer:
Name: example.com
Addresses: 93.184.216.34
If the query times out, please refer to the DNS Defense Cloud configuration documentation.
ISC DHCP
If you are using the ISC DHCP Server on a Unix system, changing the DNS server used by DHCP client endpoints is done by changing the Name Server setting in the Server Options. This maybe done at the server level or on a per-scope basis.
If you are using multiple DHCP servers, the following steps need to be repeated for each DHCP server.
- Locate the DHCP server configuration file, e.g. /etc/dhcp/dhcpd.conf.
- The DNS server is configured with the domain-name-servers option.
- It may be configured on a global basis or set independently for each subnet.
- To start using DNS Defense Cloud, set the domain-name-servers settings to the ThreatSTOP Service IP Addresses
- Save the configuration file and restart the DHCP service
- Debian: sudo systemctl restart isc-dhcp-server
- Red Hat: sudo systemctl restart dhcpd
option domain-name-server a.b.c.d, e.f.g.h;
subnet 192.168.1.0 netmask 255.255.255.0 {
range 192.168.1.1 192.168.1.254;
option routers 192.168.1.1;
option domain-name-servers a.b.c.d, e.f.g.h;
}
When DHCP clients renewal their lease, the new server setting will be applied and they will be protected by DNS Defense Cloud.
Unix Server: DNS Server (BIND)
If you are using a BIND DNS Server, it may be configured in one of three modes:
- as a recursor, performing DNS queries with authoritative DNS servers
- as a forward-only server, sending DNS queries to one or more upstream DNS server(s).
- as a forwarder with fallback to recursor mode if forwarders are not responding.
To find out your current mode:
- Locate the options in your BIND configuration file(s), typically:
- Debian: /etc/bind/named.conf.options.
- Red Hat: /etc/named.conf.
- In the options section, check if the forwarders and forward parameters are configured.
Forwarders option | Forward option | Mode |
---|---|---|
No | Not applicable | Recursor |
Yes | only | Forward-Only |
Yes | first | Forward with fallback |
DNS Defense Cloud configuration
To start using DNS Defense Cloud, you will need to use the DNS servers as forwarders. You can choose to set forward to first to fallback to recursor mode although the DNS Policy is not applied to queries sent in recursor mode.
Server in Recursor mode
To enable DNS Defense Cloud:
- edit the options in the BIND configuration.
- set the forwarders to the DNS Defense Cloud Service IP addresses.
- set forward to only or first.
- reconfigure BIND
Forward-Only and Forward (with fallback)
To enable DNS Defense Cloud:
- edit the options in the BIND configuration.
- remove the existing forwarder IP addresses
- set the forwarders to the DNS Defense Cloud Service IP addresses.
- reconfigure BIND
Unix Server: DNS Server (PowerDNS)
If you are using a PowerDNS Recursor DNS Server, it may be configured in one of three modes:
- as a recursor only
- as a forwarder for all domain names
- as a forwarder for selected domain names
To find out your current mode, review the forward-zones-recurse setting in your PowerDNS configuration file, typically /usr/local/etc/powerdns/pdns-recursor.conf or /etc/pdns-recursor/recursor.conf. The setting contains a list of zone name and DNS forwarder IP addresses.
Setting value | Mode |
---|---|
Not set | Recursor |
.=IP_ADDRESS | All queries are forwarded |
zone_name=IP_ADDRESS | Queries for zone_name are forwarded |
DNS Defense Cloud configuration
To start using DNS Defense Cloud, you will need to use the DNS servers as forwarders. You can choose to forward queries for specific zones only although the ThreatSTOP DNS Policy is not applied to queries sent to other DNS servers.
To enable DNS Defense Cloud:
- edit the forward-zones-recurse setting setting in the PowerDNS Recursor configuration.
- to forward all zones, set the value to forward-zones-recurse=.=THREATSTOP_IP_ADDR_1;THREATSTOP_IP_ADDR_2
- to forward specific zones only, replace the value of the existing forwarders with the ThreatSTOP DNS Service IP Addresses.
- restart PowerDNS Recursor, e.g. systemctl restart pdns-recursor