milindingle
13 hours ago

Configure a Private DNS server with Cato DNS

Has anyone configured a private DNS server (Windows DNS server) with the Cato default DNS server?

We have a private DNS server to resolve the internal hosts.

But I am a bit confused about how to configure this with Cato DNS.

Any leads would be appreciated.

3 Replies

  • milindingle

    Hey Nath,

    Thanks for the reply.

    So you have configured a DNS forwarding rule on CMA only.

    Also, you have forwarded all the required domains to the private DNS server IP (from CMA), provided you have already mapped the domain name to the IP on the private DNS server.

    Please confirm whether I am correct about the above.

    Waiting for your reply. Thanks!

    • Nath

      Hi.  Our DNS Forwarding rules in the CMA are for all the required private domains and forward to the private DNS Server IP.  

      We have configured the external forwarders on the private DNS server to point to the Cato DNS Servers.  This means if there is a DNS query for something the DNS server cannot resolve locally, i.e. the internet, it uses Cato DNS to resolve.  This is better than using public DNS servers as Cato DNS gives:

      Performance Benefits:

      • Global PoP caching - Cato's DNS service leverages the global PoP locations in the Cato Cloud to provide fast DNS resolution and significantly reduce DNS latency. PoPs store DNS responses in cache, so future requests are served more quickly from the closest PoP to your location.
      • Quick response times - Hosts connecting to the Cato Cloud retrieve DNS responses from the PoP they're connected to (usually the closest one), resulting in very quick response times.

      Security Protections:

      • DNS inspection - Cato's IPS service includes DNS Protection that analyzes DNS requests and responses, providing protections based on reputation, behavioral signatures, and heuristics.
      • Threat blocking - Malicious DNS requests are blocked before any connection is established between the host and malicious servers (no TCP or UDP handshake occurs).
      • Multiple protection types - Includes protection against malicious domains, phishing campaigns, DNS tunneling, and more.

      If you're using DHCP, you can set the DNS servers as the Cato DNS servers.  That will then allow private domains to be forwarded to your private DNS server, and the internet to be forwarded to Cato.

  • Nath

    We set the Windows DNS server external forwarders to be the Cato DNS Servers:
    10.254.254.1
    8.8.8.8

    It works really well for us.

    That was more of a catch-all for us, because the Cato DNS Servers are already configured in the CMA for VPN users, and our DHCP gives out the Cato DNS Servers too.  We added in DNS Forwarding rules to the CMA to match what is on the private DNS server.  It is a bit of duplication, but ensures we have comprehensive coverage of ensuring Cato DNS resolves everything (user devices and non-user devices DNS lookups).
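
The Windows-side half of the setup described in the replies above, as an added example that is not part of the original thread: it sets the external forwarders and then checks that an internal name is answered from the local zone while a public name resolves through each forwarder. The forwarder addresses are the ones listed in the reply; `host1.corp.example` and `example.com` are hypothetical test names, and the script assumes the DNS service listens on 127.0.0.1.

```powershell
# Added example: run in an elevated PowerShell session on the Windows DNS server.
# Uses the DnsServer and DnsClient modules that ship with the DNS Server role.
$Forwarders   = @('10.254.254.1', '8.8.8.8')  # forwarder list as given in the reply above
$InternalName = 'host1.corp.example'          # hypothetical record in a local private zone
$ExternalName = 'example.com'                 # hypothetical public test name

# Forwarder order matters (the first entry is tried first), so compare as ordered strings.
$current = @((Get-DnsServerForwarder).IPAddress | Where-Object { $_ } | ForEach-Object { "$_" })
if (($current -join ',') -ne ($Forwarders -join ',')) {
    Set-DnsServerForwarder -IPAddress $Forwarders
    Write-Host "Forwarders changed: [$($current -join ', ')] -> [$($Forwarders -join ', ')]"
}

# Resolve one name against one server and report success or the error text.
function Test-Resolution {
    param([string]$Name, [string]$Server)
    try {
        $answer = Resolve-DnsName -Name $Name -Server $Server -Type A -DnsOnly -ErrorAction Stop
        $ips = ($answer | Where-Object { $_.Type -eq 'A' }).IPAddress -join ', '
        [pscustomobject]@{ Server = $Server; Name = $Name; Ok = [bool]$ips; Result = $ips }
    } catch {
        [pscustomobject]@{ Server = $Server; Name = $Name; Ok = $false; Result = $_.Exception.Message }
    }
}

$results = @(
    Test-Resolution -Name $InternalName -Server '127.0.0.1'   # answered from the local zone
    Test-Resolution -Name $ExternalName -Server '127.0.0.1'   # has to travel via a forwarder
    foreach ($fw in $Forwarders) {                            # each forwarder reachable on its own
        Test-Resolution -Name $ExternalName -Server $fw
    }
)
$results | Format-Table -AutoSize
if ($results.Ok -contains $false) {
    Write-Warning 'At least one lookup failed; check the forwarder list and the local zones.'
}
```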