Configuring the DNS Control Policy

Configuring a DNS Control rule provides you with greater control over your DNS traffic.

Prerequisites

  • Ensure that you have configured any resources that the policy rules will reference: 
  • Ensure you have set up your internal DNS servers to provide the level of control you want. With an iterative configuration of your internal DNS server, the service can identify the user, group, and department a DNS request comes from, so you can define and enforce policies by user, group, department, location, and time. With a recursive configuration, the internal DNS server resolves queries on behalf of its clients, so the service sees only the DNS server's own address rather than the requesting user's, and rules can be applied only by location and time.

Non-English characters are not supported in DNS Control rules, with the exception of those from the ISO/IEC 8859-1 character set.

Adding a DNS Control Rule

To configure a DNS Filtering policy rule, follow the instructions below.

  1. Go to Policy > Firewall > DNS Control.
  2. Click Add DNS Filtering Rule.
  3. Enter the rule attributes:
    • Rule Order: The firewall automatically assigns the Rule Order number. Policy rules are evaluated in ascending numerical order (Rule 1 before Rule 2, and so on), and the Rule Order reflects this rule’s place in the order. You can change the value, but if you’ve enabled Admin Rank, your assigned admin rank determines the Rule Order values you can select.
    • Admin Rank: Choose your Admin Rank. This option appears only if you enabled Admin Ranking in the Advanced Settings page.
    • Rule Name: The firewall automatically creates a Rule Name, which you can change. The maximum length is 31 characters. (Avoid using the names of rules that were previously deleted. If you do, the service will display the logs for the deleted rule and the new rule when you view the logs.)
    • Rule Status: By default, Rule Status shows that the rule is enabled. An enabled rule is actively enforced. A disabled rule is not actively enforced but does not lose its place in the Rule Order. The service skips it and moves to the next rule.
  4. Define the criteria:
    • In the Who, Where, & When tab, you can choose the Users, Groups, Departments, and Locations to which this rule applies. You can select Any to select all items, or select specific items. You can search for items or click the Add icon to add an item.
      From the Time menu, choose the time interval during which the rule applies. Select Always to apply this rule to all time intervals, or select up to two time intervals. You can search for a time interval or click the Add icon to add a new time interval.
      If you've enabled the policy for unauthenticated users under Advanced Settings, and want to apply this rule to any unauthenticated traffic, see How do I configure the policy for unauthenticated traffic?
    • In the Source IPs tab, you can do the following:
      • Select any number of Source IP Groups that you want to control with this rule.
      • To specify IP addresses, enter any of the following:
        • An individual IP address, such as 192.0.2.1.
        • A subnet, such as 192.0.2.0/24.
        • An IP address range, such as 192.0.2.1 - 192.0.2.5.
    • In the Destination/Resolved IPs tab, you can do the following:
      • Select any number of Destination Server IP Groups that you want to control with this rule.
      • To specify IP addresses, enter any of the following:
        • An individual IP address, such as 192.0.2.1.
        • A subnet, such as 192.0.2.0/24.
        • An IP address range, such as 192.0.2.1 - 192.0.2.5.
    • In the DNS Application tab, you can do the following: 
      • DNS Tunnels & Network Apps: Select any tunnels that you wish to control. Tunnels are categorized as Commonly Allowed DNS Tunnels, Commonly Blocked DNS Tunnels, or Unknown DNS Tunnels. To learn more, see About DNS Tunnel Detection.
        In addition to controlling tunneling traffic, you can also include specific Web pages, Social Networking sites, Search Engines, or Network Services that you wish to control at the DNS level. 
      • DNS Application Groups: Select any DNS Application Groups that you want to control. To learn more, see About DNS Applications Groups and Adding DNS Application Groups.
      • Resolved IP-Based Countries: Select the countries you want to control. Destinations are identified by the geographic location of the server the domain resolves to. 
      • Requested Domain/Resolved IP Categories: Select the URL categories that you want to control. Destinations are identified by the URL category of the requested domain. 
      • DNS Request Type: Select the DNS request types you want to control. 

You can select Any to select all items in a category or select specific items by clicking the checkbox. You can also search for items. For DNS Tunnels & Network Apps and Requested Domain/Resolved IP Categories, selecting a parent category will include all of its members. For example, if you select Commonly Allowed DNS Tunnels as part of your rule, then all tunnels listed as commonly allowed will be included.

By default, Any is selected for all categories in this tab.

  5. Choose the Action that the Zscaler service takes when a session matches the criteria.
    • Allow: Allows the DNS requests and responses.
    • Block: Silently blocks all DNS requests and responses.
    • Redirect Request: Redirects the DNS request to the specified DNS server. This applies only to the request phase of a DNS transaction. 
      In the DNS Server IP Address field, enter the IP address of the DNS server to which the DNS request is redirected.
    • Redirect Response: Replaces the resolved IP address in the DNS response with the specified IP address. This applies only to the response phase of a DNS transaction.
      In the IP Address field, enter the IP address that replaces the resolved address in the DNS response returned to the client.
    The Zscaler firewall service logs all sessions of the rule individually, except HTTP(S). This option cannot be changed.
  6. Optionally, enter additional notes or information. The description cannot exceed 10,240 characters.
  7. Click Save and activate the change.
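The procedure above describes an evaluation model (ascending Rule Order, disabled rules skipped but keeping their slot, first matching enabled rule decides the Action, three accepted Source IP forms). The following is an added example written for this page, not Zscaler code or its API: a small Python model of that evaluation. The Rule and DnsRequest field names, the sample policy and the sample requests are constructed assumptions; the fallback to Allow when no rule matches is also an assumption, which is why the sample policy ends with an explicit catch-all rule.

```python
"""Added example: a minimal model of DNS Control rule evaluation.

Illustration code for this page, not Zscaler's implementation or object
model. Field names, sample rules and sample requests are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def parse_ip_entry(text: str) -> Tuple[int, int, int]:
    """Parse one Source/Destination IP entry into (ip version, low, high).

    Accepts the three forms the page lists: an individual address, a CIDR
    subnet, or a hyphenated range such as "192.0.2.1 - 192.0.2.5".
    """
    text = text.strip()
    if "-" in text:
        lo_s, hi_s = text.split("-", 1)
        lo = ipaddress.ip_address(lo_s.strip())
        hi = ipaddress.ip_address(hi_s.strip())
        if hi.version != lo.version or hi < lo:
            raise ValueError(f"bad range: {text!r}")
        return lo.version, int(lo), int(hi)
    if "/" in text:
        net = ipaddress.ip_network(text, strict=False)
        return net.version, int(net.network_address), int(net.broadcast_address)
    addr = ipaddress.ip_address(text)
    return addr.version, int(addr), int(addr)


def ip_matches(addr: str, entries: List[str]) -> bool:
    """True if addr lies inside any entry; an empty entry list means Any."""
    if not entries:
        return True
    a = ipaddress.ip_address(addr)
    for entry in entries:
        version, lo, hi = parse_ip_entry(entry)
        if version == a.version and lo <= int(a) <= hi:
            return True
    return False


@dataclass
class Rule:
    order: int                                   # Rule Order
    name: str                                    # Rule Name
    action: str                                  # "Allow", "Block", "Redirect Request"
    enabled: bool = True                         # Rule Status
    source_ips: List[str] = field(default_factory=list)     # [] means Any
    request_types: List[str] = field(default_factory=list)  # [] means Any
    dns_server: Optional[str] = None             # target for Redirect Request


@dataclass
class DnsRequest:
    source_ip: str
    qname: str
    qtype: str                                   # mnemonic such as "A" or "TXT"


def evaluate(rules: List[Rule], req: DnsRequest) -> Tuple[Optional[str], str, Optional[str]]:
    """Return (rule name, action, redirect target) from the first matching rule.

    Rules are sorted by Rule Order, so the input list order does not matter.
    Assumption for this example: with no match the request is allowed.
    """
    for rule in sorted(rules, key=lambda r: r.order):
        if not rule.enabled:
            continue            # disabled: keeps its slot, but is skipped
        if not ip_matches(req.source_ip, rule.source_ips):
            continue
        if rule.request_types and req.qtype.upper() not in rule.request_types:
            continue
        return rule.name, rule.action, rule.dns_server
    return None, "Allow", None


# Constructed sample policy: rule 1 is disabled on purpose to show the skip.
SAMPLE_POLICY = [
    Rule(1, "Block everything (disabled)", "Block", enabled=False),
    Rule(2, "Redirect lab A/AAAA lookups", "Redirect Request",
         source_ips=["192.0.2.1 - 192.0.2.5"], request_types=["A", "AAAA"],
         dns_server="198.51.100.53"),
    Rule(3, "Block TXT from the guest subnet", "Block",
         source_ips=["192.0.2.0/24"], request_types=["TXT"]),
    Rule(4, "Allow all", "Allow"),
]

if __name__ == "__main__":
    for r in (DnsRequest("192.0.2.3", "example.com", "A"),
              DnsRequest("192.0.2.3", "example.com", "TXT"),
              DnsRequest("192.0.2.200", "example.com", "A")):
        print(r.source_ip, r.qtype, "->", evaluate(SAMPLE_POLICY, r))
```

Re-enabling the first rule makes every request hit it, which is the behaviour to expect from a broad Block placed high in the order; the disabled rule still occupies Rule Order 1, so re-enabling it needs no renumbering.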

After adding rules to the DNS Control Policy, you may also need to do the following before enabling the firewall for your locations.

DNS Request Type  Description
A                 IPv4 address record
A6                IPv6 address record (obsolete; superseded by AAAA)
AAAA              IPv6 address record
AFSDB             AFS database record
APL               Address prefix list
ATMA              Asynchronous Transfer Mode address
CDNSKEY           Child DNSKEY
CDS               Child DS
CERT              Certificate record
CNAME             Canonical name record
DHCID             DHCP identifier
DNAME             Non-terminal DNS name redirection
DNSKEY            DNS key record
DS                Delegation signer
EID               DNS endpoint identifier record
GPOS              Geographical position record
HINFO             Host information record
HIP               Host Identity Protocol record
IPSECKEY          IPsec key
ISDN              ISDN address record
KEY               Key record
KX                Key exchanger record
LOC               Location record
MB                Mailbox record
MD                Mail destination record (obsolete)
MF                Mail forwarding record (obsolete)
MG                Mail group member record
MINFO             Mailbox or mail list record
MR                Renamed mailbox record
MX                Mail exchanger record
NAPTR             Naming authority pointer
NIMLOC            Nimrod locator record
NINFO             DNS zone status information
NS                Name server record
NSAP              NSAP address record
NSAP_PTR          Pointer to an NSAP address record
NSEC              Next secure record
NSEC3             Next secure record version 3
NSEC3PARAM        NSEC3 parameters
NULL              Null resource record
NXT               Next domain record (obsolete; replaced by NSEC)
OPENPGPKEY        OpenPGP public key record
OPT               EDNS(0) option pseudo-record
PTR               Pointer record
PX                X.400 mail mapping information
RKEY              Resource key record for keys that encrypt NAPTR records
RP                Responsible person
RRSIG             DNSSEC signature
RT                Route through record
SIG               Signature record
SINK              Record for the storage of miscellaneous structured information
SOA               Start of authority record
SRV               Service locator
SSHFP             SSH public key fingerprint
TALINK            Trust anchor link
TXT               Text record
TLSA              TLSA certificate association
WKS               Well-known service description
X25               X.25 PSDN address
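The DNS Request Type criterion acts on the QTYPE field of the query's question section, and OPT (listed above) is not a question type at all but an EDNS(0) pseudo-record carried in the additional section. The following is an added example written for this page, not Zscaler code: it builds a DNS query in wire format (RFC 1035 header and question, optionally with an RFC 6891 OPT record) and parses it back, reporting the mnemonic from the table. The numeric type codes are the IANA-assigned values; the sample queries and the QTYPES subset are constructed for the example.

```python
"""Added example: where the "DNS Request Type" lives on the wire.

Illustration code for this page, not Zscaler's implementation. Builds and
parses a DNS query so the QTYPE field and the EDNS(0) OPT pseudo-record in
the additional section can be seen directly. Sample queries are constructed.
"""
import struct
from typing import Dict, List, Optional, Tuple

# IANA RR type numbers for a subset of the mnemonics in the table above.
QTYPES: Dict[int, str] = {
    1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 10: "NULL", 12: "PTR", 13: "HINFO",
    15: "MX", 16: "TXT", 17: "RP", 24: "SIG", 25: "KEY", 28: "AAAA", 29: "LOC",
    33: "SRV", 35: "NAPTR", 37: "CERT", 38: "A6", 39: "DNAME", 41: "OPT",
    43: "DS", 44: "SSHFP", 46: "RRSIG", 47: "NSEC", 48: "DNSKEY", 50: "NSEC3",
    51: "NSEC3PARAM", 52: "TLSA", 59: "CDS", 60: "CDNSKEY", 61: "OPENPGPKEY",
}
OPT_TYPE = 41


def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname: str, qtype: int, txid: int = 0x1234, edns: bool = True) -> bytes:
    """Build a standard query (RD set); ARCOUNT is 1 when an OPT record is added."""
    arcount = 1 if edns else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    additional = b""
    if edns:
        # OPT: root name, TYPE=41, CLASS field carries the UDP payload size,
        # TTL field carries extended RCODE/version/flags, empty RDATA.
        additional = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0, 0)
    return header + question + additional


def decode_name(buf: bytes, off: int) -> Tuple[str, int]:
    """Decode labels at off; follows a compression pointer if one appears."""
    labels: List[str] = []
    while True:
        ln = buf[off]
        off += 1
        if ln == 0:
            break
        if (ln & 0xC0) == 0xC0:                   # 2-byte pointer ends the name
            ptr = ((ln & 0x3F) << 8) | buf[off]
            tail, _ = decode_name(buf, ptr)
            labels.append(tail)
            off += 1
            break
        labels.append(buf[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), off


def parse_query(buf: bytes) -> dict:
    """Return the questions (name, QTYPE mnemonic) and the EDNS UDP size, if any."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    off = 12
    questions = []
    for _ in range(qd):
        name, off = decode_name(buf, off)
        qtype, _qclass = struct.unpack("!HH", buf[off:off + 4])
        off += 4
        questions.append((name, QTYPES.get(qtype, f"TYPE{qtype}")))
    edns_size: Optional[int] = None
    for _ in range(an + ns + ar):                  # all RRs share one fixed layout
        _, off = decode_name(buf, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            edns_size = rclass                     # OPT reuses CLASS as payload size
    return {"id": txid, "rd": bool(flags & 0x0100),
            "questions": questions, "edns_udp_size": edns_size}


if __name__ == "__main__":
    print(parse_query(build_query("example.com", 16)))
    print(parse_query(build_query("example.com", 28, edns=False)))
```

Unknown codes are reported as TYPEnnn, the RFC 3597 convention, which is what a filter should expect from tooling that sends types the table does not name.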