You can find the DNS Settings at Services → DNS.
The Domain Name System is mainly used to translate more readable domain names to their numerical IP addresses.
16.7.1. General Settings
On this page the DNS server can be enabled or disabled. SSL/TLS is enabled by default, using the VT AIR certificate on port 853. You can change Interfaces In and Interfaces Out and the Port DNS runs on. The Local Zone Type can be configured and is set to Transparent by default. The DNSSEC option controls the Domain Name System Security Extensions; if PTR Records is enabled, PTR records for Host Overrides are added automatically. DHCP Registration registers the DHCP leases in the DNS server, while Static DHCP Registration registers the DHCP Host Reservations in the DNS server.
By default the DNS server queries the DNS root servers directly and does not forward traffic to other servers. If DNS Forward is enabled, you can add multiple DNS Forward Servers, each with an IP address; these are then used instead of the root servers.
You can export the settings in the top right corner as an Excel spreadsheet.
16.7.2. Advanced Settings
Hide Identity: if enabled, id.server and hostname.bind queries are refused.
Hide Version: if enabled, version.server and version.bind queries are refused.
Unwanted Reply Threshold: if set, a total number of unwanted replies is kept track of in every thread. When it reaches the threshold, a defensive action is taken and a warning is printed to the log.
TTL for Host Cache Entries: time to live for entries in the host cache. The host cache contains round-trip timing, lameness and EDNS support information.
Number of Queries per Thread: the number of queries that every thread will service simultaneously.
Jostle Timeout: timeout used when the server is very busy. Set it to a value that usually results in one round trip to the authority servers.
Harden DNSSEC Data: require DNSSEC data for trust-anchored zones; if such data is absent, the zone becomes bogus.
DNS Server Override: allow the DNS server list to be overridden by DHCP/PPP on WAN.
Custom Host Entries: for custom host or domain entries. They are copied into the configuration directly.
Custom Options: custom configuration parameters can be defined here. Please refer to the Unbound documentation.
16.7.3. Host Overrides
They allow the configuration of a specific DNS entry for a particular host.
16.7.4. Domain Overrides
They allow the configuration of a specific DNS server for a particular domain. If you define a domain multiple times, all of its DNS servers are used together.
16.7.5. DNS Firewall
Since most web traffic is encrypted, the most effective way to block access to websites is DNS blocklisting. For a blocked domain, a fake IP address is sent back to your client.
VT AIR provides lists of domains in a few categories for you to choose from, and you can add your own domains and hostnames.
Blocklist Categories allow you to block hosts by different categories.
You can select from the categories: Fakenews, Social, Gambling and Porn. The category Adware and Malware is enabled by default and can’t be disabled. Update Interval is set to weekly by default and can be changed to daily or monthly.
You can add three other blocklists: Easylist, DOH and Spamhaus. Each list can be enabled independently of each other.
Multiple Custom Blocklist entries can be added, each with a hostname or domain. Each one can be enabled or disabled independently of the categories.
All subdomains of the entered domain or hostname will be included in the blocklist.
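The matching rule described above (a blocked entry covers itself and all of its subdomains, the Adware and Malware category cannot be disabled, and custom entries are switched independently of the categories), as an added Python illustration that is not VT AIR's own code. The category contents, the custom entries and the sinkhole address 0.0.0.0 are constructed sample values; the real fake IP the device returns is not documented here.

```python
from typing import Iterator, Optional

# Assumed sinkhole address returned for blocked names (placeholder, not VT AIR's value).
SINKHOLE_IP = "0.0.0.0"

# Constructed sample categories; "Adware and Malware" is always on, as on the page.
BLOCKLISTS = {
    "Adware and Malware": {"enabled": False, "domains": {"ads.example", "tracker.example.net"}},
    "Social": {"enabled": False, "domains": {"social.example"}},
    "Gambling": {"enabled": True, "domains": {"bets.example"}},
}
# Constructed custom entries, each with its own enable flag.
CUSTOM_BLOCKLIST = [
    {"entry": "forbidden.example", "enabled": True},
    {"entry": "old.example", "enabled": False},
]
ALWAYS_ON = {"Adware and Malware"}


def normalize(name: str) -> str:
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().rstrip(".").lower()


def is_under(qname: str, entry: str) -> bool:
    """True if qname equals entry or is a subdomain of it (label boundary respected)."""
    q, e = normalize(qname), normalize(entry)
    return q == e or q.endswith("." + e)


def active_entries() -> Iterator[str]:
    """Yield every entry currently enforced: enabled categories (or forced-on ones) and enabled custom entries."""
    for name, cat in BLOCKLISTS.items():
        if cat["enabled"] or name in ALWAYS_ON:
            yield from cat["domains"]
    for item in CUSTOM_BLOCKLIST:
        if item["enabled"]:
            yield item["entry"]


def match_blocklist(qname: str) -> Optional[str]:
    """Return the blocklist entry covering qname, or None if nothing matches."""
    for entry in active_entries():
        if is_under(qname, entry):
            return normalize(entry)
    return None


def answer_for(qname: str) -> Optional[str]:
    """Sinkhole IP for blocked names; None means 'resolve normally'."""
    return SINKHOLE_IP if match_blocklist(qname) is not None else None
```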
16.7.5.1. Blocklist Details
Each blocklist has a Blocklist Details button which opens a modal with detailed information. All hosts and IPs of that blocklist are listed here.
16.7.6. Redirect DNS Requests
You can redirect all DNS requests to your VT AIR device and block other DNS servers (especially outside of your network). To do so go to Firewall → NAT → DNAT and click Add.
Select the Interface of your local network e.g. LAN, TCP/UDP as Protocol and the Address Family you want your rule to be active on.
Enable Invert IP Match and select LAN_Address and Port DNS (53) as the Destination. This matches all DNS requests that are not targeted at the local DNS server.
Select Localhost and DNS (53) as the Redirect IP and Port. This redirects all DNS requests to your VT AIR device. Enable Associate Firewall Rule and set NAT Reflection to Disabled.
If you redirect outside DNS requests this way, the Blocklist feature described above applies to every device in your network without configuring each device individually.
16.7.7. DNS Troubleshooting
If you use a forward server that returns private IP addresses, those answers are rejected because the DNS server treats them as a DNS rebind attack. To disable the check for particular domains, declare them as private in the Custom Host Entries field with private-domain: "mydomain.ending".
If you use an internet load balancer (more than one WAN at the same time), you need to provide an upstream DNS server and change the mode to forwarding. Otherwise DNS requests might not be answered correctly and you will see hangs in DNS resolution.
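The rebind check from the troubleshooting note above, and the private-domain entry placed in the Custom Host Entries field (Advanced Settings), as an added Python illustration that is not VT AIR's or Unbound's code. The Custom Host Entries text and the domain corp.example are constructed; the set of ranges treated as private is an assumption standing in for the resolver's configured private-address ranges.

```python
import ipaddress

# Constructed sample of what the Custom Host Entries field might hold (unbound.conf-style lines).
CUSTOM_HOST_ENTRIES = """
# internal zone that legitimately resolves to RFC 1918 space
private-domain: "corp.example"
local-data: "printer.corp.example. A 10.0.0.5"
"""

# Assumed private ranges (stand-in for the resolver's private-address configuration).
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "fd00::/8", "fe80::/10",
)]


def normalize(name: str) -> str:
    return name.strip().rstrip(".").lower()


def parse_private_domains(text: str) -> set:
    """Collect the domains declared with private-domain: in the custom entries text."""
    domains = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line.startswith("private-domain:"):
            continue
        value = line.split(":", 1)[1].strip().strip('"')
        if value:
            domains.add(normalize(value))
    return domains


def is_under(qname: str, domain: str) -> bool:
    q, d = normalize(qname), normalize(domain)
    return q == d or q.endswith("." + d)


def rebind_verdict(qname: str, answer_ip: str, private_domains: set) -> str:
    """'accept' or 'reject' for an upstream answer: private addresses are rejected
    unless the queried name lies under a declared private-domain."""
    addr = ipaddress.ip_address(answer_ip)
    if not any(addr in net for net in PRIVATE_RANGES):
        return "accept"                               # public answers are never a rebind concern
    if any(is_under(qname, d) for d in private_domains):
        return "accept"                               # explicitly allowed zone
    return "reject"
```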