15.7. DNS

You can find the DNS Settings at Services → DNS.

The Domain Name System is mainly used to translate more readable domain names to their numerical IP addresses.

15.7.1. General Settings

On this page the DNS server can be enabled or disabled. You can change Interfaces In and Interfaces Out and the Port on which DNS runs. The Local Zone Type can be configured and is set to Transparent by default. The option DNSSEC controls the Domain Name System Security Extensions, and if PTR Records is enabled, PTR records for Host Overrides are added automatically. DHCP Registration registers the DHCP leases in the DNS server, while Static DHCP Registration registers the DHCP Host Reservations in the DNS server.

By default the DNS server queries the DNS root servers and does not forward traffic to other servers. If DNS Forward is enabled, you can add multiple DNS Forward Servers, each with an IP address, and those are used instead of the root servers.

15.7.2. Advanced Settings

Hide Identity: if enabled, id.server and hostname.bind queries are refused.

Hide Version: if enabled, version.server and version.bind queries are refused.

Unwanted Reply Threshold: if set, the total number of unwanted replies is tracked in every thread. When it reaches the threshold, a defensive action is taken and a warning is printed to the log.

TTL for Host Cache Entries: time to live for entries in the host cache. The host cache contains round-trip timing, lameness and EDNS support information.

Number of Queries per Thread: the number of queries that every thread will service simultaneously.

Jostle Timeout: timeout used when the server is very busy. Set it to a value that usually results in one round trip to the authority servers.

Harden DNSSEC Data: require DNSSEC data for trust-anchored zones; if such data is absent, the zone becomes bogus.

DNS Server Override: allow the DNS server list to be overridden by DHCP/PPP on WAN.

Custom Options: custom configuration parameters can be defined here. Please refer to the Unbound documentation.

15.7.3. Host Overrides

Host Overrides allow you to configure a specific DNS entry for a particular host.

15.7.4. Domain Overrides

Domain Overrides allow you to configure a specific DNS server for a particular domain.

15.7.5. Blocklist

Since most web traffic is encrypted, the most effective way to block access to websites is DNS blocklisting: the DNS server returns a fake IP address to the client for a blocked domain.

VT AIR provides lists of domains in several categories for you to choose from, or you can add your own domains and hostnames.

Categories

Blocklist Categories allow you to block hosts by different categories.

You can select from the categories: Fakenews, Social, Gambling and Porn. The category Adware and Malware is enabled by default and can’t be disabled. Update Interval is set to weekly by default and can be changed to daily or monthly.

Custom

Multiple Custom Blocklist entries can be added, each with a hostname or domain. Each one can be enabled or disabled independently of the categories.

All subdomains of the entered domain or hostname will be included in the blocklist.
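The following Python model, added here as an example and not VT AIR's own code, shows the blocklist semantics described above: an entry matches the name itself and all its subdomains, and matching names receive a fake IP. It also renders the equivalent Unbound local-zone/local-data directives; the sinkhole address 0.0.0.0 is a constructed placeholder.

```python
"""Model of custom blocklist entries: name plus all subdomains -> fake IP."""
from ipaddress import ip_address

FAKE_IP = "0.0.0.0"  # constructed placeholder sinkhole address


def normalize(name: str) -> str:
    """Lowercase, trim whitespace and drop a trailing dot: 'WWW.Example.COM.' -> 'www.example.com'."""
    return name.strip().lower().rstrip(".")


def minimize(entries):
    """Return the entries with redundant ones removed: 'ads.example.com' adds
    nothing when 'example.com' is already listed, because a listed domain
    covers every subdomain.  Shorter (parent) names are considered first."""
    names = sorted({normalize(e) for e in entries if e.strip()},
                   key=lambda n: (n.count("."), n))
    kept = []
    for n in names:
        if not any(n == k or n.endswith("." + k) for k in kept):
            kept.append(n)
    return kept


def is_blocked(qname: str, entries) -> bool:
    """True when qname equals an entry or lies below it in the DNS tree.
    The leading dot in the suffix test keeps 'notexample.com' from matching 'example.com'."""
    q = normalize(qname)
    return any(q == e or q.endswith("." + e) for e in minimize(entries))


def unbound_config(entries, fake_ip: str = FAKE_IP) -> str:
    """Render Unbound directives implementing the same behaviour.
    A 'redirect' local-zone answers the zone apex and every name below it
    with the apex's local-data, i.e. the fake IP for domain and subdomains."""
    addr = ip_address(fake_ip)  # raises ValueError on a malformed address
    rr = "A" if addr.version == 4 else "AAAA"
    lines = []
    for e in minimize(entries):
        lines.append(f'local-zone: "{e}." redirect')
        lines.append(f'local-data: "{e}. {rr} {fake_ip}"')
    return "\n".join(lines)
```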

15.7.6. Redirect DNS Requests

You can redirect all DNS requests to your VT AIR device and block other DNS servers (especially outside of your network). To do so go to Firewall → NAT → DNAT and click Add.

Select the Interface of your local network (e.g. LAN), TCP/UDP as Protocol, and the Address Family for which the rule should be active.

Enable Invert IP Match and select LAN_Address and Port DNS (53) as the Destination. This selects all DNS requests that are not targeted at the local DNS server.

Select Localhost and DNS (53) as the Redirect IP and Port. This redirects all DNS requests to your VT AIR device. Enable Associate Firewall Rule and set NAT Reflection to Disabled.

DNS Request Redirect

If you block outside DNS requests, you can also make effective use of the Blocklist feature described above without configuring each device in your network individually.