
Configuring DNS Filtering

A DNS filtering profile defines the action taken for domain names that match the blacklist, the whitelist, user-defined categories, and predefined categories, so that access to these domain names is allowed or blocked. A remote query server is required to use the remote query function.

Prerequisites

The prerequisites for querying categories on a remote server are as follows:

  • The URL remote query license is activated and valid.

  • The DNS server address is set, and the DNS server can correctly resolve domain name sec.huawei.com.

  • The FW can reach sec.huawei.com.

  • A security policy has been configured to permit the following user-defined service traffic to pass through the FW:

    • TCP: The destination port number is 443 (for interaction with the scheduling center).
    • TCP: The destination port number is 12612 (for interaction with the dispatch server).
    • UDP: The destination port number is 12600 (for interaction with the query server).

Context

The priority of a whitelist is higher than that of a blacklist. The application scenarios of the blacklist and whitelist are as follows:

  • Blacklist

    To improve employee productivity and optimize the use of enterprise network bandwidth, the online behavior of employees needs to be controlled. Employees are not allowed to access entertainment, game, and video websites.

    You can configure a domain name blacklist to prevent users from accessing the specified domain names.

  • Whitelist

    Enterprises have special requirements and do not need to filter requests for certain websites.

    You can configure a domain name whitelist to allow users to access the specified domain names.

The FW has a default DNS filtering profile named default. In the default profile, the default action for the malicious website category is block, and the default action for other categories is permit. You cannot modify or delete the default profile.

When you reference a profile in a security policy, you can view the name of the default profile in the drop-down list. To view the configuration result, choose System > Configuration File Management. In Current Configuration, you can view that the security policy references the default profile, but the configuration information about the default profile is not displayed.

The FW supports user-defined profiles. You can specify the action for each application category.

Procedure

  1. Optional: To use the DNS remote query function, configure the remote query service.

    The remote query server takes effect for the remote query function of both URL filtering and DNS filtering. For detailed configurations, see Configuring Remote Query Service.

  2. Choose Object > Security Profiles > DNS Filtering. In DNS Filtering Profile List, click Add.
  3. Configure a DNS filtering profile.

    Parameter

    Note

    Name

    Name of the DNS filtering profile

    Description

    Description of a DNS filtering profile

    The description helps you understand the functions of the DNS filtering profile and maintain this profile.

    Action Mode

    If a domain name belongs to multiple DNS categories with different actions, the FW chooses the action according to the action mode.

    • Strict: The strictest of the matched actions is applied to the domain name. For example, if a domain name matches two categories whose actions are alert and block respectively, the block action is applied.
    • Loose: The loosest of the matched actions is applied to the domain name. For example, if a domain name matches two categories whose actions are alert and block respectively, the alert action is applied.

    Default Action

    If the domain name does not match any blacklist, whitelist, or domain name category in the local cache and the remote query function is unavailable, the FW will take the default action, which is allow, alert, or block.

    • Allow: Allows access to the domain name.
    • Alert: Allows access to the domain name and generates a log.
    • Block: Blocks access to the domain name and generates a log.

    Redirect

    Select Enable to enable redirection. The FW answers DNS requests blocked by DNS filtering with the redirection IP address. By default, the redirection function is disabled.

    Redirect IP Address

    You need to configure this item only after you enable the Redirect function.

    The FW answers DNS requests blocked by DNS filtering with this IP address, so that the client is redirected to it.

    Safe Search

    Select Enable to enable safe search. By default, the pre-defined DNS safe search function is disabled.

    The safe search function of the FW applies to scenarios where network administrators regulate Internet access behavior and enable safe search for all Internet access users in a unified manner. You can enable the pre-defined DNS safe search function to filter search results of Bing, Google, and YouTube.

    Whitelist

    The FW looks up the domain name being resolved in the whitelist. If a match is found, the FW permits the DNS request.

    Blacklist

    The FW looks up the domain name being resolved in the blacklist. If a match is found, the FW blocks the DNS request. In addition, if the redirection function is enabled, the FW redirects the user to the specified IP address.

    Host

    Whitelisted or blacklisted domain name

    DNS Filtering Level

    NOTE:

    The DNS filtering level takes effect only on predefined categories. That is, selecting a DNS filtering level does not change the actions for user-defined categories, and setting the actions for user-defined categories does not change the DNS filtering level.

    The actions for user-defined categories must be configured manually by the administrator. The default action is Allow.

    The DNS filtering level can be High, Medium, Low, or User-defined.

    After you select High, Medium, or Low, the system sets an initial action for each predefined category.

    High applies the strictest actions, and Low applies the loosest.

    • If you select User-defined after selecting High, Medium, or Low, the action for each predefined category stays the same as it was under the original DNS filtering level.
    • If you select High, Medium, or Low and then manually change the action for a predefined category, DNS Filtering Level changes to User-defined.
    NOTE:

    You can also create a user-defined DNS category by clicking Add DNS Category next to the User-defined Category.

  4. Click OK.
  5. Reference the profile on security policies. For details on how to configure security policies, see Configuring a Security Policy Using the Web UI.
  6. Click Commit.

    The configuration does not take effect immediately after you create or modify the profile. You must click Commit in the upper right of the interface to apply the configuration. To save time, you can commit the configuration once all operations on the profile are complete.
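The evaluation order described above (whitelist first, then blacklist, then categories from the local cache or the remote query server, and finally the Default Action) is easy to get wrong when reasoning about why a query was allowed or blocked. The following is an added example, not Huawei's code or the FW's implementation: a small Python model of that decision order, including the Strict/Loose action mode over multiple categories and the Redirect IP Address behavior. The profile fields, the Verdict structure, the host names and the 192.0.2.x addresses are constructed; that a Host entry also matches subdomains, and that the Default Action also applies when the remote query returns no category, are assumptions not stated on the page.

```python
"""Added example (not Huawei's code): a model of the DNS filtering decision
order this page describes, from whitelist match down to Default Action."""
from dataclasses import dataclass, field, replace
from typing import Callable, Dict, List, Optional, Set

# Actions ranked loosest -> strictest, so Strict mode = max and Loose mode = min.
ACTION_RANK = {"allow": 0, "alert": 1, "block": 2}


@dataclass
class DnsFilterProfile:
    action_mode: str = "strict"            # "strict" or "loose"
    default_action: str = "block"          # allow / alert / block
    redirect_ip: Optional[str] = None      # set only when Redirect is enabled
    whitelist: Set[str] = field(default_factory=set)
    blacklist: Set[str] = field(default_factory=set)
    # category name -> action (predefined and user-defined categories alike)
    category_actions: Dict[str, str] = field(default_factory=dict)


@dataclass
class Verdict:
    action: str
    reason: str
    log: bool = False                      # alert and block generate a log
    redirect_ip: Optional[str] = None      # address a blocked query is answered with


def host_matches(qname: str, entries: Set[str]) -> bool:
    """Assumption: a Host entry matches the exact name or any parent domain."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in entries for i in range(len(labels)))


def evaluate(profile: DnsFilterProfile, qname: str,
             local_categories: Callable[[str], List[str]],
             remote_query: Optional[Callable[[str], List[str]]] = None) -> Verdict:
    """Return the verdict for one queried domain name.

    local_categories: lookup in the local category cache.
    remote_query: lookup on the remote query server, or None when that
    service is unavailable (the profile's Default Action then applies).
    """
    # 1. The whitelist has priority over the blacklist and every category.
    if host_matches(qname, profile.whitelist):
        return Verdict("allow", "whitelist")
    # 2. The blacklist blocks, logs and (if Redirect is enabled) redirects.
    if host_matches(qname, profile.blacklist):
        return Verdict("block", "blacklist", log=True, redirect_ip=profile.redirect_ip)
    # 3. Categories: local cache first, then the remote query server.
    cats = local_categories(qname)
    if not cats and remote_query is not None:
        cats = remote_query(qname)
    if cats:
        # User-defined categories default to Allow until the admin sets an action.
        actions = [profile.category_actions.get(c, "allow") for c in cats]
        pick = max if profile.action_mode == "strict" else min
        action = pick(actions, key=ACTION_RANK.__getitem__)
        return Verdict(action, "category:" + ",".join(cats), log=action != "allow",
                       redirect_ip=profile.redirect_ip if action == "block" else None)
    # 4. No match anywhere (remote query unavailable or empty): Default Action.
    action = profile.default_action
    return Verdict(action, "default", log=action != "allow",
                   redirect_ip=profile.redirect_ip if action == "block" else None)


# Constructed sample profile and category cache (not real FW data).
PROFILE = DnsFilterProfile(
    action_mode="strict",
    default_action="alert",
    redirect_ip="192.0.2.10",
    whitelist={"intranet.example.com"},
    blacklist={"games.example.net"},
    category_actions={"malicious website": "block", "entertainment": "alert",
                      "video": "block"},
)
LOCAL_CACHE = {
    "www.example.org": ["entertainment", "video"],
    "intranet.example.com": ["malicious website"],   # whitelist must still win
}


def local_lookup(qname: str) -> List[str]:
    return LOCAL_CACHE.get(qname.lower(), [])


def loose_profile() -> DnsFilterProfile:
    """Same profile with Action Mode switched to Loose, for comparison."""
    return replace(PROFILE, action_mode="loose")


if __name__ == "__main__":
    for name in ("intranet.example.com", "play.games.example.net",
                 "www.example.org", "unknown.example.test"):
        v = evaluate(PROFILE, name, local_lookup)
        print(f"{name:26} {v.action:6} ({v.reason}) log={v.log} redirect={v.redirect_ip}")
```

Passing a `remote_query` callable models the case where the local cache has no entry and the remote query service is reachable; passing `None` models the "remote query function is unavailable" condition under which the page says the Default Action is taken.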

Follow-up Procedure

Check or release the references between security policies and the profile.

  1. To check which security policies reference a profile, click View under References in the profile list.

  2. To release the reference between a security policy and the profile, select the security policy and click Release.

    Click Release All to release all references.

Copyright © Huawei Technologies Co., Ltd.