
Configuring DNS Filtering

A DNS filtering profile defines the action taken for domain names that match the blacklist, the whitelist, user-defined categories, or predefined categories, so that access to those domain names is allowed or blocked. A remote query server is required to use the remote query function.

Prerequisites

The prerequisites for querying categories on a remote server are as follows:

  • The URL remote query license is activated and valid.

  • The DNS server address is set, and the DNS server can correctly resolve domain name sec.huawei.com.

  • The FW is reachable to sec.huawei.com.

  • A security policy has been configured to permit the following user-defined service traffic to pass through the FW:

    • TCP: The destination port number is 443 (for interaction with scheduling center).
    • TCP: The destination port number is 12612 (for interaction with a dispatch server).
    • UDP: The destination port number is 12600 (for interaction with a query server).

Context

The priority of a whitelist is higher than that of a blacklist. The application scenarios of the blacklist and whitelist are as follows:

  • Blacklist

    To improve working efficiency of employees and optimize enterprise network bandwidth usage, online behavior of employees needs to be controlled. Employees are not allowed to access entertainment, game, and video websites.

    You can configure a domain name blacklist to prevent users from accessing the specified domain names.

  • Whitelist

    Enterprises have special requirements and do not need to filter requests for certain websites.

    You can configure a domain name whitelist to allow users to access the specified domain names.

The FW has a default DNS filtering profile named default. In the default profile, the default action for the malicious website category is block, and the default action for other categories is permit. The default profile cannot be modified or deleted.

You can run the display profile type dns-filter name default command on the CLI to view the configuration of the default profile. If you use the CLI to reference the default profile in a security policy, you must enter the complete profile name (that is, default); otherwise, the reference fails. To check the result, run the display current-configuration command: the output shows that the security policy references the default profile, but the configuration of the default profile itself is not displayed.

The FW supports user-defined profiles. You can specify the action for each application category.

Procedure

  1. Access the system view.

    system-view

  2. Optional: To use the remote query function, configure a remote query server.

    The remote query server takes effect for the remote query function of both URL filtering and DNS filtering. For detailed configurations, see Configuring Remote Query Service.

  3. Optional: Configure global DNS filtering and related parameters.

    1. Configure the timeout time of remote query and the timeout action.

      url-filter query timeout { time time | action { alert | allow | block } } *

      By default, the timeout time is 3 seconds, and the timeout action is permit.

    2. Configure the aging time of the predefined DNS category cache.

      url-filter cache aging-period aging-period

      To ensure the effectiveness of predefined DNS categories, the system periodically queries DNS categories on a remote server. The query interval is specified in aging-period. If the category of a domain name changes, the system updates the corresponding information in the cache.

    3. Configure the interval and time for the system to back up cached predefined DNS categories to the predefined DNS category database.

      url-filter cache backup-period backup-period backup-time backup-time

      By default, the backup interval is 7 days, and the backup time is 00:00.

      Cached predefined DNS categories can be periodically backed up to the predefined DNS category database. When the device restarts, it automatically loads the latest predefined DNS category database file, reducing self-learning workloads and improving detection efficiency.

  4. Create a DNS filtering profile and access its view.

    profile type dns-filter name name

  5. Configure the description of the DNS filtering profile.

    description description

  6. Add blacklist and whitelist rules to the DNS filtering profile.

    add { blacklist | whitelist } host-text

  7. Configure the action for a DNS category.

    category { pre-defined [ category-id category-id | subcategory-id subcategory-id ] | user-defined [ name category-name ] } action { allow | alert | block }

    You can run this command to set an action for a predefined or user-defined DNS category.

  8. Set the control level for a predefined DNS category.

    category pre-defined control-level { high | low | medium }

    This command takes effect only on predefined categories.

    After you set the control level, the system sets an initial action for each predefined category. High indicates the stricter action, and Low indicates the looser action.

  9. Configure the action mode of DNS filtering.

    category action mode { strict | loose }

    The default action mode for a DNS category is strict mode.

    If a domain name belongs to multiple DNS categories, the FW takes an action based on the action mode.

    • If the action mode is strict mode, the strictest action is implemented on the domain name. For example, a domain name matches two categories, and the actions are respectively alert and block. The block action will be implemented on the domain name.

    • If the action mode is loose mode, the loosest action is implemented on the domain name. For example, a domain name matches two categories, and the actions are respectively alert and block. The alert action will be implemented on the domain name.

  10. Set the default action.

    default action { allow | block | alert }

    The default action for a DNS filtering profile is allow.

    If the domain name does not match any blacklist, whitelist, or domain name category in the local cache and the remote query function is unavailable, the FW will take the default action.

  11. Configure redirection.

    redirect blocked dns requests enable

    By default, DNS packets blocked by DNS filtering are not redirected.

    If the domain name corresponding to a DNS request is blocked by DNS filtering and the redirection function is configured, the user is redirected to the IP address configured with the redirect ip command.

  12. Optional: Enable the pre-defined DNS safe search function.

    safe-search enable

    By default, the pre-defined DNS safe search function is disabled.

    The DNS safe search function of the FW applies to scenarios where network administrators regulate Internet access behavior and enable safe search for all Internet access users in a unified manner. You can run the safe-search enable command in the DNS filtering profile view to filter search results of Bing, Google, and YouTube.

  13. Optional: Enable the user-defined DNS safe search function and configure a rule for constructing DNS response packets.

    add query-name host-text answer { ip ip-address | cname cname } [ ttl ttl-time ]

    By default, the user-defined DNS safe search function does not take effect. It takes effect after you run this command to configure a rule for constructing DNS response packets and reference the rule in a specific DNS filtering profile.

    The pre-defined DNS safe search function covers only three search engines (Bing, Google, and YouTube), and parameters such as the IP address of the safe search server, the CNAME, and the TTL in DNS response packets cannot be configured. To address these limitations, run this command to configure a rule for constructing DNS response packets. If the domain name in a DNS request packet matches the request-direction domain name configured in a rule, the device constructs a DNS response packet whose IP address or CNAME field points to the safe search server, as specified by the rule, to implement the user-defined DNS safe search function. The pre-defined and user-defined DNS safe search functions are independent of each other, and the user-defined function takes precedence over the pre-defined one.

  14. Return to the system view and commit the configuration.

    engine configuration commit

    A new or modified security profile does not take effect until you run the engine configuration commit command. To save time, commit once after all operations on the profile are complete rather than after each step.
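    The following session ties the steps above together into one user-defined profile. It is an added example and not a transcript from the original page; the prompts, the profile name staff-dns, the domain names, and the chosen actions are illustrative assumptions. Steps that need values the page does not give (the remote query server, the redirect ip address, the security policy that references the profile) are left as comments.

    ```text
    # Added example, not from the original page. Prompts, the profile name,
    # the domain names and the chosen actions are assumptions.
    <FW> system-view
    # Step 2 (remote query server) is configured separately; see Configuring Remote Query Service.
    # Step 3.1: on a remote-query timeout, alert instead of the default permit so that
    # an unreachable query server shows up in the logs rather than passing silently.
    [FW] url-filter query timeout time 3 action alert
    # Steps 4 to 6: create the profile, describe it, add list entries.
    # The whitelist wins over the blacklist, so intranet.example.com is always reachable.
    [FW] profile type dns-filter name staff-dns
    [FW-profile-dns-filter-staff-dns] description Office users: block entertainment, keep intranet reachable
    [FW-profile-dns-filter-staff-dns] add whitelist intranet.example.com
    [FW-profile-dns-filter-staff-dns] add blacklist games.example.net
    # Step 8: let the control level seed an initial action for every predefined category.
    [FW-profile-dns-filter-staff-dns] category pre-defined control-level high
    # Step 9: a domain in several categories gets the strictest of their actions.
    [FW-profile-dns-filter-staff-dns] category action mode strict
    # Step 10: unclassified domains are alerted on when no list, cache entry or
    # remote query answers, instead of being silently allowed.
    [FW-profile-dns-filter-staff-dns] default action alert
    # Step 11: requires the redirect ip command to be configured separately.
    [FW-profile-dns-filter-staff-dns] redirect blocked dns requests enable
    # Step 12: safe search for Bing, Google and YouTube.
    [FW-profile-dns-filter-staff-dns] safe-search enable
    [FW-profile-dns-filter-staff-dns] quit
    # Step 14: nothing above is active until it is committed.
    [FW] engine configuration commit
    [FW] display profile type dns-filter name staff-dns
    ```

    The profile still has to be referenced by a security policy (using its complete name, as noted for the default profile above) before it filters any traffic.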

Follow-up Procedure

  • In the DNS filtering profile view, rename the DNS filtering profile and access the view of the new DNS filtering profile.

    rename new-name

  • In the system view, copy the existing DNS filtering profile and access the view of the new DNS filtering profile.

    profile type dns-filter copy old-name [ new-name ]

Copyright © Huawei Technologies Co., Ltd.