CLI: Example for Configuring DNS Category-based DNS Filtering
This section provides an example for configuring DNS category-based DNS filtering to control the access to domain names of a category. The URL category can be either a predefined category of the FW or a user-defined category.
Networking Requirements
As shown in Figure 1, the FW is deployed at the network border as the enterprise's gateway to implement DNS filtering on the DNS query requests submitted by users for accessing external networks.
The enterprise has R&D and marketing employees. The specific requirements on the employees are as follows:
- The R&D employees can access only education/science and search/portal websites from 09:00 to 17:00 every day.
- The marketing employees can access only education/science, search/portal, and social news websites and a specific domain name (www.example.net) from 09:00 to 17:00 every day.
Configuration Roadmap
- Set interface IP addresses and assign interfaces to security zones.
- Configure the DNS server and ensure that the FW can correctly resolve domain name sec.huawei.com.
- Configure user-defined category DNS_userdefine_category and add www.example.net to the user-defined domain name.
- Configure the remote query server to obtain the mappings between domain names and predefined categories. In this example, Education/Science, Search Engines/Portals, and Social Focus are all predefined categories.
- Configure two DNS filtering profiles, one for the R&D personnel and the other for the marketing personnel. Specify control actions for user-defined categories and predefined categories.
To ensure that remote query is available, configure a security policy and reference user-defined services in the security policy to allow the FW to access the scheduling center sec.huawei.com. The user-defined services include:
- TCP: The destination port number is 80 (for interaction with scheduling center sec.huawei.com).
- TCP: The destination port number is 12612 (for interaction with a dispatch server).
- UDP: The destination port number is 12600 (for interaction with a query server).
- Configure two security policies and reference time ranges, user groups, and DNS filtering profiles to control domain name access of different user groups within various time ranges.
Procedure
- Set interface IP addresses and assign interfaces to security
zones.
- Configure the DNS server.
[FW] dns resolve [FW] dns server 10.2.0.70
- Configure a user-defined DNS category.
[FW] dns-filter category user-defined name DNS_userdefine_category [FW-cate-user-defined-dns_userdefine_category] description DNS userdefine category of access control for marketing. [FW-cate-user-defined-dns_userdefine_category] add host www.example.net [FW-cate-user-defined-dns_userdefine_category] quit
- Configure remote query service parameters.
[FW] country CN [FW] url-filter query timeout time 3 action allow
- Configure DNS filtering profiles.
You can run the display url-filter category pre-defined command to query the mappings between the following predefined categories and IDs:- 17: Education/Science
- 15: Search Engines/Portals
- 5: Social Focus
- Configure schedules.
[FW] time-range time_range [FW-time-range-time_range] period-range 09:00:00 to 17:00:00 daily [FW-time-range-time_range] quit
- Configure user-defined services.
[FW] ip service-set service_sec_huawei_com type object [FW-object-service-set-service_sec_huawei_com] service protocol TCP source-port 0 to 65535 destination-port 80 [FW-object-service-set-service_sec_huawei_com] service protocol TCP source-port 0 to 65535 destination-port 12612 [FW-object-service-set-service_sec_huawei_com] service protocol UDP source-port 0 to 65535 destination-port 12600 [FW-object-service-set-service_sec_huawei_com] quit
- Configure security policies and reference
user-defined services to allow the FW to access the scheduling center sec.huawei.com.
[FW] security-policy [FW-policy-security] rule name policy_sec_huawei_com [FW-policy-security-rule-policy_sec_huawei_com] source-zone local [FW-policy-security-rule-policy_sec_huawei_com] destination-zone untrust [FW-policy-security-rule-policy_sec_huawei_com] service service_sec_huawei_com [FW-policy-security-rule-policy_sec_huawei_com] action permit [FW-policy-security-rule-policy_sec_huawei_com] quit
- Reference DNS filtering profiles in security policies.
In this example, user groups research (R&D employees) and marketing (marketing employees) to be referenced have been created.
- Commit the content security profiles.
[FW] engine configuration commit Info: The operation may last for several minutes, please wait. Info: DNS submitted configurations successfully. Info: Finish committing engine compiling.
Verification
Employees in the R&D department can access only websites in the Education/Science and Search Engines/Portals categories from 09:00 to 17:00 every day.
Marketing employees are allowed to access only websites in the Education/Science, Search Engines/Portals, and Social Focus categories and www.example.net and are blocked when attempting to access other websites, such as forum websites from 09:00 to 17:00 every day.
Configuration Scripts
# sysname FW # dns resolve dns server 10.2.0.70 # ip service-set service_sec_huawei_com type object service 0 protocol tcp source-port 0 to 65535 destination-port 80 service 1 protocol tcp source-port 0 to 65535 destination-port 12612 service 2 protocol udp source-port 0 to 65535 destination-port 12600 # country CN # time-range time_range period-range 09:00:00 to 17:00:00 daily # interface GigabitEthernet0/0/1 undo shutdown ip address 1.1.1.1 255.255.255.0 # interface GigabitEthernet0/0/3 undo shutdown ip address 10.3.0.1 255.255.255.0 # firewall zone trust set priority 85 add interface GigabitEthernet0/0/3 # firewall zone untrust set priority 5 add interface GigabitEthernet0/0/1 # dns-filter category user-defined name DNS_userdefine_category description dns userdefine category of access control for marketing. add host www.example.net profile type dns-filter name profile_dns_research description DNS filter profile of web access control for research. category pre-defined subcategory-id 101 action block category pre-defined subcategory-id 102 action block category pre-defined subcategory-id 162 action block category pre-defined subcategory-id 163 action block category pre-defined subcategory-id 164 action block category pre-defined subcategory-id 165 action block category pre-defined subcategory-id 103 action block category pre-defined subcategory-id 166 action block category pre-defined subcategory-id 167 action block category pre-defined subcategory-id 168 action block category pre-defined subcategory-id 104 action block category pre-defined subcategory-id 169 action block category pre-defined subcategory-id 170 action block category pre-defined subcategory-id 105 action block category pre-defined subcategory-id 171 action block category pre-defined subcategory-id 172 action block category pre-defined subcategory-id 173 action block category pre-defined subcategory-id 174 action block category pre-defined subcategory-id 106 action block category pre-defined subcategory-id 108 action block category pre-defined subcategory-id 177 action block category pre-defined subcategory-id 251 action block category pre-defined subcategory-id 109 action block category pre-defined subcategory-id 110 action block category pre-defined subcategory-id 111 action block category pre-defined subcategory-id 112 action block category pre-defined subcategory-id 114 action block category pre-defined subcategory-id 115 action block category pre-defined subcategory-id 117 action block category pre-defined subcategory-id 178 action block category pre-defined subcategory-id 179 action block category pre-defined subcategory-id 180 action block category pre-defined subcategory-id 181 action block category pre-defined subcategory-id 118 action block category pre-defined subcategory-id 119 action block category pre-defined subcategory-id 122 action block category pre-defined subcategory-id 182 action block category pre-defined subcategory-id 183 action block category pre-defined subcategory-id 184 action block category pre-defined subcategory-id 247 action block category pre-defined subcategory-id 248 action block category pre-defined subcategory-id 249 action block category pre-defined subcategory-id 250 action block category pre-defined subcategory-id 123 action block category pre-defined subcategory-id 124 action block category pre-defined subcategory-id 186 action block category pre-defined subcategory-id 187 action block category pre-defined subcategory-id 188 action block category pre-defined subcategory-id 189 action block category pre-defined subcategory-id 125 action block category pre-defined subcategory-id 127 action block category pre-defined subcategory-id 128 action block category pre-defined subcategory-id 130 action block category pre-defined subcategory-id 131 action block category pre-defined subcategory-id 132 action block category pre-defined subcategory-id 197 action block category pre-defined subcategory-id 198 action block category pre-defined subcategory-id 199 action block category pre-defined subcategory-id 200 action block category pre-defined subcategory-id 227 action block category pre-defined subcategory-id 228 action block category pre-defined subcategory-id 133 action block category pre-defined subcategory-id 201 action block category pre-defined subcategory-id 202 action block category pre-defined subcategory-id 204 action block category pre-defined subcategory-id 205 action block category pre-defined subcategory-id 134 action block category pre-defined subcategory-id 135 action block category pre-defined subcategory-id 136 action block category pre-defined subcategory-id 137 action block category pre-defined subcategory-id 138 action block category pre-defined subcategory-id 139 action block category pre-defined subcategory-id 140 action block category pre-defined subcategory-id 141 action block category pre-defined subcategory-id 206 action block category pre-defined subcategory-id 207 action block category pre-defined subcategory-id 208 action block category pre-defined subcategory-id 209 action block category pre-defined subcategory-id 210 action block category pre-defined subcategory-id 229 action block category pre-defined subcategory-id 142 action block category pre-defined subcategory-id 143 action block category pre-defined subcategory-id 144 action block category pre-defined subcategory-id 145 action block category pre-defined subcategory-id 146 action block category pre-defined subcategory-id 147 action block category pre-defined subcategory-id 211 action block category pre-defined subcategory-id 212 action block category pre-defined subcategory-id 213 action block category pre-defined subcategory-id 240 action block category pre-defined subcategory-id 253 action block category pre-defined subcategory-id 149 action block category pre-defined subcategory-id 150 action block category pre-defined subcategory-id 214 action block category pre-defined subcategory-id 215 action block category pre-defined subcategory-id 216 action block category pre-defined subcategory-id 217 action block category pre-defined subcategory-id 151 action block category pre-defined subcategory-id 218 action block category pre-defined subcategory-id 219 action block category pre-defined subcategory-id 220 action block category pre-defined subcategory-id 221 action block category pre-defined subcategory-id 222 action block category pre-defined subcategory-id 223 action block category pre-defined subcategory-id 230 action block category pre-defined subcategory-id 252 action block category pre-defined subcategory-id 152 action block category pre-defined subcategory-id 153 action block category pre-defined subcategory-id 238 action block category pre-defined subcategory-id 154 action block category pre-defined subcategory-id 155 action block category pre-defined subcategory-id 224 action block category pre-defined subcategory-id 225 action block category pre-defined subcategory-id 156 action block category pre-defined subcategory-id 157 action block category pre-defined subcategory-id 158 action block category pre-defined subcategory-id 231 action block category pre-defined subcategory-id 232 action block category pre-defined subcategory-id 159 action block category pre-defined subcategory-id 254 action block category pre-defined subcategory-id 160 action block category pre-defined subcategory-id 161 action block category pre-defined subcategory-id 176 action block category pre-defined subcategory-id 226 action block category pre-defined subcategory-id 234 action block category pre-defined subcategory-id 235 action block category pre-defined subcategory-id 236 action block category pre-defined subcategory-id 237 action block category pre-defined subcategory-id 239 action block category pre-defined subcategory-id 241 action block category pre-defined subcategory-id 233 action block category user-defined name DNS_userdefine_category action block profile type dns-filter name profile_dns_marketing description DNS filter profile of web access control for marketing. category pre-defined subcategory-id 101 action block category pre-defined subcategory-id 102 action block category pre-defined subcategory-id 162 action block category pre-defined subcategory-id 163 action block category pre-defined subcategory-id 164 action block category pre-defined subcategory-id 165 action block category pre-defined subcategory-id 103 action block category pre-defined subcategory-id 166 action block category pre-defined subcategory-id 167 action block category pre-defined subcategory-id 168 action block category pre-defined subcategory-id 104 action block category pre-defined subcategory-id 169 action block category pre-defined subcategory-id 170 action block category pre-defined subcategory-id 106 action block category pre-defined subcategory-id 108 action block category pre-defined subcategory-id 177 action block category pre-defined subcategory-id 251 action block category pre-defined subcategory-id 109 action block category pre-defined subcategory-id 110 action block category pre-defined subcategory-id 111 action block category pre-defined subcategory-id 112 action block category pre-defined subcategory-id 114 action block category pre-defined subcategory-id 115 action block category pre-defined subcategory-id 117 action block category pre-defined subcategory-id 178 action block category pre-defined subcategory-id 179 action block category pre-defined subcategory-id 180 action block category pre-defined subcategory-id 181 action block category pre-defined subcategory-id 118 action block category pre-defined subcategory-id 119 action block category pre-defined subcategory-id 122 action block category pre-defined subcategory-id 182 action block category pre-defined subcategory-id 183 action block category pre-defined subcategory-id 184 action block category pre-defined subcategory-id 247 action block category pre-defined subcategory-id 248 action block category pre-defined subcategory-id 249 action block category pre-defined subcategory-id 250 action block category pre-defined subcategory-id 123 action block category pre-defined subcategory-id 124 action block category pre-defined subcategory-id 186 action block category pre-defined subcategory-id 187 action block category pre-defined subcategory-id 188 action block category pre-defined subcategory-id 189 action block category pre-defined subcategory-id 125 action block category pre-defined subcategory-id 127 action block category pre-defined subcategory-id 128 action block category pre-defined subcategory-id 130 action block category pre-defined subcategory-id 131 action block category pre-defined subcategory-id 132 action block category pre-defined subcategory-id 197 action block category pre-defined subcategory-id 198 action block category pre-defined subcategory-id 199 action block category pre-defined subcategory-id 200 action block category pre-defined subcategory-id 227 action block category pre-defined subcategory-id 228 action block category pre-defined subcategory-id 133 action block category pre-defined subcategory-id 201 action block category pre-defined subcategory-id 202 action block category pre-defined subcategory-id 204 action block category pre-defined subcategory-id 205 action block category pre-defined subcategory-id 134 action block category pre-defined subcategory-id 135 action block category pre-defined subcategory-id 136 action block category pre-defined subcategory-id 137 action block category pre-defined subcategory-id 138 action block category pre-defined subcategory-id 139 action block category pre-defined subcategory-id 140 action block category pre-defined subcategory-id 141 action block category pre-defined subcategory-id 206 action block category pre-defined subcategory-id 207 action block category pre-defined subcategory-id 208 action block category pre-defined subcategory-id 209 action block category pre-defined subcategory-id 210 action block category pre-defined subcategory-id 229 action block category pre-defined subcategory-id 142 action block category pre-defined subcategory-id 143 action block category pre-defined subcategory-id 144 action block category pre-defined subcategory-id 145 action block category pre-defined subcategory-id 146 action block category pre-defined subcategory-id 147 action block category pre-defined subcategory-id 211 action block category pre-defined subcategory-id 212 action block category pre-defined subcategory-id 213 action block category pre-defined subcategory-id 240 action block category pre-defined subcategory-id 253 action block category pre-defined subcategory-id 149 action block category pre-defined subcategory-id 150 action block category pre-defined subcategory-id 214 action block category pre-defined subcategory-id 215 action block category pre-defined subcategory-id 216 action block category pre-defined subcategory-id 217 action block category pre-defined subcategory-id 151 action block category pre-defined subcategory-id 218 action block category pre-defined subcategory-id 219 action block category pre-defined subcategory-id 220 action block category pre-defined subcategory-id 221 action block category pre-defined subcategory-id 222 action block category pre-defined subcategory-id 223 action block category pre-defined subcategory-id 230 action block category pre-defined subcategory-id 252 action block category pre-defined subcategory-id 152 action block category pre-defined subcategory-id 153 action block category pre-defined subcategory-id 238 action block category pre-defined subcategory-id 154 action block category pre-defined subcategory-id 155 action block category pre-defined subcategory-id 224 action block category pre-defined subcategory-id 225 action block category pre-defined subcategory-id 156 action block category pre-defined subcategory-id 157 action block category pre-defined subcategory-id 158 action block category pre-defined subcategory-id 231 action block category pre-defined subcategory-id 232 action block category pre-defined subcategory-id 159 action block category pre-defined subcategory-id 254 action block category pre-defined subcategory-id 160 action block category pre-defined subcategory-id 161 action block category pre-defined subcategory-id 176 action block category pre-defined subcategory-id 226 action block category pre-defined subcategory-id 234 action block category pre-defined subcategory-id 235 action block category pre-defined subcategory-id 236 action block category pre-defined subcategory-id 237 action block category pre-defined subcategory-id 239 action block category pre-defined subcategory-id 241 action block category pre-defined subcategory-id 233 action block # security-policy rule name policy_sec_huawei_com source-zone local destination-zone untrust service service_sec_huawei_com action permit rule name policy_sec_research description Security policy of web access protect for research. source-zone trust destination-zone untrust user user-group /default/research time-range time_range profile dns-filter profile_dns_research action permit rule name policy_sec_marketing description Security policy of web access protect for marketing. source-zone trust destination-zone untrust user user-group /default/marketing time-range time_range profile dns-filter profile_dns_marketing action permit