Limitations and Precautions for DNS Filtering
Read limitations and precautions before configuring DNS filtering.
Hardware Requirements
The DNS filtering function is supported by all models.
License Requirements
The DNS category remote query function is controlled by the URL remote query license. For details about the license control scope, see the License Control Items.
Component Package Requirements
To use the DNS category remote query function, you need to load the URL remote query component package. For details about the component package, see Dynamic Loading.
Limitations
- DNS traffic must be sent to the IAE engine for DNS filtering to work. If a DNS transparent proxy policy is configured on the FW, DNS traffic may bypass the IAE engine and be forwarded directly by the device; in that case the configured DNS filtering does not take effect.
- When a browser accesses the Internet through a proxy server deployed between the FW and the web server, DNS filtering does not take effect: the browser sends its requests to the proxy by host name and the proxy resolves the name, so the FW does not see a DNS query from the client.
- DNS filtering supports IPv4 and IPv6.
- DNS filtering takes effect only when the DNS query type is A (resolves a domain name into an IPv4 address) or AAAA (resolves a domain name into an IPv6 address). However, for AAAA queries the redirection and safe search functions of DNS filtering do not take effect: when the domain name in a DNS request is resolved into an IPv6 address, the request is neither redirected nor processed by safe search.
Precautions
- User-defined DNS categories have a higher priority than predefined DNS categories: if a domain name matches both, the user-defined category takes effect.
- If the FW is deployed between two routers that detect each other through BFD, increase the BFD detection time appropriately (more than 100 ms is recommended) to prevent BFD flapping caused by occasional network congestion.
- If DNS proxy is enabled on the device and the server alias (CNAME) specified by the user-defined DNS safe search function is in the domain name list of a static DNS entry on the device, the query name of the request packet, once rewritten to that CNAME by the safe search function, matches the static DNS entry. The device then directly returns the IP address from the static DNS table instead of forwarding the request to the real DNS server. In this scenario, the requester does not obtain the real server's IP address; the address it receives may differ from the real server's IP address.
- The user-defined DNS safe search function takes effect on the device as soon as it is configured, but a PC may keep using cached resolution results. After configuring the function, clear the browser's history and cache on the PC and run ipconfig /flushdns at a CMD prompt to clear the PC's DNS resolver cache.
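The following Python script is an added illustration, not Huawei device code, of two behaviours described on this page: the A/AAAA-only rule under Limitations (redirection and safe search apply to A queries only) and the static-DNS-entry collision under Precautions (a safe-search CNAME alias that is also a static DNS entry is answered locally and never reaches the real DNS server). It parses a raw DNS query packet and models the decision; the domain names, the safe-search alias, the static DNS entry, the blocked domain and the function names are all assumptions constructed for the example.

```python
"""Model of the DNS filtering decisions described on this page (added example,
not device code). All names and addresses below are constructed for illustration."""
import struct

QTYPE_A = 1
QTYPE_AAAA = 28
QTYPE_MX = 15
QCLASS_IN = 1

# Constructed policy data (assumed names, not from the page).
SAFE_SEARCH_ALIASES = {
    # user-defined safe search: rewrite the queried name to the server's safe alias (CNAME)
    "www.search.example": "safe.search.example",
}
STATIC_DNS_ENTRIES = {
    # static DNS entry list of the device's DNS proxy
    "safe.search.example": "192.0.2.10",
}
BLOCKED_DOMAINS = {"bad.example"}


def encode_name(name):
    """Encode a dotted domain name in DNS label format (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype, txid=0x1234):
    """Build a standard recursive DNS query carrying a single question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_query(packet):
    """Return (qname, qtype) of the first question, with bounds checks."""
    if len(packet) < 12:
        raise ValueError("truncated header")
    _txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000:
        raise ValueError("not a query (QR bit set)")
    if qdcount < 1:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        if pos >= len(packet):
            raise ValueError("truncated name")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in query name")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return ".".join(labels).lower(), qtype


def filter_decision(packet, dns_proxy_enabled=True):
    """Apply the rules from this page to one query and report the outcome."""
    qname, qtype = parse_query(packet)
    if qtype not in (QTYPE_A, QTYPE_AAAA):
        return {"action": "forward", "qname": qname,
                "reason": "not A/AAAA, DNS filtering does not apply"}
    if qname in BLOCKED_DOMAINS:
        return {"action": "block", "qname": qname, "reason": "blocked category"}
    if qtype == QTYPE_AAAA:
        return {"action": "forward", "qname": qname,
                "reason": "AAAA: no redirection or safe search"}
    alias = SAFE_SEARCH_ALIASES.get(qname)
    if alias is None:
        return {"action": "forward", "qname": qname, "reason": "no safe-search rule"}
    if dns_proxy_enabled and alias in STATIC_DNS_ENTRIES:
        # The rewritten name hits a static DNS entry: answered locally, real server never asked.
        return {"action": "answer_locally", "qname": alias,
                "ip": STATIC_DNS_ENTRIES[alias],
                "reason": "rewritten CNAME matches a static DNS entry"}
    return {"action": "forward", "qname": alias, "reason": "safe search rewrite"}


if __name__ == "__main__":
    for name, qtype in [("www.search.example", QTYPE_A), ("www.search.example", QTYPE_AAAA),
                        ("bad.example", QTYPE_A), ("bad.example", QTYPE_MX)]:
        print(name, qtype, filter_decision(build_query(name, qtype)))
```

With DNS proxy enabled, the A query for the safe-search domain is answered from the static table with 192.0.2.10, which is exactly the case the precaution warns about; with the proxy disabled the rewritten query is forwarded to the real DNS server. The AAAA query for the same domain is forwarded untouched, and an MX query is not subject to DNS filtering at all.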