How do I configure the DNS Control policy?

You can define rules that control DNS requests and responses. The DNS Control policy has default rules that allow all DNS traffic. The default rules always maintain the lowest precedence. You can modify their actions, but you cannot delete them.

Before Adding or Modifying Rules for the DNS Control Policy

Ensure that you have configured, as necessary, the resources that the policies will reference:

How Do I Modify the Default Rules?

To modify the default rule:

  1. Go to Policy > Firewall > DNS Control.
  2. Point to the default rule and click the Edit icon.
  3. Choose the Action for the default rule:
    • Allow: Allows the DNS requests and responses.
    • Block: Silently blocks all DNS requests and responses.
  4. Click Save and activate the change.

How Do I Create a New DNS Control Rule?

  1. Go to Policy > Firewall > DNS Control.
  2. Click Add.
  3. Enter the rule attributes:
    • Rule Order: The firewall automatically assigns the Rule Order number. Policy rules are evaluated in ascending numerical order (Rule 1 before Rule 2, and so on), and the Rule Order reflects this rule’s place in the order. You can change the value, but if you’ve enabled Admin Rank, your assigned admin rank determines the Rule Order values you can select.
    • Admin Rank: Choose your Admin Rank. This option appears only if you enabled Admin Ranking in the Advanced Settings page.
    • Rule Name: The firewall automatically creates a Rule Name, which you can change. The maximum length is 31 characters. Avoid reusing the names of rules that were previously deleted; if you do, the service displays the logs for both the deleted rule and the new rule when you view the logs.
    • Rule Status: By default, the rule is enabled. An enabled rule is actively enforced. A disabled rule is not enforced but does not lose its place in the Rule Order; the service skips it and moves to the next rule.
  4. Define the criteria. In the Who, Where, & When tab, you can do the following:
    • Users: Select Any to select all items, or select specific items. You can also search for items or click the Add icon to add an item.
      Notes:
      • If you want to make a selection here, you must ensure your internal DNS servers are configured as iterative servers. For more information, see Configuring Internal DNS Servers to Allow Zscaler to Identify Users.
      • If you've enabled policy for unauthenticated users under Advanced Settings, and want to apply this rule to any unauthenticated traffic, see How do I configure the policy for unauthenticated traffic?
    • Groups: Select Any to select all items, or select specific items. You can also search for items or click the Add icon to add an item.
      Note:
      • If you want to make a selection here, you must ensure your internal DNS servers are configured as iterative servers. For more information, see Configuring Internal DNS Servers to Allow Zscaler to Identify Users.
    • Departments: Select Any to select all items, or select specific items. You can also search for items or click the Add icon to add an item.
      Notes:
      • If you want to make a selection here, you must ensure your internal DNS servers are configured as iterative servers. For more information, see Configuring Internal DNS Servers to Allow Zscaler to Identify Users.
      • If you've enabled policy for unauthenticated users under Advanced Settings, and want to apply this rule to any unauthenticated traffic, see How do I configure the policy for unauthenticated traffic?
    • Locations: Select Any to select all items, or select specific items. You can also search for items or click the Add icon to add an item.
    • Time: Select the time interval during which the rule applies. Select Always to apply this rule to all time intervals, or select up to two time intervals. You can also search for a time interval or click the Add icon to add a new time interval.
  5. In the Source IPs tab, you can do the following:
    • Select any number of Source IP Groups that you want to control with this rule.
    • To specify IP addresses, enter any of the following:
      • An individual IP address, such as 192.0.2.1.
      • A subnet, such as 192.0.2.0/24.
      • An IP address range, such as 192.0.2.1 - 192.0.2.5.
  6. In the Destination/Resolved IPs tab, you can do the following:
    • Select any number of Destination Server IP Groups that you want to control with this rule.
    • To specify IP addresses, enter any of the following:
      • An individual IP address, such as 192.0.2.1.
      • A subnet, such as 192.0.2.0/24.
      • An IP address range, such as 192.0.2.1 - 192.0.2.5.
    • From the Resolved IP-Based Countries menu, to identify destinations based on the location of a server, select Any to apply the rule to all countries, or select the countries to which you want to control traffic.
    • From the Requested Domains/Resolved IP Categories menu, to identify destinations based on the URL category of the domain, select any number of categories.
  7. Choose the Action that the Zscaler service takes when a session matches the criteria.
    • Allow: Allows the DNS requests and responses. All allowed DNS requests automatically go to a trusted DNS server configured on the ZEN. If you want to override this behavior, you can configure a DNAT policy to match DNS traffic. For instructions on how to configure a NAT Control policy rule, see How do I add rules for the NAT Control policy?
      You must complete the fields under each tab (Who, Where, & When; Services & Applications; Source IPs; and Destination IPs) so that the rule captures the desired DNS traffic. Under Action, in the DNAT IP Address or FQDN and DNAT Port fields, enter the details of the server that you want the allowed DNS traffic sent to. If you leave the DNAT IP Address or FQDN field blank, the service forwards DNS requests to the DNS server specified by the destination IP in the client packet.
    • Block: Silently blocks all DNS requests and responses.
    • Redirect Request: Redirects the DNS requests to the specified DNS server. This applies only to the request phase of a DNS transaction.
      In the DNS Server IP Address field, enter the IP address of the DNS server to which the DNS request is redirected.
    • Redirect Response: Replaces the IP address in the DNS response with the specified IP address. This applies only to the response phase of a DNS transaction.
      In the IP Address field, enter the IP address that the service returns in the response in place of the resolved address.

      The Zscaler firewall service logs all sessions of the rule individually, except HTTP(S). This option cannot be changed.
  8. Optionally, enter additional notes or information. The description cannot exceed 10,240 characters.
  9. Click Save and activate the change.
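The following Python is an added illustration, not Zscaler's code or an API of the service: it models the evaluation semantics the steps above describe (rules tried in ascending Rule Order, a disabled rule skipped without losing its slot, a non-deletable default rule at the lowest precedence whose action can only be changed) and the three Source/Destination IP entry forms (single address, subnet, range). The rule names, users, addresses and categories in the sample policy are constructed, and the field names are only a reading of the UI labels. Running it lets you check what a given ordering does to a request before you commit it in the console.

```python
from dataclasses import dataclass, field, replace
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional, Set, Tuple

IpMatcher = Callable[[str], bool]


def parse_ip_spec(spec: str) -> IpMatcher:
    """Build a matcher from one Source/Destination IP entry.

    Accepts the three forms the article lists: a single address
    ("192.0.2.1"), a subnet ("192.0.2.0/24") or a range written as
    "192.0.2.1 - 192.0.2.5". Malformed entries raise ValueError so a
    typo cannot silently widen or narrow a rule.
    """
    spec = spec.strip()
    if "-" in spec:
        lo_txt, hi_txt = (part.strip() for part in spec.split("-", 1))
        lo, hi = ip_address(lo_txt), ip_address(hi_txt)
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"invalid IP range: {spec!r}")

        def in_range(ip: str) -> bool:
            addr = ip_address(ip)
            return addr.version == lo.version and lo <= addr <= hi
        return in_range
    if "/" in spec:
        net = ip_network(spec, strict=False)
        return lambda ip: ip_address(ip) in net
    single = ip_address(spec)
    return lambda ip: ip_address(ip) == single


def is_valid_ip_spec(spec: str) -> bool:
    """True if the entry parses as one of the accepted forms."""
    try:
        parse_ip_spec(spec)
        return True
    except ValueError:
        return False


@dataclass
class DnsRule:
    order: int                    # Rule Order; lower numbers are evaluated first
    name: str
    action: str                   # "allow", "block", "redirect_request", "redirect_response"
    enabled: bool = True          # Rule Status; a disabled rule is skipped but keeps its slot
    users: Optional[Set[str]] = None                      # None models "Any"
    source_ips: List[str] = field(default_factory=list)   # empty list models "Any"
    categories: Optional[Set[str]] = None                 # Requested Domains/Resolved IP Categories
    target_ip: Optional[str] = None                       # DNS server or replacement IP for redirects

    def matches(self, user: str, src_ip: str, category: str) -> bool:
        """Every configured criterion must match; unset criteria mean 'Any'."""
        if self.users is not None and user not in self.users:
            return False
        if self.source_ips and not any(parse_ip_spec(s)(src_ip) for s in self.source_ips):
            return False
        if self.categories is not None and category not in self.categories:
            return False
        return True


def evaluate(rules: List[DnsRule], user: str, src_ip: str, category: str,
             default_action: str = "allow") -> Tuple[str, str]:
    """Return (rule name, action) for the first enabled rule that matches.

    Rules are tried in ascending Rule Order. The default rule always sits
    last; it cannot be removed, only its action (Allow or Block) changes.
    """
    for rule in sorted(rules, key=lambda r: r.order):
        if not rule.enabled:
            continue            # skipped, but the slot in the order is preserved
        if rule.matches(user, src_ip, category):
            return rule.name, rule.action
    return "default rule", default_action


def with_rule_enabled(rules: List[DnsRule], name: str, enabled: bool) -> List[DnsRule]:
    """Return a copy of the policy with one rule's Rule Status changed."""
    return [replace(r, enabled=enabled) if r.name == name else r for r in rules]


# Constructed sample policy; names, users, addresses and categories are illustrative.
SAMPLE_RULES = [
    DnsRule(1, "Block-Malware-Domains", "block", categories={"Malware"}),
    DnsRule(2, "Redirect-Guest-DNS", "redirect_request", enabled=False,
            source_ips=["192.0.2.0/24"], target_ip="198.51.100.53"),
    DnsRule(3, "Allow-Finance-Range", "allow", users={"alice"},
            source_ips=["10.0.0.1 - 10.0.0.5", "10.0.1.7"]),
]

if __name__ == "__main__":
    # A disabled rule 2 means guest traffic falls through to the default rule.
    print(evaluate(SAMPLE_RULES, "bob", "192.0.2.10", "Business"))
    # Enabling it changes the outcome for the same request.
    print(evaluate(with_rule_enabled(SAMPLE_RULES, "Redirect-Guest-DNS", True),
                   "bob", "192.0.2.10", "Business"))
    # Rule 1 still wins for malware-category domains regardless of source.
    print(evaluate(SAMPLE_RULES, "alice", "192.0.2.3", "Malware"))
```

The point to take from the model is that Rule Order, not the order in which you created the rules, decides the outcome, and that flipping Rule Status is the safe way to test a change: the rule keeps its slot, so re-enabling it restores exactly the previous precedence.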

Next Steps

After adding rules to the DNS Control Policy, you may also need to do the following before enabling the firewall for your locations.