Resolve Public and Local DNS Queries
Before configuring endpoints to use the VAs for DNS traffic, ensure that the VAs can resolve both public and local DNS queries. The simplest test is to open a command prompt on a local endpoint and run the nslookup command against the VA:
nslookup opendns.com <VA IP Address>
nslookup opendns.com. 192.168.10.1
Server: 192.168.10.1
Address: 192.168.10.1#53
Non-authoritative answer:
Name: opendns.com
Address: 67.215.92.218
- If the lookup times out, confirm that you have met firewall requirements. For more information, see Prerequisites for Virtual Appliances.
- If the test succeeds, perform the same test again, but this time with a local resource, such as a domain controller or mail server.
nslookup dc01.localdomain.corp. <VA IP Address>
nslookup dc01.localdomain.corp.
Server: 192.168.10.1
Address: 192.168.10.1#53
Non-authoritative answer:
Name: dc01.localdomain.corp
Address: 192.168.10.47
If the result is not what you expect, ensure the domain was added as an internal domain in Secure Access.
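As an added example (not part of the original documentation), a small Python checker that runs the public and the local lookup from the procedure above against the VA and maps each outcome to the next step the procedure gives; the sample transcripts and the 192.168.10.1 VA address are constructed from the output shown above.

```python
import re
import subprocess
# Constructed sample transcripts modelled on the nslookup output above (not captured from a live VA).
SAMPLE_PUBLIC_OK = """Server: 192.168.10.1
Address: 192.168.10.1#53

Non-authoritative answer:
Name: opendns.com
Address: 67.215.92.218
"""
SAMPLE_INTERNAL_NXDOMAIN = """Server: 192.168.10.1
Address: 192.168.10.1#53

** server can't find dc01.localdomain.corp: NXDOMAIN
"""
SAMPLE_TIMEOUT = ";; connection timed out; no servers could be reached\n"

# Next step for each outcome, taken from the procedure above.
HINTS = {
    "timeout": "no reply from the VA: check the firewall requirements in Prerequisites for Virtual Appliances",
    "nxdomain": "VA answered with no record: for a local name, add the domain as an internal domain in Secure Access",
    "ok": "resolved as expected",
}

def parse_nslookup(output):
    """Classify one nslookup transcript as (status, answer_addresses)."""
    if "timed out" in output or "no servers could be reached" in output:
        return "timeout", []
    if "NXDOMAIN" in output or "can't find" in output:
        return "nxdomain", []
    # Only Address lines after 'Name:' are answers; earlier ones identify the server (e.g. 192.168.10.1#53).
    _, found, answer_section = output.partition("Name:")
    answers = re.findall(r"^Address(?:es)?:\s*(\S+)", answer_section, re.M) if found else []
    return ("ok", answers) if answers else ("unknown", [])

def query_va(name, va_ip, timeout=5):
    """Live lookup: run nslookup against the VA and classify its output (needs network access)."""
    try:
        proc = subprocess.run(["nslookup", name, va_ip], capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "timeout", []
    return parse_nslookup(proc.stdout)

def check_va(va_ip, public_name, internal_name, query=query_va):
    """Run the public and the local lookup the procedure asks for; return {name: (status, addresses, hint)}."""
    report = {}
    for name in (public_name, internal_name):
        status, addrs = query(name, va_ip)
        report[name] = (status, addrs, HINTS.get(status, "unexpected output, inspect the transcript"))
    return report
```

Call `check_va("192.168.10.1", "opendns.com", "dc01.localdomain.corp")` from an endpoint that can reach the VA; the `query` parameter exists so the classification can be exercised offline against captured transcripts.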
When deploying the VA, we recommend the following for DNS configuration on any internal DNS servers:
- In the DNS server's network adapter settings, set the first DNS entry to the loopback address (127.0.0.1) so that the server uses itself for DNS resolution. The second entry should be another internal DNS server.
- In the DNS server's forwarder settings, we recommend using the Secure Access Anycast IPs (208.67.222.222/208.67.220.220) rather than the virtual appliance IPs. This limits your ability to see the original source IP when viewing reports, but it avoids DNS loops if either the VA or the internal DNS server is misconfigured.
- If the server also acts as a mail server, the best option is to forward to your ISP's DNS servers or to other recursive resolvers.