Topic
This article provides best practices when configuring DNS in ControlOne.
Environment
- Cytracom ControlOne
Description
Recommended DNS settings
Accessing DNS settings
1. In the Network Map, click the Zone to which the DNS settings will apply.
2. The Configuration Options panel will open on the right-hand side of the screen. Click the DNS tab.
Recommended DNS settings
Cytracom recommends the following DNS settings for general use:
- Mode: Auto
- Advanced: leave the primary and secondary DNS server fields empty. Cytracom recommends the Auto setting for most environments; unlike other networking equipment, ControlOne does not require you to enter DNS server addresses, because it assigns them automatically. If you believe your environment requires a specific DNS server entry, contact Cytracom Technical Support for assistance.
- Advanced Gateway: leave unchecked.
Figure 1: Recommended DNS settings (click to enlarge)
ControlOne and internal DNS servers
If you currently have a DNS server on your network, Cytracom recommends a hybrid approach in which:
- Your DNS server handles DNS for resources on your domain.
- The ControlOne bridge handles DNS requests for public resources.
You can set this configuration up in the ControlOne Portal using conditional forwards.
Conditional forwards
A DNS conditional forward is a setting on the ControlOne Bridge that forwards all DNS requests for a specific DNS domain to the server you choose, normally the server that is authoritative for that domain.
For example, if you have a local domain controller running DNS service with zones for 'yourcompany.local', a conditional forward will instruct ControlOne to forward any DNS lookups for that domain to your local domain controller. This gives you the best combination of DNS functionality, allowing fast global DNS resolution and local domain resolution. See Cytracom ControlOne: Conditional forwards to learn more.
Figure 2: Conditional forward flow on a ControlOne Bridge (click to enlarge)
DNS and the ControlOne Agent
The ControlOne Agent is a full-tunnel connectivity solution: all Internet traffic is sent up the tunnel to the Cytracom platform. Traffic to devices on the network behind a bridge is tunneled to that location, and all other Internet traffic exits directly from the cloud-based firewall.
- DNS queries for Internet-based resources are answered by the platform's caching resolvers.
- DNS queries for on-premises devices that are published by your local DNS servers are sent to those servers via conditional forwards.
If you log in using the ControlOne Agent, the agent must be able to reach the resources within your site zones; the login will not succeed until it can.
Figure 3: DNS and the ControlOne Agent (click to enlarge)
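The routing decision described in the conditional forwards section and in the ControlOne Agent section above is the same one: a query whose name falls under a forwarded domain goes to the local server you configured, and everything else goes to the platform's resolvers. The following is an added example written for this article, not ControlOne's code, that models that decision so you can see how matching behaves at the edges (case, trailing dots, sub-domains, and look-alike domains). The rule set, the resolver addresses (RFC 5737 documentation ranges and a private address), and the query names are constructed for illustration.

```python
"""Added example (not Cytracom's code): how a conditional-forward rule set
decides where a DNS query is sent.

Assumptions (hypothetical, not taken from the ControlOne documentation):
  - each rule maps a DNS domain to the server that should answer for it,
    e.g. 'yourcompany.local' -> the local domain controller;
  - a query that matches no rule goes to the default (public) resolver.
The matching logic is the author's illustration of the concept, not
ControlOne's implementation.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Decision:
    qname: str    # the query name as the client sent it
    target: str   # address of the server the query is forwarded to
    reason: str   # "forward:<domain>" for a rule hit, or "default"


class ConditionalForwarder:
    def __init__(self, default_resolver: str, forwards: dict[str, str]):
        self.default_resolver = default_resolver
        # Normalise rule names once so lookups are exact-string matches.
        self.rules = {self._norm(domain): server for domain, server in forwards.items()}

    @staticmethod
    def _norm(name: str) -> str:
        # DNS names are case-insensitive and may carry a trailing dot.
        return name.strip().rstrip(".").lower()

    def route(self, qname: str) -> Decision:
        labels = self._norm(qname).split(".")
        # Walk suffixes from most specific to least specific, on label
        # boundaries only. This means:
        #   - 'dc01.yourcompany.local' and the apex 'yourcompany.local' match;
        #   - 'host.notyourcompany.local' does NOT match 'yourcompany.local';
        #   - a rule for 'corp.yourcompany.local' wins over 'yourcompany.local'.
        for i in range(len(labels)):
            suffix = ".".join(labels[i:])
            if suffix in self.rules:
                return Decision(qname, self.rules[suffix], f"forward:{suffix}")
        return Decision(qname, self.default_resolver, "default")


def demo() -> list[Decision]:
    """Constructed scenario matching the article: one internal domain on a
    local domain controller, everything else to the platform resolver."""
    forwarder = ConditionalForwarder(
        default_resolver="203.0.113.53",              # constructed: platform resolver
        forwards={"yourcompany.local": "10.0.0.10"},  # constructed: local DC
    )
    queries = [
        "dc01.yourcompany.local",      # internal host -> local DC
        "YourCompany.LOCAL.",          # apex, mixed case, trailing dot -> local DC
        "www.example.com",             # public name -> platform resolver
        "host.notyourcompany.local",   # look-alike suffix -> platform resolver
    ]
    return [forwarder.route(q) for q in queries]


if __name__ == "__main__":
    for d in demo():
        print(f"{d.qname:28} -> {d.target:14} ({d.reason})")
```

The label-boundary check is the part worth carrying over to any real configuration: a forward for yourcompany.local must not capture names that merely end in the same characters, and the most specific forwarded domain should win when you have nested zones.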
Additional Resources
Still have questions? Contact Cytracom Technical Support or open a ticket.