Question on Local DNS records feature


#1

Question about the Local DNS records feature at Network -> Network settings

Does a host name of, for example, cbs.com also cover x.cbs.com and y.cbs.com and ftp.cbs.com and www.cbs.com?

This is the way things work for both outgoing firewall rules based on a domain name and also for web blocking. Thank you.


#2

Hi Michael,

Local DNS records, outgoing firewall rules and web blocking are three different features of the device.

Local DNS records are just simple entry records that you can use for local/LAN servers to resolve from domain name to IP address. Some users may define local DNS records for a public server that isn’t registered with a public domain name. For servers registered with a public domain name, usually we won’t add the record here; instead we let the forwarding DNS service send the request to the public DNS server for the domain name resolution. Local DNS records will match back exactly the domain name defined and you shouldn’t have wildcard local records.

Outgoing firewall rules based on a domain name
The public server IP addresses for the defined domain name in the firewall rules or outbound policy will be learned from DNS queries from the LAN network that pass through Peplink devices.

If Domain Name is chosen from the firewall and a domain name, such as foobar.com, is entered, any outgoing accesses to foobar.com and *.foobar.com will match this criterion. You may enter a wildcard (.*) at the end of a domain name to match any host with a name having the domain name in the middle. If you enter foobar.*, for example, then www.foobar.com, www.foobar.co.jp, or foobar.co.uk will also match. Placing wildcards in any other position is not supported.

Tip: If you are trying to block outgoing HTTP access to a website using a domain name, please consider using Web Blocking.

Web blocking
Web blocking blocks based on the domains that the user is browsing instead of server IP addresses. Web blocking is a layer 7 service that will monitor & block the selected domains.

Thank you
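The two matching behaviours described in the reply above, as an added example (my reading of the text, not Peplink's code): a local DNS record answers only for the exact name it defines, while a Domain Name firewall rule covers the domain and every host under it, and the trailing `.*` form matches the domain label anywhere before the last label. The sample hostnames are constructed.

```python
from typing import Dict, List

def _labels(name: str) -> List[str]:
    """Split a hostname into lowercase DNS labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")

def local_dns_matches(record: str, hostname: str) -> bool:
    """A local DNS record answers only for exactly the name it defines (no wildcards)."""
    return _labels(record) == _labels(hostname)

def firewall_domain_matches(rule: str, hostname: str) -> bool:
    """Domain Name rule semantics as described in the reply (assumed model):
    'foobar.com' matches foobar.com and every *.foobar.com;
    'foobar.*' matches any host whose labels contain 'foobar' followed by at
    least one more label (www.foobar.com, www.foobar.co.jp, foobar.co.uk).
    A wildcard anywhere else is rejected rather than silently ignored."""
    host = _labels(hostname)
    if rule.endswith(".*"):
        if "*" in rule[:-2]:
            raise ValueError("wildcard is only supported at the end of the domain name")
        base = _labels(rule[:-2])
        n = len(base)
        # The base labels must appear as a run somewhere before the final label.
        return any(host[i:i + n] == base for i in range(0, len(host) - n))
    if "*" in rule:
        raise ValueError("wildcard is only supported at the end of the domain name")
    suffix = _labels(rule)
    # Compare whole labels, not string suffixes: a plain endswith('foobar.com')
    # would also catch the unrelated look-alike 'evilfoobar.com'.
    return host == suffix or (len(host) > len(suffix) and host[-len(suffix):] == suffix)

def coverage(entry: str, hostnames: List[str]) -> Dict[str, List[str]]:
    """Which of the hostnames a single entry covers under each blocking method."""
    return {
        "local_dns_record": [h for h in hostnames if local_dns_matches(entry, h)],
        "firewall_domain_rule": [h for h in hostnames if firewall_domain_matches(entry, h)],
    }

# Constructed sample hostnames, including look-alikes that must not be caught.
SAMPLE_HOSTS = ["cbs.com", "www.cbs.com", "mail.cbs.com", "ftp.cbs.com",
                "x.y.cbs.com", "notcbs.com", "cbs.co.uk"]

if __name__ == "__main__":
    for method, hosts in coverage("cbs.com", SAMPLE_HOSTS).items():
        print(f"{method}: {hosts}")
```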


#3

You are correct in assuming that I was considering local DNS records as a way to block access to a domain. Specifically, I was thinking of assigning a bad domain to 127.0.0.1 to block it. Trying to weigh the pros/cons of this vs. Web blocking vs. an outgoing firewall rule.

Local DNS Records
If I understood correctly, to block “cbs.com” for example, I would need to add local DNS records for
x.cbs.com and y.cbs.com and z.cbs.com and mail.cbs.com and ftp.cbs.com and www.cbs.com
This is, obviously, an accident waiting to happen as there is no way to know every sub-domain of cbs.com.
Plus, it’s a lot of work.

**Outgoing firewall rule**
If I understood correctly, blocking “cbs.com” would block all the six examples above.

Web blocking
What is the advantage to this? It seems to only block HTTP/HTTPS while the other two methods block *all* protocols. True?

Thank you in advance.


#4

Hi Michael,

This is correct.

This is correct. Anyway, you might experience being unable to block certain domains with the defined firewall rules. A good example will be youtube.com. The reason is YouTube will connect to other domains (Youtube.com, Ytimg.com, Ytimg.l.google.com, etc.) in the backend when you launch the browser. Hence, you need to know the hidden domains if you are using a firewall rule.

This is used to block web browsing traffic (HTTP/HTTPS). Please take note that certain applications use TCP 80, 443; we don’t categorize this as web browsing traffic. We do have the pre-defined URL links based on category. Hence, you just need to choose based on the provided categories and block the web access.

Hope this helps.


#5

Wow, great point. Thanks for bringing it up.