DHCP & DNS Configuration
The interfaces page within DHCP & DNS Configuration enables network administrators to select interfaces on which the iShield must respond to DHCP & DNS requests.
When configuring a new LAN network it is considered best practice to check the interface for the newly configured LAN network. If any VLANs have been configured they should be checked too.
If an interface is left unchecked, the iShield will not respond to any DHCP or DNS requests received inbound on that interface.
The iShield is intended to manage all LAN network ranges, including DHCP and DNS; however, this is not a requirement. If a third-party server, such as a Windows server running as a Domain Controller, must be responsible for DHCP lease management and DNS management, the iShield can be configured to relay DHCP and DNS requests to that server. DHCP and DNS relays are covered in a later module of this document.
DHCP Ranges within the DHCP & DNS Configuration module enables network administrators to configure new DHCP scopes to lease IPv4 addresses to local nodes requesting IP addresses dynamically.
Using DHCP to manage networks is considered best practice as it reduces the risk of duplicate IP addresses. Duplicate IP addresses are typically encountered where a static IP address has been assigned to a local node, such as a printer or server, and that address also falls within the configured DHCP scope.
For example:
DHCP scope/range: 192.168.1.100 - 192.168.1.200
Server Static IP: 192.168.1.150
In most instances the DHCP server is unaware of the static IP assigned to the server and may lease 192.168.1.150 to an internal network node requesting an address. Once the DHCP node holds that address, traffic intended for the server will only intermittently reach it, resulting in persistent broken connections and unavailable services (depending on which services, such as DNS, are enabled and in use on the server).
It is considered best practice to configure static IP addresses outside of the DHCP scope to reduce the risk of duplicate IP addresses. It is also recommended that network administrators maintain a configuration management and change document to keep track of static IP assignments and other critical network configuration information.
The DHCP ranges configured on the iShield will automatically lease IP addresses over the interface whose gateway address corresponds to the network range in question.
e.g. ether2 gateway = 192.168.1.254
DHCP range = 192.168.1.100 - 192.168.1.200
Devices connecting on ether2 will be leased IP addresses within the 192.168.1.100 - 192.168.1.200 network range.
There is no software-defined limit to the number of networks that the iShield can run; the only limitation is hardware related, depending on the number of users expected to connect to the network.
To configure a new DHCP range, select the "Add DHCP Range" button.
A dialog box with the title "Add DHCP Range" will appear.
The following parameters will be requested:
Start IP - this value represents the first leaseable IP address within the DHCP range, e.g. 192.168.1.100. New DHCP leases will start from the x.100 address and run up to the End IP.
End IP - this value represents the last leaseable IP address within the DHCP range, e.g. 192.168.1.200. DHCP leases will not be issued beyond this IP address. Note that larger networks should typically be configured with a larger subnet size to accommodate more nodes on a single network range.
Subnet - this value represents the size of the network, e.g. 255.255.255.0 (/24). A /24 subnet is the classless equivalent of a class C network and allows a maximum of 254 hosts to connect to the network. It is typically not considered best practice to lease out the entire network range, as that leaves no room for static IP management; static IP addresses should be assigned outside of the DHCP scope to properly manage the network.
Lease Time - this value represents the lifespan of a DHCP lease. The industry standard for DHCP lease expiry is 12 hours; however, the iShield enables network administrators to customise this value on a per-range basis. This may aid in managing networks with high volumes of foot traffic that require more frequent recycling of IP addresses to accommodate new devices connecting. The default value is 12 hours, and setting a custom value when configuring a new network range is optional.
In cases where the iShield is not required to manage DHCP for a network, the network administrator does not need to configure a DHCP range. Instead, only check the inbound interface on which the iShield must respond to DHCP & DNS requests, to accommodate DHCP relays and DNS if required. Simple networks with a single network range do not require DHCP relays: the server simply responds to DHCP requests. When a local node broadcasts from UDP port 68, the server responds with an offer from UDP port 67 and the DHCP IP assignment conversation commences.
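As an added example (this is not iShield code), the following Python script checks a proposed DHCP range the way a network administrator would before saving the "Add DHCP Range" dialog: it confirms the Start IP and End IP sit inside the subnet of the interface gateway, that the network, broadcast and gateway addresses are not leaseable, and that no statically assigned host from the change document falls inside the range (the 192.168.1.150 overlap described earlier). The gateway, range and static host inventory are constructed sample values.

```python
import ipaddress

# Constructed sample values mirroring the "Add DHCP Range" dialog and the
# ether2 gateway example above (not taken from a real configuration).
GATEWAY = "192.168.1.254/24"      # interface gateway with its subnet mask
START_IP = "192.168.1.100"
END_IP = "192.168.1.200"
# Constructed static IP inventory as kept in a change document.
STATIC_HOSTS = {"printer-1": "192.168.1.150", "srv-files": "192.168.1.10"}


def validate_dhcp_range(gateway_cidr, start_ip, end_ip, static_hosts):
    """Check a DHCP range against its subnet and the static IP inventory.

    Returns a dict with:
      pool_size       - number of leaseable addresses in the range
      static_capacity - usable addresses left outside the pool for statics
      findings        - list of human-readable problems (empty when clean)
    """
    iface = ipaddress.ip_interface(gateway_cidr)
    net = iface.network
    start = ipaddress.ip_address(start_ip)
    end = ipaddress.ip_address(end_ip)
    findings = []

    # The range must lie entirely inside the gateway's subnet.
    if start not in net or end not in net:
        findings.append(f"range {start}-{end} is outside subnet {net}")
    if start > end:
        findings.append("start IP is greater than end IP")

    # Network, broadcast and gateway addresses must never be leased.
    gateway_in_range = False
    for label, addr in (("network", net.network_address),
                        ("broadcast", net.broadcast_address),
                        ("gateway", iface.ip)):
        if start <= addr <= end:
            findings.append(f"{label} address {addr} is inside the range")
            gateway_in_range = gateway_in_range or label == "gateway"

    # Any static host inside the scope is a duplicate-IP risk.
    for name, ip in static_hosts.items():
        if start <= ipaddress.ip_address(ip) <= end:
            findings.append(f"static host {name} ({ip}) overlaps the range")

    pool_size = int(end) - int(start) + 1 if start <= end else 0
    usable_hosts = net.num_addresses - 2          # minus network and broadcast
    static_capacity = usable_hosts - pool_size
    if not gateway_in_range:
        static_capacity -= 1                      # gateway occupies one address
    return {"pool_size": pool_size,
            "static_capacity": max(static_capacity, 0),
            "findings": findings}


if __name__ == "__main__":
    result = validate_dhcp_range(GATEWAY, START_IP, END_IP, STATIC_HOSTS)
    print(f"{result['pool_size']} leaseable, {result['static_capacity']} left for statics")
    for finding in result["findings"]:
        print("WARNING:", finding)
```

For the sample values the script reports 101 leaseable addresses, 152 addresses left for static assignment, and one warning for printer-1, which is exactly the overlap that produces intermittent connectivity to the statically addressed node.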
DHCP relay within the DHCP & DNS Configuration module enables network administrators to relay DHCP requests received by the iShield to a third-party DHCP server based on a predicate.
This feature is typically used in domain-joined environments where the local server managing the network's DHCP ranges must be used to lease out addresses to the nodes connecting to the local network.
Take note: the iShield cannot relay DHCP requests if the Interfaces page has not been configured to respond to DHCP requests on the relevant inbound interface.
To configure a new DHCP relay, click the "Add DHCP Relay" button.
A dialog box with the title "Add DHCP Relay" will appear. The window will accept the following parameters:
Listening Interface - this value represents the interface listening for DHCP broadcasts. If a broadcast is received the iShield will relay the DHCP request to the server configured to lease DHCP addresses for the local network.
DHCP Server IP - this value represents the server responsible for negotiating the IP address with the network node, e.g. DHCP server IP 192.168.10.250.
DHCP Server Interface - this value represents the interface where the server can be found. This ensures that the interface is listening for DHCP requests and that the server can respond when the relay takes place.
DHCP relay is commonly used in large networks where there are numerous Virtual LAN Networks that need to be managed by a third party. Typically this is to ensure appropriate local domain management and simplify DNS transactions with the third party server.
DHCP Reservations within the DHCP & DNS Configuration module enables network administrators to reserve IP addresses for a local network device.
DHCP reservation is used in cases where a static IP address has been assigned to a local network device and that IP overlaps with the DHCP range in question. This isolates the IP address within the range but has no impact on the local node, since a device configured with a static IP address does not send DHCP broadcasts.
Another use case for DHCP reservations is to reserve IP addresses for devices that do not support manual IP configuration, or for devices that cannot be reached physically or remotely to alter the IP address in the device's network configuration settings.
To configure a DHCP reservation select the "+" button next to a device with an existing lease.
A dialog box will appear and will accept the following parameters:
MAC Address - this value represents the physical address or MAC address of the node for which the reservation will be configured. This field will be automatically populated when clicking on the "+" button under the list of active DHCP Leases.
IP Address - this value represents the IP address to be bound to the physical address configured/captured above. The IP address can be altered now; however, the current DHCP lease must first expire before the new IP address will be leased and reserved to the node in question. Take note that if the IP address is altered at this stage and the assigned IP address has already been leased to another device, both leases must first expire before the new IP lease and reservation come into effect.
Description - this field allows network administrators to set a friendly name or text-based description related to the reason for the reservation. Ensure that the description makes sense and shows the intention of the reservation for other network administrators to understand the reason for the reservation at a glance when reviewing the iShield configuration.
DHCP Reservations are listed below the list of recent/active DHCP leases. The DHCP Reservations list can be edited to update reservation MAC addresses, IP addresses, and descriptions.
DHCP reservations can be removed or updated as required by any user with Configuration Mode access.
DHCP Reservations can also be manually created by clicking on the "Add DHCP Reservation" button. Take note that manually adding a new reservation requires that you have the following information on hand to complete the reservation:
Physical Address / MAC Address
IP Address
Description (optional)
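The following Python simulation is an added example, not iShield code, and models only the server-side decision logic behind the DHCP exchange described earlier (DISCOVER/OFFER followed by REQUEST/ACK, with no sockets or UDP 67/68 traffic) together with the reservation rules above: a reservation isolates its address from the dynamic pool, a client's active lease is renewed in place, and a reservation that points at an address another node still holds only takes effect once both leases have expired. Time is an integer supplied by the caller so the scenario is deterministic; the MAC addresses, range and 100-second lease are constructed values.

```python
import ipaddress

# Constructed sample client identifiers (not real devices).
NODE_A = "aa:bb:cc:00:00:01"
NODE_B = "aa:bb:cc:00:00:02"


class DhcpPool:
    """Minimal DHCP range model with reservations and lease expiry."""

    def __init__(self, start_ip, end_ip, lease_seconds=12 * 3600):
        first = int(ipaddress.ip_address(start_ip))
        last = int(ipaddress.ip_address(end_ip))
        self.addresses = [str(ipaddress.ip_address(n)) for n in range(first, last + 1)]
        self.lease_seconds = lease_seconds
        self.leases = {}        # ip -> (mac, expires_at)
        self.reservations = {}  # mac -> ip

    def _expire(self, now):
        """Drop every lease whose lifetime has run out."""
        for ip in [ip for ip, (_, exp) in self.leases.items() if exp <= now]:
            del self.leases[ip]

    def reserve(self, mac, ip):
        self.reservations[mac] = ip

    def active_lease(self, mac):
        for ip, (holder, _) in self.leases.items():
            if holder == mac:
                return ip
        return None

    def discover(self, mac, now):
        """DISCOVER -> OFFER: return the address the server would offer, or None."""
        self._expire(now)
        current = self.active_lease(mac)
        if current:
            return current                      # renew the existing lease in place
        wanted = self.reservations.get(mac)
        if wanted and wanted not in self.leases:
            return wanted                       # reserved address is free: use it
        reserved = set(self.reservations.values())
        for ip in self.addresses:               # otherwise first free dynamic address,
            if ip not in self.leases and ip not in reserved:
                return ip                       # skipping addresses reserved for others
        return None                             # pool exhausted

    def request(self, mac, ip, now):
        """REQUEST -> ACK (True) or NAK (False): commit the lease if the offer still stands."""
        if ip is None or self.discover(mac, now) != ip:
            return False
        self.leases[ip] = (mac, now + self.lease_seconds)
        return True


def run_scenario():
    """Replay the 'reservation on an address another node holds' case; returns the offers made."""
    pool = DhcpPool("192.168.1.100", "192.168.1.102", lease_seconds=100)
    log = []

    def step(mac, now):
        offer = pool.discover(mac, now)
        assert pool.request(mac, offer, now)
        log.append((now, mac, offer))

    step(NODE_A, 0)                            # A gets .100 (lease until t=100)
    step(NODE_B, 50)                           # B gets .101 (lease until t=150)
    pool.reserve(NODE_A, "192.168.1.101")      # admin reserves .101 for A while B holds it
    step(NODE_A, 60)                           # A's own lease still active: renewed as .100
    step(NODE_A, 120)                          # A expired, but .101 is still B's: .100 again
    step(NODE_B, 160)                          # B expired; .101 is reserved for A, so B gets .102
    step(NODE_A, 230)                          # both old leases gone: reservation takes effect
    return log


if __name__ == "__main__":
    for now, mac, offer in run_scenario():
        print(f"t={now:>3}s  {mac}  offered {offer}")
```

The final offer is the reserved 192.168.1.101 only at t=230, after A's second lease (t=120 to t=220) and B's original lease (t=50 to t=150) have both expired, which is the behaviour the IP Address field description above warns about.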
DHCP Options within the DHCP & DNS Configuration module enables network administrators to configure DHCP options that extend and simplify management of the network, depending on the option configured.
The most common use case for DHCP options is to define the DNS server list for local network nodes. Configuring the DNS server DHCP option forces all DHCP clients to use the comma-delimited list of DNS servers in the order configured, from left to right.
For example:
192.168.10.250,8.8.8.8
This configuration ensures that the local DNS server is used as the primary DNS server to resolve local hostnames. The second entry is the failover DNS server, used should the primary be unresponsive. Take note that a public DNS server cannot resolve local names; a dedicated resolver must be used if local hostname resolution is required.
To configure a new DHCP Option, click the "Add DHCP Option" button.
A dialog box will appear and will accept the following parameters:
DHCP Option - this value represents the pre-defined or custom DHCP option that the network administrator needs to issue over DHCP, e.g. dns-server DNS Servers.
DHCP Parameter - this value represents the parameters to be issued to DHCP clients. This value will vary depending on the DHCP option configured; in our case we configure the dns-server DNS Servers option from the DHCP option list, so the DNS server IP addresses must be entered separated by commas, e.g. 192.168.10.250,8.8.8.8.
Take note that DHCP options are not required. They enhance network management and ensure that a consistent configuration is applied across all DHCP network nodes.
Take note that if the iShield is not responsible for DHCP lease assignment, the DHCP Options configured will not have an impact on any of the devices connecting to the network in question.
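As an added example (not iShield code), the Python below shows what the comma-delimited DHCP Parameter for the dns-server option becomes on the wire (option code 6 from RFC 2132, a one-byte length, then four bytes per IPv4 address, in the configured order), decodes it back, and applies the ordering check implied above: if no RFC 1918 address is listed, or a public resolver precedes the local one, local hostnames will not resolve reliably. The option code is the standard one; the server list is the sample value from this section.

```python
import ipaddress

DHCP_OPTION_DNS_SERVERS = 6   # "dns-server" option code, RFC 2132 section 3.8


def parse_ip_list(parameter):
    """Split the dialog's comma-delimited value into IPv4Address objects, in order."""
    addrs = [ipaddress.IPv4Address(p.strip()) for p in parameter.split(",") if p.strip()]
    if not addrs:
        raise ValueError("at least one address is required")
    return addrs


def encode_ip_list_option(code, parameter):
    """Encode an IPv4-list option as: code (1 byte), length (1 byte), addresses (4 bytes each)."""
    payload = b"".join(a.packed for a in parse_ip_list(parameter))
    if len(payload) > 255:
        raise ValueError("option payload exceeds the 255-byte DHCP option limit")
    return bytes([code, len(payload)]) + payload


def decode_ip_list_option(blob):
    """Reverse of encode_ip_list_option; returns (code, [dotted-quad strings])."""
    if len(blob) < 2:
        raise ValueError("truncated option")
    code, length = blob[0], blob[1]
    payload = blob[2:2 + length]
    if length % 4 != 0 or len(payload) != length:
        raise ValueError("malformed IPv4-list option")
    return code, [str(ipaddress.IPv4Address(payload[i:i + 4])) for i in range(0, length, 4)]


def check_resolver_order(parameter):
    """Warn when the list cannot give clients local hostname resolution.

    Clients try the servers left to right, so a public resolver listed first
    answers local names with a negative result while it is reachable.
    """
    addrs = parse_ip_list(parameter)
    warnings = []
    if not any(a.is_private for a in addrs):
        warnings.append("no local resolver listed: local hostnames will not resolve")
    elif not addrs[0].is_private:
        warnings.append(f"public resolver {addrs[0]} is listed first; "
                        "local hostnames will fail while it is reachable")
    return warnings


if __name__ == "__main__":
    parameter = "192.168.10.250,8.8.8.8"          # sample value from this section
    blob = encode_ip_list_option(DHCP_OPTION_DNS_SERVERS, parameter)
    print(blob.hex())                             # 0608c0a80afa08080808
    print(decode_ip_list_option(blob))
    print(check_resolver_order("8.8.8.8,192.168.10.250"))
```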
DNS Servers within the DHCP & DNS Configuration module enables network administrators to configure their preferred public DNS resolution method.
There are two options for public DNS server configuration on the iShield, as per the list below:
Automatic DNS Selection - The iShield will automatically test the DNS servers from upstream routers, PPPoE connections, and the list of default DNS servers (8.8.8.8, 8.8.4.4). The DNS servers that respond to DNS queries will be used in order of performance.
Manual DNS Selection - The iShield will only make use of the DNS servers configured by the network administrator (default: 8.8.8.8, 8.8.4.4). These DNS servers will be used in the order in which they appear within the UI. Take note that this list must only stipulate public DNS servers; configuring a local DNS resolver in this list may result in a DNS loop.
DNS Options within the DHCP & DNS Configuration module enables network administrators to accomplish a variety of goals from filtering explicit content online to enforcing a DNS forward. Each feature has been covered in detail below.
Disable DNS Negative Caching
DNS Negative Caching speeds up DNS resolution by caching negative responses to past DNS queries. The pitfall of this feature is that a cached negative response may produce a false negative when browsing to a website whose name failed to resolve at the time of the initial query.
Disabling DNS Negative caching may improve the user experience if there is a persistent issue encountered on the network related to false negatives when querying some website domains.
DNS Force Safe Searching
DNS Force Safe Searching enables network administrators to filter explicit content online by enforcing the safe search feature on all supported search engines.
The following search engines are supported by the safe search feature:
Bing
DuckDuckGo
It is important to note that this is a DNS feature and requires that the iShield handle DNS queries for your network. If a third-party DNS server is used the iShield cannot enforce the safe search feature and the search engine content filter may display explicit content to the user.
In scenarios where users are bypassing the DNS Force Safe Search feature by configuring public DNS servers statically, we can configure firewall rules to hijack DNS queries and force all UDP 53 connections to terminate at the iShield regardless of local node configuration. Contact our support team for more information regarding this rule.
Disable DNS over HTTPS/TLS (DOH/DOT)
DNS over HTTPS/TLS is a protocol used to secure user privacy by executing DNS queries over the HTTPS/TLS protocol. DNS queries are encrypted between the DoH/DoT host and server preventing eavesdropping and DNS data manipulation by MITM (Man In The Middle) attacks.
The nature of next-generation firewalls is that they effectively operate in the MITM position in a controlled fashion to identify and filter traffic based on IDS/IPS and inline antivirus signatures. With DoH and DoT enabled we are not able to monitor or filter this traffic, impacting the network administrator's ability to fully identify users' website access history, filter unproductive websites, and filter potentially harmful traffic.
By default, iShield will disable DoH and DoT (DNS over HTTPS and DNS over TLS) to ensure that we can report on your users' internet activity and block unproductive websites.
DNS Address Redirect
The DNS Address Redirect feature enables network administrators to hijack queries for DNS hostnames and point them to a third-party IP address/server.
This feature is used in cases where customers need to access an internal server based on hostname but do not have a dedicated DNS resolver. The iShield will facilitate the connection based on hostname by hijacking the DNS query and pointing it to the server IP address stipulated.
To configure a new DNS Address Redirect, click the "Add Address Redirect" button.
A dialog box will appear and accept the following parameters:
Hostname - this value represents the host to which we intend to connect. This hostname can be an FQDN such as mail.google.com, a domain name such as google.com, or a bare hostname such as google.
IP Address - this value represents the host IP address that will receive the connection. This IP address can be defined as a public or a private IP address depending on the use case.
Take note that iShield does not function as a DNS resolver. Configuring a DNS Address Redirect will only affect users directly connected to any of the iShield local broadcast domains. Remote VPN users cannot make use of the DNS Address Redirect values remotely.
Domain DNS Forward
The Domain DNS Forward feature enables network administrators to forward local DNS queries to a dedicated resolver.
In order for this feature to work, the iShield must respond to DNS queries and must be the primary DNS server in the local DNS server priority list. The iShield will forward queries for names under the local domain name, e.g. customer.local or customer.co.za, to the local DNS server.
In cases where a third-party DNS server is used as the primary DNS forwarder/resolver, it is the responsibility of that third party to serve DNS and forward DNS queries to the appropriate server depending on the use case.
To configure a Domain DNS Forward, click on the "Add Domain Forward Lookup" button.
A dialog box will appear with the title "Add DNS Domain Forward" and will accept the following parameters:
Domain - this value represents the domain name for which the DNS forward will be configured, e.g. customer.local
DNS Server - this value represents the IP address of the server that will accept and respond to the DNS query, e.g. 192.168.10.250
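As an added example covering both the DNS Address Redirect and Domain DNS Forward sections (this is illustrative Python, not iShield code), the policy function below decides what happens to a query: a redirect entry matched as an exact FQDN, as a parent domain, or as a bare hostname equal to the query's first label wins first; otherwise the longest matching Domain DNS Forward sends the query to the local DNS server; anything else goes to the first public upstream server. Two points are assumptions rather than documented behaviour: that a bare-hostname entry also matches that hostname under any domain, and that redirects are evaluated before forwards. The redirect gate on the client's source address models the note that redirects only apply to nodes on the iShield's local broadcast domains, not remote VPN users. All table entries, the local networks and the VPN client address are constructed sample values.

```python
import ipaddress

# Constructed sample tables mirroring the two dialogs (hostname -> IP, domain -> DNS server).
ADDRESS_REDIRECTS = {
    "mail.google.com": "203.0.113.10",   # FQDN entry
    "intranet.local": "192.168.10.20",   # domain entry (assumed to cover hosts beneath it)
    "printer": "192.168.1.150",          # bare hostname entry
}
DOMAIN_FORWARDS = {
    "customer.local": "192.168.10.250",
    "customer.co.za": "192.168.10.250",
}
UPSTREAM = ["8.8.8.8", "8.8.4.4"]        # Manual DNS Selection defaults from this document
# Constructed local broadcast domains; anything else (e.g. a VPN pool) is remote.
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "192.168.10.0/24")]


def normalise(name):
    """Lower-case and strip the trailing dot so 'Host.Example.' equals 'host.example'."""
    return name.strip().rstrip(".").lower()


def is_local_client(client_ip):
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in LOCAL_NETWORKS)


def resolve_policy(qname, client_ip, redirects=ADDRESS_REDIRECTS,
                   forwards=DOMAIN_FORWARDS, upstream=UPSTREAM):
    """Return ('redirect', ip), ('forward', dns_server) or ('upstream', dns_server)."""
    q = normalise(qname)
    labels = q.split(".")
    redirects = {normalise(k): v for k, v in redirects.items()}

    # 1. Address redirects apply only to clients on a local broadcast domain.
    if is_local_client(client_ip):
        for i in range(len(labels)):               # exact name, then each parent domain
            candidate = ".".join(labels[i:])
            if candidate in redirects:
                return ("redirect", redirects[candidate])
        if labels[0] in redirects:                 # bare hostname entry (assumption)
            return ("redirect", redirects[labels[0]])

    # 2. Domain forwards: the longest matching domain suffix wins.
    best = None
    for domain, server in forwards.items():
        d = normalise(domain)
        if q == d or q.endswith("." + d):
            if best is None or len(d) > len(best[0]):
                best = (d, server)
    if best:
        return ("forward", best[1])

    # 3. Everything else goes to the first public resolver.
    return ("upstream", upstream[0])


if __name__ == "__main__":
    for name, client in (("mail.google.com", "192.168.1.20"),
                         ("wiki.intranet.local.", "192.168.1.20"),
                         ("fileserver.customer.local", "192.168.1.20"),
                         ("printer", "10.8.0.5"),          # constructed VPN client
                         ("www.google.com", "192.168.1.20")):
        print(f"{name:<28} from {client:<13} -> {resolve_policy(name, client)}")
```

The same query for the bare hostname printer is redirected for a node on 192.168.1.0/24 but sent upstream for the 10.8.0.5 VPN client, which is the limitation the DNS Address Redirect note describes; a query for fileserver.customer.local is forwarded to 192.168.10.250 regardless of where the client sits.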