DHCP & DNS Configuration
From the menu, select DHCP & DNS Configuration
The Interfaces page allows network administrators to define which interfaces the iShield should use to respond to DHCP and DNS requests.
When configuring a new LAN network, it is necessary to ensure that the interface is Enabled to respond to DNS and DHCP requests. Any VLAN interfaces configured on a LAN interface should also be enabled.
If an interface is not selected, the iShield will not respond to DHCP or DNS requests received on that interface.
Although the iShield is designed to manage all LAN ranges—including DHCP and DNS—it is not mandatory. In environments where DHCP/DNS services are provided by a third-party server (e.g., a Windows Domain Controller), the iShield can be configured to relay DHCP and DNS requests to that server. DHCP and DNS relay configuration is covered in a later section.
The DHCP Ranges section allows administrators to create and manage DHCP scopes that issue IPv4 addresses to devices on the local network.
Centrally managed DHCP is considered best practice because it helps prevent duplicate IP addresses, which commonly arise when statically configured hosts fall inside a DHCP scope. Consider the following:
DHCP Range: 192.168.1.100 – 192.168.1.200
Static Server IP: 192.168.1.150 (inside the DHCP range – not recommended)
In such cases, the DHCP server may inadvertently lease an IP already statically configured, leading to network instability and intermittent connectivity issues.
Best Practice:
Assign static IPs outside the DHCP range, and maintain configuration/change management documentation to track static assignments.
The iShield automatically issues leases from a DHCP range on the interface whose gateway address falls within that range's network.
Example:
Interface gateway: 192.168.1.254
DHCP range: 192.168.1.100 – 192.168.1.200
Result: All devices on that interface will be assigned addresses within the configured scope.
There is no software-defined limit to how many networks the iShield can support; limitations are purely hardware-based.
Creating a DHCP Range
Click Add DHCP Range.
Complete the Add DHCP Range dialog:
Start IP: the first leaseable IP in the range (e.g., 192.168.1.100).
End IP: the last leaseable IP (e.g., 192.168.1.200).
Subnet: the network mask, in dotted-decimal or prefix notation (e.g., 255.255.255.0, i.e. /24).
Lease Time: how long a lease remains valid. The default is 12 hours and can be changed; shorter leases are useful on high-turnover networks so that addresses return to the pool quickly.
If the iShield is not managing DHCP for a network, administrators may skip DHCP range configuration and simply enable the correct interface for DHCP/DNS responses. In such cases, DHCP relays or external servers will process DHCP broadcasts.
The DHCP Relay section enables the iShield to forward DHCP requests to a third-party DHCP server.
This feature is common in domain-joined networks where a Windows Server manages DHCP and DNS.
Important: The relaying interface must be enabled under the Interfaces page, or the iShield will not forward incoming DHCP broadcasts.
Creating a DHCP Relay
Click Add DHCP Relay.
Complete the dialog:
Listening Interface: Interface where DHCP broadcasts are received.
DHCP Server IP: Address of the third-party DHCP server (e.g., 192.168.10.250).
DHCP Server Interface: Interface used to reach the third-party DHCP server.
DHCP Reservations allow network administrators to permanently assign a specific IP address to a device based on its MAC address.
Reservations are useful when:
A device has a static IP that overlaps with the DHCP range (preventing conflicts).
A device does not support manual IP configuration.
A device is physically inaccessible, making static configuration impractical.
Creating a Reservation from an Existing Lease
Click the + icon next to an active lease.
Complete the dialog:
MAC Address: Automatically populated from the lease.
IP Address: The reserved IP. Changes take effect after the current lease expires.
Description: an optional label for the reservation.
If the new reservation IP is currently leased to another device, both leases must expire before the reservation becomes active.
Reservations appear below the Active Leases list and can be edited or removed by administrators with Configuration Mode access.
Creating a Manual Reservation
Click Add DHCP Reservation and enter:
MAC Address: The device MAC address.
IP Address: The reserved IP. Changes take effect after the current lease expires.
Description: an optional label for the reservation.
DHCP Options allow administrators to extend DHCP configuration parameters. Common options might include Network Time Protocol (NTP) or domain-search options.
A common DHCP option used in domain-joined or centrally managed networks is the domain-search option.
This option allows administrators to define search domains that devices should append automatically when resolving hostnames.
Example:
domain.local
This configuration ensures:
Devices will automatically append domain.local when resolving short hostnames.
Users can access internal resources without typing the full FQDN (e.g., typing server1 resolves to server1.domain.local).
Usability and consistency improve in environments where internal servers and services use a standardised domain namespace.
Creating a DHCP Option
Click Add DHCP Option.
Enter:
DHCP Option: Predefined or custom option (e.g., dns-server).
DHCP Parameter: The value(s) for the option, comma-separated.
DHCP Options are optional and only apply if the iShield is issuing DHCP leases.
This page defines the iShield’s public DNS resolution behavior.
Automatic DNS Selection
The iShield tests DNS servers learned from upstream gateways (e.g., PPPoE, routers) plus defaults (8.8.8.8 / 8.8.4.4) and selects the fastest responding servers.
Manual DNS Selection
The iShield will exclusively use the DNS servers specified by the network administrator (default: 8.8.8.8, 8.8.4.4). These servers are queried in the order in which they appear in the UI. Use the up and down arrow icons to reorder the DNS servers as needed.
Note: Only public DNS servers should be used.
Do not configure local resolvers here or DNS loops may occur.
DNS Options provides tools for content filtering, query handling, and DNS forwarding behavior.
Disable DNS Negative Caching
Negative caching stores the results of failed DNS lookups. While it improves performance, it can return a false negative if a domain's resource record becomes available before the cached failure expires.
Disable this option to prevent such false-negative caching issues.
DNS Force Safe Searching
DNS Force Safe Searching enables network administrators to filter explicit or inappropriate content online by enforcing the built-in Safe Search functionality on supported search engines. Safe Search is a content-filtering feature provided by major search engines that automatically suppresses explicit images, videos, and web results. When enforced at DNS level, users cannot disable or bypass Safe Search through their browser settings.
The following search engines are supported by this feature:
Bing
DuckDuckGo
To function correctly, this feature requires that the iShield handles DNS queries for the network. If devices are configured to use a third-party DNS server, the iShield cannot intercept or enforce Safe Search rules, and users may still be exposed to explicit content.
In environments where users attempt to bypass DNS Force Safe Searching by manually configuring public DNS servers, firewall rules can be applied to redirect DNS traffic. These rules redirect all outbound UDP port 53 traffic to the iShield, ensuring Safe Search enforcement regardless of the device’s local DNS configuration.
Disable DNS over HTTPS/TLS (DoH/DoT)
DNS over HTTPS (DoH) is a protocol that encrypts DNS queries using HTTPS; DNS over TLS (DoT) does the same over a dedicated TLS connection. Traditionally, DNS queries are sent in plain text, meaning anyone on the network path can see which domains a user is trying to access.
DoH changes this by wrapping DNS requests inside encrypted HTTPS traffic. This protects DNS queries from interception or tampering, but it also means:
Network security devices (like firewalls and content filters) cannot inspect or enforce policies on those DNS requests.
Users can potentially bypass configured DNS servers and filtering rules by using public DoH resolvers (e.g., Cloudflare, Google, Mozilla).
To ensure the iShield can inspect and filter traffic, DoH/DoT is disabled by default.
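Added example, not from the iShield or this guide: detection logic over a few constructed flow records that flags clients sending plain DNS to anything other than the iShield (the bypass described above), connections on the DoT port, and HTTPS to a known public resolver. It assumes the iShield's LAN address is 192.168.1.254, the gateway used earlier on this page.

```python
from collections import defaultdict

ISHIELD_IP = "192.168.1.254"                  # assumed LAN address of the iShield
KNOWN_PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4"}  # the public defaults named on this page

# Constructed flow records: time src_ip dst_ip proto dst_port (not real iShield logs).
FLOWS = """\
10:00:01 192.168.1.101 192.168.1.254 udp 53
10:00:02 192.168.1.102 8.8.8.8 udp 53
10:00:03 192.168.1.102 8.8.8.8 tcp 853
10:00:04 192.168.1.103 8.8.4.4 tcp 443
10:00:05 192.168.1.103 203.0.113.10 tcp 443
"""

def classify(flow):
    """Return a finding label for one flow record, or None if it is benign."""
    _, src, dst, proto, port = flow.split()
    port = int(port)
    if port == 53 and dst != ISHIELD_IP:
        # Client configured with a third-party resolver: Safe Search is not enforced.
        return "plain DNS to third-party resolver (filter bypass)"
    if proto == "tcp" and port == 853:
        # 853/tcp is the standard DNS over TLS port.
        return "DNS over TLS (DoT) to external resolver"
    if proto == "tcp" and port == 443 and dst in KNOWN_PUBLIC_RESOLVERS:
        # DoH shares port 443 with ordinary HTTPS; the destination is the only clue.
        return "HTTPS to known public resolver (likely DoH)"
    return None

def audit(flows):
    """Group findings by client IP so each bypassing host is reported once."""
    findings = defaultdict(list)
    for line in flows.strip().splitlines():
        label = classify(line)
        if label:
            findings[line.split()[1]].append(label)
    return dict(findings)

if __name__ == "__main__":
    for client, labels in audit(FLOWS).items():
        print(client, "->", "; ".join(labels))
```

Flows whose port 53 destination is the iShield itself are the expected case and produce no finding.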
DNS Address Redirect
DNS Address Redirect allows administrators to override DNS responses for specific hostnames and direct them to a chosen IP address. This is especially useful in environments without a dedicated DNS resolver, where hostname-based access or internal routing is required.
With this feature, the iShield can respond with a custom IP address for selected hostnames, ensuring devices on the network always resolve those names to the intended destination.
Creating a DNS Address Redirect
Click Add Address Redirect.
Enter:
Hostname: FQDN, domain, or simple hostname.
IP Address: Destination IP (public or private).
Domain DNS Forward
Domain DNS Forward allows the iShield to forward DNS queries for specific domains (e.g., customer.local, customer.co.za) to a defined resolver.
Requirements:
The iShield must be the primary DNS server for clients.
Only queries matching the domain will be forwarded.
If a third-party DNS server is used as the primary resolver, that server becomes responsible for forwarding queries as needed.
Creating a Domain DNS Forward
Click Add Domain Forward Lookup.
Enter:
Domain: Domain name to forward (e.g., customer.local).
DNS Server: IP address of the destination resolver (e.g., 192.168.10.250).
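Added illustration of the lookup precedence described in the DNS Address Redirect and Domain DNS Forward sections (example code, not the iShield's own resolver): address redirects answer locally, queries under a forwarded domain go to the defined resolver, and everything else goes to the public DNS servers. It assumes a domain entry also covers its subdomains and that redirects take precedence over forwards; the table values are constructed from the page's examples.

```python
# Constructed policy tables mirroring the page's examples (assumed data, not an iShield export).
ADDRESS_REDIRECTS = {
    "intranet.domain.local": "192.168.1.10",   # FQDN
    "printer": "192.168.1.20",                 # simple hostname
    "example.net": "203.0.113.10",             # domain: covers example.net and names below it
}
DOMAIN_FORWARDS = {
    "customer.local": "192.168.10.250",
    "customer.co.za": "192.168.10.250",
}
PUBLIC_DNS = ["8.8.8.8", "8.8.4.4"]   # queried in UI order (Manual DNS Selection)

def _matches(name, entry):
    """True if name equals entry or is a subdomain of it."""
    return name == entry or name.endswith("." + entry)

def resolve_policy(qname):
    """Return ("redirect", ip), ("forward", resolver) or ("upstream", resolver list)."""
    name = qname.rstrip(".").lower()
    # 1. Address redirects are answered locally and win over everything else.
    #    Longest entry first so a specific host beats a broader domain entry.
    for entry, ip in sorted(ADDRESS_REDIRECTS.items(), key=lambda kv: -len(kv[0])):
        if _matches(name, entry):
            return ("redirect", ip)
    # 2. Only queries matching a configured domain are forwarded to its resolver.
    for domain, resolver in sorted(DOMAIN_FORWARDS.items(), key=lambda kv: -len(kv[0])):
        if _matches(name, domain):
            return ("forward", resolver)
    # 3. Everything else goes to the public DNS servers.
    return ("upstream", PUBLIC_DNS)

if __name__ == "__main__":
    for q in ("printer", "www.example.net.", "dc1.customer.local", "notcustomer.local"):
        print(q, "->", resolve_policy(q))
```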