SANGFOR NGAF v8.0.47 Associate
Network Advanced Options
1 Basic Introduction to DNS
2 DNS Proxy Function
3 DNS Transparent Proxy Function
4 DDNS
5 Secondary-Passthrough Traffic
1. Basic Introduction to DNS
DNS Overview
Domain Name System (DNS) names computers and network services that are organized in a
domain hierarchy. DNS naming is used in TCP/IP networks such as the Internet. It is an
application layer protocol that uses port 53 to locate computers and services through
user-friendly names. When a user enters a DNS name in an application, the DNS service
resolves the name to the information associated with it, such as an IP address. The web
address you enter when browsing the Internet is resolved to its IP address by the domain
name system before the connection is made; in the end, a domain name always points to an IP
address.
(Figure: the DNS client sends the domain name [Link] to the DNS server and receives the IP address [Link].)
DNS Query Method
1. Recursive query: The query between the client and the DNS server is a recursive query.
When the client sends a request to the DNS server and the server cannot resolve the name
itself, it sends a query to another DNS server and returns the result to the client.
(Figure: the client sends the DNS request to DNS1, DNS1 forwards it to DNS2, and the IP is returned along the same path.)
2. Iterative query (repeated query): Queries between DNS servers are generally iterative.
For example, if DNS2 cannot answer the request from DNS1, it gives DNS1 the IP address of
DNS3 so that DNS1 can send the request to DNS3 itself.
(Figure: DNS1 queries DNS2, is referred to DNS3, and then queries DNS3.)
DNS Resolution Process
(Figure: resolution of [Link], showing the exchange between the client, the local domain name server, the root domain name server, the COM top-level domain name server and the [Link] domain name server.)
① Client to local domain name server: Hey, do you know what the IP of [Link] is?
② Local server: Not sure (reads its cache, no entry). I'll ask the root domain name server. Do you know what the IP of [Link] is?
③ Root domain name server: I don't know. Ask the COM domain name server.
④ Local server to COM top-level domain name server: Hi com, do you know how to find the IP of [Link]?
⑤ COM server: I don't know, but the baidu.com domain name server can help you.
⑥ Local server to [Link] domain name server: Boss, do you know what the IP of [Link] is?
⑦ [Link] domain name server: 1. Let me find [Link] and see if there is a definition for it. 2. I defined it; let's take a look at the [Link] zone file. 3. There is a host record for www. Ha, you found the right server. I manage this host. It's [Link].
⑧ Local server records the IP of [Link] in its cache and answers the client: I finally found it. The host you're looking for is [Link].
2. DNS Proxy Function
DNS Proxy
DNS proxy means that the intranet PC client sets its DNS server to the gateway and the
gateway proxies DNS resolution on its behalf. The process is as follows:
1. The intranet PC sets DNS as the gateway router and sends the DNS request to the
gateway.
2. After receiving the DNS request from the intranet PC, the gateway router first queries
whether there is a corresponding domain name in the cache. If not, it sends the DNS
request to the DNS server filled in by itself.
3. The DNS server receives the DNS request, queries and returns the corresponding IP
address to the router.
4. After receiving it, the router returns the IP address to the intranet PC.
(Figure: the PC sends the DNS request to the gateway, the gateway forwards it to the DNS server, and the IP is returned along the same path.)
DNS Proxy Application Scenario
The DNS proxy is mainly configured on the egress gateway device. The gateway sends the DNS
request to the domain name server on behalf of the intranet host. It is mainly used on
intranets where the DNS server address cannot be configured on the clients, or where the
users do not know the DNS server address; the DNS address is simply set to the gateway
address for the users' convenience.
Configuration
Go to Network > DNS > DNS Server, fill in the DNS server IP address and set DNS Proxy to
Enable.
Case Configuration
The user's network environment is shown in the figure below. The NGAF device needs to
proxy the private IP addresses of the intranet onto the public network, and users resolve
domain names by entering the NGAF address as their DNS server address. The DNS proxy
function therefore needs to be enabled on the NGAF.
3. DNS Transparent Proxy Function
DNS Transparent Proxy
DNS transparent proxy means that an intermediate device (usually the gateway) intercepts and
captures the client's DNS packets itself. According to its settings, the intermediate device
sends the request to the DNS server configured on the device for resolution and, after
receiving the response from the DNS server, returns it to the client. The client does not
perceive this proxying at all; it is completely transparent.
(Figure: the client's DNS request is intercepted by the gateway and forwarded to DNS Server 1 or DNS Server 2; the returned IP is passed back to the client.)
DNS Transparent Proxy Application Scenario
DNS transparent proxy is configured on the egress gateway device. The gateway device
intercepts and captures the DNS requests of the intranet hosts and sends them to the
configured DNS server. There are mainly two application scenarios:
1. If intranet users do not know the DNS server address, they can set any DNS address and
still resolve names, which is convenient for users.
2. DNS requests are sent to the DNS server specified by the gateway, and the outbound route
can be selected in combination with policy routing.
Configuration
1. Go to Network > DNS > DNS Transparent Proxy and fill in the address of the external DNS
server. If there is an internal DNS server, also fill in its address. Enable DNS
Transparent Proxy, set the number of cache entries and, as needed, upload the file of domain
names that are resolved by the internal DNS server.
2. Go to Policies > NAT > IPv4 NAT, click New and select Destination NAT. Set the source
zone to the zone where the intranet is located, the source address to the intranet segment,
the destination to all network segments and the services to DNS TCP and DNS UDP. Translate
the destination address to the NGAF LAN interface address and the port to the DNS
transparent proxy port 5354.
Case Configuration
The user's network environment is shown in the figure below. The NGAF device is deployed as
the gateway and there is a DNS server on the intranet. DNS requests for the specified domain
names need to be sent to the intranet DNS server for resolution, while other domain names are
still handed to the public DNS servers. DNS transparent proxy therefore needs to be enabled on
the NGAF.
(Figure: the NGAF as gateway between the intranet, the private DNS server and the public DNS server.)
Precaution
1. The NGAF's own DNS server must be set correctly so that the NGAF can perform DNS
resolution normally.
2. NGAF does not support DNS proxy or DNS transparent proxy in bridge mode deployment.
3. TCP port 53 is used for zone transfers between DNS servers, and UDP port 53 is used for DNS
resolution.
4. The DNS proxy uses TCP port 53. After the DNS proxy of the NGAF is turned on, all zones can
access this port on the NGAF. If the NGAF is deployed at the network egress, it is
recommended to deny WAN zone access to this port in the Local ACL.
5. DNS transparent proxy uses TCP port 5354.
6. DNS proxy requires the client to set its DNS server IP to the NGAF interface IP; DNS
transparent proxy does not require the client to set its DNS to the AF interface IP.
7. The DNS transparent proxy queries the intranet DNS server for requests whose domain name
is in the uploaded domain name file, and queries the external DNS server for requests whose
domain name is not in the list.
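The transparent proxy path configured in steps 1 and 2 above and described in precaution 7, as an added Python model (not Sangfor's code): the destination NAT rule that redirects intranet port-53 traffic to proxy port 5354, the split between the internal and external DNS servers based on the uploaded domain-name file, and a cache bounded by the configured entry count. The NGAF LAN address, intranet segment and both DNS server addresses are constructed sample values.

```python
# Added example (not Sangfor's code): models the NGAF DNS transparent proxy path
# described on this page. ask_upstream() stands in for the real forwarder so the
# decision logic can be exercised offline.
from collections import OrderedDict
from ipaddress import ip_address, ip_network

NGAF_LAN_IP = "192.168.1.1"               # constructed sample value
INTRANET = ip_network("192.168.1.0/24")   # constructed sample segment
INTERNAL_DNS = "192.168.1.53"             # constructed sample value
EXTERNAL_DNS = "203.0.113.53"             # constructed sample value
PROXY_PORT = 5354                         # transparent proxy port from the page


def dnat_target(src_ip, dst_port, proto):
    """Destination NAT rule: intranet segment -> any destination, services
    DNS TCP and DNS UDP, translated to the NGAF LAN address and port 5354."""
    if ip_address(src_ip) in INTRANET and dst_port == 53 and proto in ("tcp", "udp"):
        return (NGAF_LAN_IP, PROXY_PORT)
    return None  # not DNS from the intranet: forwarded unchanged


class TransparentProxy:
    def __init__(self, internal_domains, cache_size):
        # Domains from the uploaded file; a name matches if it equals one of
        # them or is a subdomain of one of them.
        self.internal = {d.strip(".").lower() for d in internal_domains}
        self.cache = OrderedDict()  # qname -> answer, least recently used first
        self.cache_size = cache_size

    def upstream_for(self, qname):
        labels = qname.strip(".").lower().split(".")
        for i in range(len(labels)):
            if ".".join(labels[i:]) in self.internal:
                return INTERNAL_DNS   # listed domain: intranet query
        return EXTERNAL_DNS           # unlisted domain: external query

    def resolve(self, qname, ask_upstream):
        """Return (answer, source), source being "cache" or the server used."""
        key = qname.strip(".").lower()
        if key in self.cache:
            self.cache.move_to_end(key)  # refresh as most recently used
            return self.cache[key], "cache"
        server = self.upstream_for(key)
        answer = ask_upstream(server, key)
        self.cache[key] = answer
        if len(self.cache) > self.cache_size:
            self.cache.popitem(last=False)  # evict the least recently used
        return answer, server
```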
4. DDNS
DDNS
DDNS (Dynamic Domain Name Server) is a service that maps the user's dynamic IP address to a
fixed domain name.
DDNS - Configuration
Click Add to add a DDNS configuration. The policy name and domain name must be unique.
Note:
You will see an error message if the name already exists.
Select a DNS provider from the available options.
DDNS is not supported when HA is configured.
DDNS Error Messages
5. Secondary-Passthrough Traffic
Background
The customer's network is already deployed; for example, only one PC and one server are
connected to the router. Because there is no security device in the environment, the network
cannot be protected, so the customer wants to add an NGAF to the existing network for
security protection but is unwilling to change the topology. If an NGAF device is simply
inserted in the customer's existing network, the traffic of the PC accessing the server will
cross the NGAF twice.
(Figure: the NGAF inserted in the existing network; the PC-to-server traffic passes through it at ① and again at ②. How should the secondarily passed-through traffic be handled, and how can the security policy detect it?)
Basic Principles
The secondary passthrough function solves the problems that arise when the same traffic
passes through the NGAF device twice or more: the NGAF cannot forward the data normally and
the security policies cannot detect it normally.
For traffic that passes through the NGAF twice, the secondary passthrough function acts on an
interface. One of the two passes through the NGAF is let through, which is equivalent to the
bypass function: that pass is no longer matched against the NGAF's policies, so the NGAF does
not process the same traffic twice and waste resources.
Specific Process
When the PC accesses the server, there are two inbound interfaces, eth1 and eth3, in the
request direction, and either of them can be configured. If eth3 is configured with the
secondary passthrough function, the traffic entering through eth3 is bypassed: the eth3 port
no longer performs any policy matching, while the traffic entering through eth1 is still
matched against policies. This ensures that the NGAF performs policy matching only once
during the two passes of the traffic through the NGAF and simply forwards the other pass, so
that the NGAF can forward data normally and the security policies can detect it. The same
applies to the data in the response direction, the packets the server sends back to the PC.
(Figure: the PC side connects through eth1/eth2 and the server side through eth3/eth4; the request direction ①-④ and the response direction ⑤-⑧ each cross the NGAF twice.)
Scenario
NGAF is deployed in the internal network, and the same traffic in the internal network
passes through the NGAF device twice or more.
Configuration
1. Deploy the NGAF in transparent mode or virtual wire mode in the network and configure the
application control policy to allow traffic from the intranet zone to the extranet zone.
2. In Network > Advanced > Secondary-Passthrough Traffic, check Enable and click Add.
Configure the source as the PC network segment and the destination as the server network
segment. The inbound interface is the interface through which one of the two passes in the
access direction enters.
3. In Network > Advanced > Secondary-Passthrough Traffic, check Enable and click Add.
Configure the source as the server network segment and the destination as the PC network
segment. The inbound interface is the interface through which one of the two passes in the
return direction enters.
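The three configuration steps above, modelled as an added Python example (not Sangfor's code): a passthrough rule list keyed on source segment, destination segment and inbound interface, applied to a flow that enters the NGAF twice, with the 64-policy cap and the GRE/VPN inbound-interface restriction from the precautions. The PC and server segments and the host addresses used are constructed sample values.

```python
# Added example (not Sangfor's code): models the secondary-passthrough decision
# from this page. A flow that crosses the NGAF twice is bypassed (no policy
# matching) on the inbound interface named in a passthrough rule and inspected
# on its other pass.
from ipaddress import ip_address, ip_network

MAX_RULES = 64  # limit stated in the page's precautions


class SecondaryPassthrough:
    def __init__(self):
        self.rules = []  # (source segment, destination segment, inbound iface)

    def add(self, src, dst, inbound_iface):
        if len(self.rules) >= MAX_RULES:
            raise ValueError("at most 64 secondary-passthrough policies")
        if inbound_iface.lower().startswith(("gre", "vpn")):
            raise ValueError("GRE and VPN ports cannot be the inbound interface")
        self.rules.append((ip_network(src), ip_network(dst), inbound_iface))

    def bypassed(self, src_ip, dst_ip, inbound_iface):
        """True if this pass is let through without any policy matching."""
        s, d = ip_address(src_ip), ip_address(dst_ip)
        return any(s in rs and d in rd and inbound_iface == ri
                   for rs, rd, ri in self.rules)


def inspected_passes(policy, src_ip, dst_ip, inbound_ifaces):
    """Given the inbound interfaces a packet enters on as it crosses the NGAF
    (one element per pass), return those on which policies are matched."""
    return [i for i in inbound_ifaces if not policy.bypassed(src_ip, dst_ip, i)]
```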
Case Configuration
The client's intranet server and PC belong to different VLAN segments and are connected to
the same layer-2 switch. The gateway is a router configured with the IP address of each VLAN
segment. The NGAF has now been purchased and is deployed as a bridge between the switch and
the router. The traffic of the PC accessing the server crosses the NGAF twice, so the
secondary-passthrough traffic needs to be configured.
(Figure: the server segment [Link]/24 and the PC segment [Link]/24 reach each other through the NGAF bridge on eth1/eth2.)
Precaution
1. Secondary-passthrough traffic is recommended for layer-2 deployments. Depending on the
deployment scenario, transparent deployment, virtual wire deployment or mirrored traffic can
be set as secondary traversal, which is equivalent to layer-2 traffic passing through the
NGAF multiple times.
2. Do not set layer-3 traffic to secondary passthrough; otherwise NAT, security policy,
routing and other functions are lost for that traffic.
3. Secondary passthrough does not support NAT environments where intermediate devices exist.
4. The secondary-passthrough policy list supports at most 64 policies.
5. Secondary passthrough does not support selecting a GRE port or VPN port as the inbound
interface.
Thank you !
Sangfor Technologies (Headquarters)
Block A1, Nanshan iPark, No.1001
Xueyuan Road, Nanshan District,
Shenzhen, Guangdong Province,
P. R. China (518055)