
What Is Transparent DNS Proxy?

Transparent DNS proxy intercepts every DNS request and then redirects it to a different DNS server without the user's knowledge.
For DNS request packets that match the transparent DNS proxy policy, the link load balancing device changes the destination address (DNS server address) of the packets based on the outbound interface selected for the DNS request packets. The DNS request packets are then forwarded to different Internet service provider (ISP) links, and the return traffic from web servers is also forwarded via different ISP links. This ensures that all link resources are fully utilized, and implements refined and intelligent allocation of enterprise network access traffic, effectively achieving load balancing on multi-egress networks and optimizing the access experience.

Why Is Transparent DNS Proxy Used?

On most enterprise networks, when an enterprise user accesses a web service on the Internet by domain name, the client first sends a domain name resolution request to its DNS server. In a standard configuration, an intranet client is configured with only one DNS server address, either assigned automatically through DHCP or set manually by the administrator, and that address usually belongs to a specific ISP.

Consider an enterprise network whose ISP is China Telecom. The client is configured to use DNS server A of China Telecom for domain name resolution. After receiving a DNS request, DNS server A typically returns the address of the web server deployed on the China Telecom network. This configuration has the following limitations: although web service providers usually deploy server resources on the networks of multiple ISPs, enterprise users obtain only the address of the web server deployed on the network of one specific ISP (here, China Telecom). Under the default routing policy, all Internet access traffic of enterprise users is forced through the China Telecom link, which congests that link and severely degrades user experience, while the bandwidth of the other ISPs' links (for example, China Unicom) sits idle, wasting network resources.

Traffic model (transparent DNS proxy is not used)

Transparent DNS proxy addresses this issue. Once it is enabled on the link load balancing device, the device identifies specific DNS request packets, selectively rewrites their destination addresses, and directs them to the DNS servers of different ISPs (in this example, China Telecom and China Unicom). Specifically, when an intranet client initiates a DNS request, the device checks whether the request matches a transparent proxy policy. If so, the device forwards the request to the DNS server of the corresponding ISP: a request forwarded to DNS server A of China Telecom obtains the address of the web server on the China Telecom network, and a request forwarded to DNS server B of China Unicom obtains the address of the web server on the China Unicom network. In this way, transparent DNS proxy distributes DNS requests across egress links and thereby balances service traffic among them.

Note that the DNS configuration of the intranet client remains unchanged: the DNS server address can still be obtained automatically through DHCP or set manually, and it can point to an intranet DNS server or to the DNS server of any ISP. Throughout the process, intranet users are unaware of the processing the link load balancing device performs on their DNS request packets. This transparency is the core feature of the technology.

Figure 1-3 Traffic model (transparent DNS proxy is used)

What Are the Advantages of Transparent DNS Proxy?

As a key technology to enterprise network optimization, transparent DNS proxy has the following core advantages.

Link Load Balancing and Performance Improvement

Transparent DNS proxy can intelligently allocate DNS requests to different egress links. This prevents a single link from being overloaded, achieves balanced utilization of multi-link resources, and significantly improves network access performance and response speed.

Full Utilization of Multiple ISP Links

By directing DNS requests to DNS servers of different ISPs, enterprises can use network resources of multiple ISPs at the same time, avoid idle links, and maximize bandwidth utilization.

Flexible Policy Configuration

You can configure DNS request allocation policies based on multiple conditions, such as IP addresses, domain names, and users. This helps to meet diversified network management requirements of enterprises.

Transparent to End Users

End users do not need to modify DNS settings (no matter whether the DNS settings are automatically allocated through DHCP or manually configured). Unaffected by technical processing performed by the link load balancing device on DNS request packets, end users can always benefit from intelligent traffic scheduling. This greatly simplifies O&M.

Transparent DNS Proxy Policies on Huawei Firewalls

A transparent DNS proxy policy is the core mechanism for implementing intelligent DNS request allocation. An administrator can configure policy matching conditions on a Huawei firewall to define DNS requests to which transparent proxy applies.

  1. Policy matching condition

    The matching conditions of a transparent DNS proxy policy include the source and destination IP addresses of DNS request packets.

  2. Matching logic
    • AND relationship: A packet matches a policy only when all the matching conditions configured in the policy are met (ANDing logic).
    • OR relationship: If a matching condition contains multiple values (for example, multiple IP addresses), the condition is met when the packet attribute matches any value (ORing logic).
  3. Policy execution action
    • Proxy: The DNS request is forwarded to the specified egress link.
    • No proxy: The original DNS request processing mode is retained.
  4. Policy priority
    • DNS requests are matched against policies in the order of configuration.
    • You are advised to configure policies from the most specific to the least specific, because matching stops at the first policy that matches. If a more general policy precedes a more specific one, the specific policy will never be matched.
  5. Default policy

    The system has a built-in default transparent DNS proxy policy (default) with the lowest priority.

    • Default action: The matching condition of the default policy is any (all packets match it), and its action is no proxy.
    • Default mechanism: If no user-defined policy is matched, the default policy is applied automatically. This ensures that every request is handled by some policy.

How Does Transparent DNS Proxy Work?

Huawei firewalls provide the transparent DNS proxy service for enterprises. Transparent DNS proxy intercepts every DNS request and then redirects it to a different DNS server without the user's knowledge.

When an intranet user accesses the web service www.example.com, a DNS query is triggered. After receiving the request, the firewall matches it against the transparent DNS proxy policies and checks whether the queried domain name is in the range of excluded domain names. If the domain name is not excluded and a proxy policy matches, the firewall selects an ISP link based on the route selection result and then performs the following operations in this order:

  1. Source address translation (source NAT): The device changes the source IP address of the DNS request packet based on the source NAT policy.
  2. Destination address translation (transparent DNS proxy): Based on the transparent DNS proxy policy, the firewall replaces the destination address of the DNS request packet with the DNS server address for the corresponding carrier network, such as the DNS server address for China Telecom or China Unicom.
  3. Forwarding: The DNS request packet with the altered destination address is forwarded to the target DNS server to complete domain name resolution.

The DNS server returns a response packet. As the response passes back through the firewall, the translated addresses are restored, so the response appears to come from the DNS server address the client originally queried. After receiving the DNS response, the intranet client accesses the web server at the IP address contained in the response.
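The policy evaluation described under "Transparent DNS Proxy Policies" (ANDed conditions, ORed values within a condition, first match in configured order, built-in default) and the three translation steps above, modelled as an added example. This is illustrative Python written for this page, not Huawei firewall code; the link names, addresses, excluded-domain list and packet fields are constructed.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample values, not a real Huawei configuration: per ISP link, the address
# the firewall uses for source NAT on that link and the ISP's DNS server.
LINKS = {"telecom": {"snat": "203.0.113.10", "dns": "203.0.113.53"},
         "unicom": {"snat": "198.51.100.10", "dns": "198.51.100.53"}}
EXCLUDED_DOMAINS = {"intranet.example.com"}      # assumed excluded-domain list

@dataclass
class Policy:
    name: str
    action: str                                  # "proxy" or "no-proxy"
    link: str = ""                               # egress link used when action == "proxy"
    src: list = field(default_factory=list)      # CIDRs; values are ORed, empty means "any"
    dst: list = field(default_factory=list)

DEFAULT = Policy("default", "no-proxy")          # built-in, lowest priority, matches any

def _matches(ip, networks):
    """OR relationship inside one condition; an empty condition matches everything."""
    addr = ipaddress.ip_address(ip)
    return not networks or any(addr in ipaddress.ip_network(n, strict=False) for n in networks)

def match_policy(policies, src_ip, dst_ip):
    """Conditions are ANDed; policies are tried in configured order and the first match wins."""
    for pol in policies:
        if _matches(src_ip, pol.src) and _matches(dst_ip, pol.dst):
            return pol
    return DEFAULT

def proxy_request(policies, pkt):
    """Steps 1-3 on a DNS request: source NAT, destination rewrite to the ISP DNS, forward.
    Returns the packet to forward plus a session entry used to reverse the translation."""
    pol = match_policy(policies, pkt["src"], pkt["dst"])
    if pkt["qname"] in EXCLUDED_DOMAINS or pol.action != "proxy":
        return dict(pkt), None                   # original processing mode is retained
    link = LINKS[pol.link]
    session = {"client": pkt["src"], "client_dns": pkt["dst"],
               "snat": link["snat"], "isp_dns": link["dns"]}
    return dict(pkt, src=link["snat"], dst=link["dns"]), session

def untranslate_response(resp, session):
    """Reverse both translations so the client sees a reply from the DNS server it queried."""
    if session is None or (resp["src"], resp["dst"]) != (session["isp_dns"], session["snat"]):
        return dict(resp)
    return dict(resp, src=session["client_dns"], dst=session["client"])
```

Reversing the order of the two sample policies in the test below shows why specific policies must come first: the general policy then shadows the specific one.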

Mechanism of transparent DNS proxy

For more information about the product, see Huawei AI Firewall. For details about how to configure and maintain transparent DNS proxy, see Transparent DNS Proxy Configuration Guide.
