Updated on October 5, 2023

DNS Profile

DNS Profile

Note

This feature is available with IPSec, GRE, or Netskope Client traffic steering methods.

DNS profiles allow you to control, inspect, and log all or blocked DNS traffic. When configuring a DNS profile, you can configure the actions taken for specific domain categories and choose to allow or block specific domains. Additionally, you can choose to block all DNS tunnels and select DNS tunnels to exempt.

To create a DNS profile:

  1. Navigate to Policies > DNS.
  2. Click New DNS Profile. The DNS Profile page appears.
  3. Enter a name for the DNS profile.
  4. Select if you want to generate events for Only blocked DNS traffic or All DNS traffic.
  5. Under the DNS Domain tab, you can do the following:

    This section allows you to configure actions for the available domain categories. You can also search for a category or action.

    Available actions include None, Block, or Sinkhole. If the detected DNS traffic doesn’t match any of the domain categories, then Netskope will take no action.

    The DNS Domain tab for DNS profiles
  6. If you chose Sinkhole as the action for a domain category, enter a Sinkhole IP Address.
    Entering a sinkhole IP address for DNS profiles
  7. For the Domain Allowlist and Domain Blocklist fields, you can specify the domains you want to allow or block all DNS requests from.

    For the domain, you must specify the Record Type or choose All Record Types. You can click + Add to add more domains or click Import From CSV to upload a CSV file (the maximum upload is 8 MB).

    Note

    The Domain Blocklist takes precedence over the Domain Allowlist.

    The Domain Allowlist and Domain Blocklist for DNS profiles
  8. Under the DNS Tunnel tab, you can enable Block All DNS Tunnels.
    The DNS Tunnel tab for DNS Profiles
  9. If you enable Block All DNS Tunnels, you can also configure the DNS Tunnel Allowlist. Select or search for DNS tunnels from the dropdown list.
    The DNS Tunnel Allowlist for DNS Profiles when Block All DNS Tunnels is selected
  10. Under Custom DNS Server, you can enable the Custom DNS functionality and enter up to five public IPv4 addresses separated by comma or newline for forwarding. The DNS servers are evaluated in the order they are input into the window.



    Netskope will forward the destination to these DNS servers for resolution when the default DNS servers are private, unreachable from Netskope cloud, or rejecting the requests.
    The Always use custom DNS servers instead of default server option will replace the destination address with the custom DNS server’s IP address for all DNS traffic.
    The Use Netskope DNS resolver option will use Netskope’s internal DNS resolver if the default and custom DNS servers fail.
  11. Click Save to save the DNS profile.

Note

Custom DNS servers do not work over nonstandard ports.
Non-DNS TCP application traffic sent over port 53 are assumed to be DNS traffic and treated accordingly.
Custom DNS server cannot be changed in the middle of TCP flow if server is marked as unreachable during flow’s lifetime as this requires a new connection sequence with the new server.

After you create a DNS profile, you must add it to a Real-time Protection policy. To learn more: Real-time Protection Policies.

Share this Doc

DNS Profile

Or copy link

In this topic ...