Skip to main content

Netskope Help

DNS Profile

Note

This feature is in Controlled GA. If you want to enable this feature, contact your sales team.

This feature is available with IPSec, GRE, or Netskope Client traffic steering methods.

DNS profiles allow you to control, inspect, and log all or blocked DNS traffic. When configuring a DNS profile, you can configure the actions taken for specific domain categories and choose to allow or block specific domains. Additionally, you can choose to block all DNS tunnels and select DNS tunnels to exempt.

To create a DNS profile:

  1. Navigate to Policies > DNS.

  2. Click New DNS Profile. The DNS Profile page appears.

  3. Enter a name for the DNS profile.

  4. Select if you want to generate events for Only blocked DNS traffic or All DNS traffic.

    Selecting to generate events for only blocked or all DNS traffic in a DNS profile
  5. Under the DNS Domain tab, you can do the following:

    This section allows you to configure actions for the available domain categories. You can also search for a category or action.

    Available actions include None, Block, or Sinkhole. If the detected DNS traffic doesn’t match any of the domain categories, then Netskope will take no action.

    The DNS Domain tab for DNS profiles
  6. If you chose Sinkhole as the action for a domain category, enter a Sinkhole IP Address.

    Entering a sinkhole IP address for DNS profiles
  7. For the Domain Allowlist and Domain Blocklist fields, you can specify the domains you want to allow or block all DNS requests from.

    For the domain, you must specify the Record Type or choose All Record Types. You can click + Add to add more domains or click Import From CSV to upload a CSV file (the maximum upload is 8 MB).

    Note

    The Domain Blocklist takes precedence over the Domain Allowlist.

    The Domain Allowlist and Domain Blocklist for DNS profiles
  8. Under the DNS Tunnel tab, you can enable Block All DNS Tunnels.

    The DNS Tunnel tab for DNS Profiles
  9. If you enable Block All DNS Tunnels, you can also configure the DNS Tunnel Allowlist. Select or search for DNS tunnels from the dropdown list.

    The DNS Tunnel Allowlist for DNS Profiles when Block All DNS Tunnels is selected
  10. Click Save to save the DNS profile.

After you create a DNS profile, you must add it to a Real-time Protection policy. To learn more: Real-time Protection Policies.