Sangfor - NGAF - v8.0.39 - User Manual - EN (DNS - Conf)


Sangfor NGAF User Manual Network

addresses. A conversion and query mechanism is needed between IP addresses
and hostnames, and the system that provides such a mechanism is the Domain
Name System (DNS).

5.5.1 DNS Configuration


This page sets the DNS servers and DNS proxy that the NGAF device uses to
access the Internet. See the figure below.

Preferred DNS: Set the DNS server address used by the NGAF device to access
the Internet. The NGAF device uses this DNS address as the first choice for
resolution.

Alternate DNS: Set the DNS server address used by the NGAF device to access
the Internet. If the NGAF device fails to resolve a name through the
preferred DNS server, the alternate DNS server is used for resolution.

DNS Proxy: When this function is enabled, the LAN users' DNS address is set
to the interface IP address of the NGAF device, which forwards the LAN users'
DNS requests to the preferred and alternate DNS servers set for the device.
DNS proxy uses port TCP/53. After it is enabled, this port on the firewall can
be accessed from all zones. If the firewall is deployed at the network egress,
it is recommended to deny access to this port from the Internet zone by
configuring it under Policy > Access Control > Local Access Control.
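A check for the exposure described above, as an added example that is not part of the Sangfor manual: run from a host in the Internet zone against the firewall's external address, it sends one DNS query over TCP/53 and reports whether the port is blocked, open without a DNS reply, or answering. The function names, the result labels and the query name `example.com` are assumptions of this example.

```python
import socket
import struct
import sys

QUERY_ID = 0x1234  # arbitrary constant ID (assumption); a DNS responder echoes it

def build_query(name):
    """Build a minimal DNS A/IN query (RFC 1035) with recursion desired."""
    header = struct.pack("!HHHHHH", QUERY_ID, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def recv_exact(sock, n):
    """Read exactly n bytes or raise if the peer closes first."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before full message")
        buf += chunk
    return buf

def check_dns_proxy_exposure(host, port=53, name="example.com", timeout=3.0):
    """Classify TCP DNS on host:port as 'answers', 'open-no-dns' or 'blocked'."""
    query = build_query(name)
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "blocked"  # refused, filtered (timed out) or unreachable
    with sock:
        try:
            # DNS over TCP frames each message with a 2-byte length prefix.
            sock.sendall(struct.pack("!H", len(query)) + query)
            (length,) = struct.unpack("!H", recv_exact(sock, 2))
            reply = recv_exact(sock, length)
        except OSError:
            return "open-no-dns"  # port open, but no DNS reply came back
    if length < 12:
        return "open-no-dns"  # shorter than a DNS header
    reply_id, flags = struct.unpack("!HH", reply[:4])
    # QR bit (0x8000) set and a matching ID mean a DNS responder answered.
    return "answers" if reply_id == QUERY_ID and flags & 0x8000 else "open-no-dns"

if __name__ == "__main__":
    # Usage: python check_dns.py <firewall external IP>, from an Internet-side host.
    print(check_dns_proxy_exposure(sys.argv[1]))
```

With the Local Access Control deny rule in place, the expected result from the Internet zone is `blocked`; `answers` means the DNS proxy is still reachable from outside.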

Version 02 (Aug. 08, 2021) 168



5.5.2 DNS Transparent Proxy


With DNS transparent proxy, an intermediate device (usually the gateway)
intercepts the DNS packets that a client sends through it, forwards them to
a DNS server for resolution according to the relevant settings, and returns
the responses received to the client. This proxy process is undetectable
and completely transparent.

The DNS transparent proxy page is for intranet users whose DNS address does
not point to the NGAF device but whose DNS requests are transmitted through
the NGAF. The NGAF's transparent DNS proxy resolution settings are shown in
the following figure.

External DNS Server: Set the external DNS server address for the DNS
transparent proxy, such as 114.114.114.114. When the DNS Transparent Proxy
is enabled, domain names that were not uploaded through Upload Domain File
are resolved by proxy using the external DNS address set here.

Local DNS Server: Set the local DNS server address for the DNS transparent
proxy. When the DNS Transparent Proxy is enabled, only the domain names
uploaded through Upload Domain File are resolved by proxy using the local
DNS address set here.

DNS Transparent Proxy: Enable or disable the DNS transparent proxy
function.

Upload Domain File: Set the domain names that need to be resolved through
the local DNS address configured in Local DNS Server. Under normal
circumstances, this is used so that access by the domain name of the
company's website resolves directly to the LAN IP address of the website.

5.6 DHCP
The Dynamic Host Configuration Protocol (DHCP) is a network protocol used
on local area networks. It allows a server to manage a range of IP addresses
so that a client can automatically obtain the IP address and subnet mask
assigned by the server when logging in to the server. The NGAF device,
deployed in the user environment, serves as a DHCP server and assigns the
corresponding IP addresses to clients.
