Overview

This document describes how to configure your network to use DNS Defense Cloud in a network managed with Windows Server - using DHCP or an existing DNS Server. If you need assistance configuring your environment to enable DNS Defense Cloud, you can contact our support team.

Prerequisites

Before changing your configuration, ensure that DNS queries can be sent to the ThreatSTOP DNS Server IP address from the existing network:

  • From a computer with the same public IP address as the computers that will send DNS requests (endpoints or existing DNS server), open a Windows Powershell
  • Use nslookup to test a DNS query, e.g.:
PS C:> nslookup example.com THREATSTOP_SERVER
Address: THREATSTOP_SERVER

Non-authoritative answer:
Name: example.com
Addresses: 93.184.216.34

If the query times out, please refer to the DNS Defense Cloud configuration documentation.

Windows Server: DHCP Server

If you are using Windows Server DHCP Server, changing the DNS server used by DHCP client endpoints is done by changing the Name Server setting in the DHCP Options. This may be done at the server level or on a per-scope basis.

If you are using multiple DHCP servers, the following steps need to be repeated for each DHCP server.

  • Open the Server Manager and select DHCP in the menu
  • In the server list, right click on the DHCP server and select DHCP Manager
  • In the DHCP window, open the server entry and click on IPv4
  • Review how the DNS server(s) are currently configured.
    • To view the configuration, click on Scope Options (repeat for every Scope) and Server Options. The DNS servers are listed as Option 006 DNS Servers.
    • The setting can be set at the server level or for each DHCP scope.
    • If a scope has DNS server(s) configured, they take precedence over the server level configuration.
    • If DNS server(s) are not configured in the scope configuration, the server configuration will be applied to all scopes.
  • Change the DNS server IP address
    • For every scope that you want to switch to DNS Defense Cloud, right click on Scope Options and select Configure Options
    • For the server level, right click on Server Options and select Configure Options
    • Scroll down to Option 006 DNS Servers
    • Remove the existing IP address (retain the current setting to revert the change).
    • Add both ThreatSTOP Service IP Addresses
    • Click Ok

When DHCP clients renewal their lease, the new server setting will be applied and they will be protected by DNS Defense Cloud.

Resources

Windows Server: DNS Server

If you are using a Windows Server DNS Server, it may be configured in one of three modes:

  • as a recursor, performing DNS queries with authoritative DNS servers
  • as a forward-only server, sending DNS queries to one or more upstream DNS server(s).
  • as a forwarder with fallback to recursor mode if forwarders are not responding.

To find out your current mode:

  • Open the Server Manager and select DNS in the menu.
  • In the server list, right click on the DNS server and select DNS Manager.
  • In the DNS Manager window, open the server entry and click the Forwarders property.

Possible configurations:

  • If there are no forwarders configured and Use Root Hints if no forwarders are available is checked, the DNS server is configured as a recursor.
  • If there are forwarders configured and Use Root Hints is not checked, the DNS server is configured as a forward-only server.
  • If there are forwarders configured and Use Root Hints is checked, the DNS server is configured as a forwarder with recursor mode as a fallback.
Forwarders Root Hints Mode
No Yes Recursor
Yes No Forward-Only
Yes Yes Forward with fallback
No No Invalid combination

DNS Defense Cloud configuration

To start using DNS Defense Cloud, you will need to use the ThreatSTOP DNS servers as forwarders. You can choose to keep Root Hints enabled to fallback to recursor mode although the ThreatSTOP DNS Policy is not applied to queries sent in recursor mode.

Server in Recursor mode

To enable DNS Defense Cloud:

  • edit the DNS Server in the DNS Manager
  • open the Forwarders setting
  • click edit
  • add both IP addresses for the DNS Defense Cloud servers.
  • click Ok to complete the configuration.

Forward-Only and Forward (with fallback)

To enable DNS Defense Cloud:

  • edit the DNS Server in the DNS Manager
  • open the Forwarders setting
  • remove the existing forwarder IP addresses
  • add both IP addresses for the DNS Defense Cloud servers.
  • click Ok to complete the configuration.

Resources