Incompatible with Active Directory
This feature is not applicable to networks with Active Directory. Windows DNS Server does not have a way to forward DNS based on subnet or internal IP address.
DNSFilter’s NAT IPs feature allows up to 7 different policies using a single egress IP address. This facilitates separate content filtering and/or threat protection policies for different segments of your network, such as guest Wi-Fi, server farms, staff BYOD, and executive devices.
When we receive your DNS requests, we apply the specific policy based on the set of DNSFilter IP addresses used to contact us. We have 7 sets of IPs which all utilize the same global infrastructure.
Within your network, you must configure the devices to resolve the specific set of DNS addresses you have configured in the DNSFilter Dashboard policy (explained in the next section).
Note the DNS IPs assigned to the devices in the diagram below (.101, .102, etc)
NAT IP policies are created by following the instructions in the site deployment guide pertaining to creating a filtering policy
On the Advanced tab, there will be a location for setting NAT IP policy addresses:
There are 7 choices, allowing for 7 different policies to be active on your network.
After creating policies with different NAT IP addresses, you can move on to configuring your network devices. NAT IP policies should not be assigned to a site on the dashboard. Rather, the main site policy should be assigned to your network.
Do not assign to a site
NAT IP policies only need to be created in the dashboard. They do not need to be assigned to a site/network. This is because DNSFilter will identify that your traffic is intended for a special NAT IP policy address and classify it appropriately.
The final step in configuring NAT IPs are configured to point to the NAT IP addresses that you have set. There are a few options for this:
You can configure your DHCP server to handout different DNS addresses based on the internal LAN subnet. For example, say your Guest subnet is 192.168.10.0/24, your Staff subnet is 192.168.20.0/24, and your Executive subnet is 192.168.30.0/24. You could assign a normal "Guest" policy to your network in the Dashboard. Then you could create two NAT IP policies, one for Staff and one for Executives. Then you could adjust the DHCP options for those subnets to point to the NAT IPs for that policy.
If the number of devices for a NAT IP policy is small, and you have control over the endpoint devices - then direct assignment is an easy way to utilize NAT IPs. You can simply go to the DNS settings on the device and change them to point to your NAT IP policy.
You can ensure that the your NAT IP policies and network devices are configured properly by adding a different test domain to the Blacklist for each policy, then ensure the devices see a block page for the specific domain which was set up on their NAT IPs policy.
Updated about a year ago