How to configure DNS forward proxy on Ruijie Z-3200S firewall？

DNS forward proxy

DNS forward proxy is usually deployed between the DNS server and the user's PC to process the user's domain name resolution request. For DNS request messages that hit the DNS forward proxy policy, the device will modify the destination address of the request message (DNS server address) according to the outbound interface selected by the DNS request message. Therefore, DNS requests can be forwarded to different DNS servers for resolution, and Internet traffic will be forwarded through different links to make full use of link resources.
Applied scenarios

DNS proxy is usually used in multi-export scenarios
Case of configuration

a) Requirement

The DNS forward proxy data processing flow is as follows:
(1) After receiving the DNS request message, the device checks whether the DNS proxy is enabled. If not, it does not act as a DNS forward proxy. If enabled, it matches the proxy policy for the DNS request message;
(2) Check whether the message matches the DNS forward proxy policy. If it matches the policy and needs to act as a DNS forward proxy, the device first determines whether the domain name to be resolved is an excluded domain name: if it is an excluded domain name, the device does not act as a DNS forward proxy (for an excluded domain name, if aspecific DNS server is required to resolve the domain name, the device will directly modify the destination address of the DNS request message to the address of the specified DNS server); if it is not an excluded domain name, the device will make a proxy mark for the message, which is used for subsequent process judgment;
(3) The DNS request message selects an available outbound interface.
When several routing configurations coexist, the priority is: DNS forward proxy routing > intelligent routing > egress load balancing > normal static/dynamic routing.
Since the DNS forward proxy has a high priority and will modify the target address, the dynamic NAT processing module will not be used after the DNS forward proxy matches.
(4) The device can bind two DNS servers (the primary DNS server and the backup DNS server) on each outbound interface. The DNS forward proxy function preferentially uses the address of the primary DNS server to replace the destination address of the DNS request message. It switches to the backup DNS server only when the primary DNS server is unavailable. The device will act as a DNS forward proxy if and only if there is an available DNS server on the outbound interface and the message has a proxy tag.
b) Network Topology

c) Configuration

(1) Click [Network] >> [DNS] >> [DNS] menu item, select the [DNS Forward Proxy] tab.
(2) Click to enable DNS Forward Proxy.

(3) Select "Routing mode".
When the DNS forward proxy processes a DNS request message, after the proxy policy and domain name exclusion match successfully, if there are multiple available interfaces associated with the domain name that matches or there are multiple available interfaces in the interface list after the policy matches, you can select a suitable interface as the outbound interface of the DNS request message by configuring "Routing mode". The device will give priority to the matching interface based on the different"Routing modes".

(4) Configure DNS proxy related items.

(5) Added domain name exclusion.

After using DNS forward proxy, users need to perform special processing on some special domain names due to network resources or security reasons, such as forwarding to an ISP with better networ kor not proxying (i.e. not configuring DNS server address). In this case, the domain name exclusion function is needed to perform specific processing on specific domain names after the proxy takes effect.

Configuring proxy policies

Select the source address that needs DNS proxy