Configuring DNS Firewall

Network topology

If you are not an IT professional or manage the DNS infrequently, then understanding where the D-Zone DNS Firewall fits will help you to understand what you need to do. Full documentation is provided to all D-Zone DNS Firewall customers. 

In the past, the modem to the internet was separate from the router you used in your home or small business. Today, these two devices are often combined into one device, often called a gateway.

In a similar way to how your business or home router knows where the devices (e.g., PCs) on your network are located, the D-Zone firewall servers know where servers on the internet are located. This part of the D-Zone service is traditionally called a recursive server. The difference is that our recursive resolver refuses to provide directions to known problem sites. For most small and medium businesses, the recursive service is delivered by an Internet Service Provider, while many large organizations choose to run their own.

Your gateway, or router, has DNS settings to tell it where to go to access the D-Zone DNS Firewall service.

Devices on a network go through the internet gateway in order to access the internet. The D-Zone DNS Firewall sits between the gateway and the internet.


1. Configure D-Zone service for your organization

CIRA does not currently offer any kind of free open recursive service so we are required to whitelist your access to our servers. This improves security and performance for our customers by keeping the service dedicated to their needs.

  1. When you sign up for the service, you will receive an email from our customer service representative providing D-Zone web portal login credentials to configure your security settings. You will also be required to provide us with your IP address so that we may grant it access to the security service.

  2. If you do not know your IP address, then finding it is easy. For example, typing “what is my IP address” into a Google search bar will return the result, and there are a number of web services that can do the same.

    [Screenshot: a Google search for “what is my IP address” showing your IP address]

  3. At this point, no configuration is required in the D-Zone DNS Firewall web portal in order to be protected. By default, malware and phishing protection is turned on, and content filtering and Google safe search are turned off. If you want to make changes to these settings, the D-Zone interface is easy to navigate and the technical documentation is available in the help files if you need it.


2. Gateway configuration

There are hundreds of different hardware scenarios that organizations in Canada could be using to access the internet. Most operate in a similar fashion, and while not generally designed for complete technology neophytes, the average user is capable of using the software if they follow the steps closely. These steps will be explained in the technical documentation for your router or gateway and can likely be found online from both your provider and helpful users who have posted videos and guides.

Set-up - example using the Bell Connection Hub

This example uses the Bell Connection Hub. Most routers and hubs are highly similar, and this article provides overviews for many of the popular new ones: https://www.lifewire.com/how-to-change-dns-servers-on-most-popular-routers-2617995

  1. Determine the IP address for your gateway. For most Bell configurations this is 198.168.2.1. Enter this address in a browser. Other common gateway addresses include 198.168.1.1 and 198.168.0.1.

  2. For Bell and for most routers/gateways the default username is admin and the default password is admin. Hopefully, for security reasons, you are not using the default settings and will have your own username and password. If you have lost them, then you will need to reset the router to factory settings. Consult your gateway technical documentation.
  3. In the left-side navigation, select Internet.

    [Screenshot: Bell Connection Hub interface showing the setting to change in order to manually configure DNS]

  4. In DNS Settings, choose the radio button to manually specify DNS information.

    • For Primary DNS, enter: 162.219.51.2
    • For Secondary DNS: leave blank

    Note 1: No secondary DNS service is recommended unless you have adequate alert processes in place. D-Zone has built-in backup with multiple servers in each node and multiple geographically distributed nodes deployed using a technology called anycast. If you specify a secondary DNS, then in the unlikely event that D-Zone were to go down, your router would fall back to the secondary DNS and you would not know that you are browsing unprotected.

    Note 2: If you want to use an IPv6 address to access the D-Zone firewall service, use this IPv6 address as your Primary DNS (not recommended for normal users): 2620:10a:8054::2

  5. Save your settings and close the browser.
  6. Some devices on your network may require a re-boot in order to begin using the new DNS settings.
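Note 1 above makes the secondary DNS decision depend on having an alert process. As an added example (not part of the D-Zone documentation), the following PowerShell script is a scheduled health check for a Windows machine on the network: it queries the D-Zone resolver addresses given above and writes an Application event log entry when the primary does not answer, so an outage is noticed without configuring an unprotected fallback resolver. The probe name www.cira.ca and the event source name DZoneCheck are assumptions.

```powershell
# Added example: health check for the D-Zone DNS Firewall resolver (not CIRA's code).
$DZoneResolver   = '162.219.51.2'      # IPv4 address from step 4 above
$DZoneResolverV6 = '2620:10a:8054::2'  # IPv6 address from Note 2 above
$ProbeName       = 'www.cira.ca'       # assumption: a name that should always resolve

function Test-DZoneResolver {
    param([string]$Server)
    try {
        # -DnsOnly and -NoHostsFile force a real query to the named server,
        # so a cached or hosts-file answer cannot mask an outage.
        $answer  = Resolve-DnsName -Name $ProbeName -Type A -Server $Server `
                       -DnsOnly -NoHostsFile -ErrorAction Stop
        $records = @($answer | Where-Object { $_.Type -eq 'A' })
        [pscustomobject]@{
            Server  = $Server
            Healthy = ($records.Count -gt 0)
            Detail  = ($records.IPAddress -join ', ')
        }
    } catch {
        [pscustomobject]@{ Server = $Server; Healthy = $false; Detail = $_.Exception.Message }
    }
}

$results = @($DZoneResolver, $DZoneResolverV6) | ForEach-Object { Test-DZoneResolver -Server $_ }
$results | Format-Table -AutoSize

# Alert only on the IPv4 primary; the IPv6 probe is informational because many
# networks have no IPv6 path. Assumption: the event source was registered once with
#   New-EventLog -LogName Application -Source DZoneCheck   (administrator rights)
$primary = $results | Where-Object { $_.Server -eq $DZoneResolver }
if (-not $primary.Healthy) {
    Write-EventLog -LogName Application -Source 'DZoneCheck' -EntryType Error -EventId 1001 `
        -Message "D-Zone resolver $DZoneResolver did not answer for $($ProbeName): $($primary.Detail)"
}
```

Run it from Task Scheduler every few minutes and have your monitoring pick up event ID 1001 from source DZoneCheck.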

3. Advanced option - setting up Windows Server as a forwarding DNS server

If you are running your own recursive server and wish to continue to do so, then you will configure it as a forwarding DNS server to the DNS Firewall nodes. You likely already have the expertise to manage the technology, so we won’t go into a high level of detail on configuration. This example uses Windows Server 2016. If you need support with Windows or any other DNS server that you may be using, please contact us at dnsfirewall@d-zone.ca.

  1. Open the DNS Manager and right-click the server to manage its properties.

  2. Select the Forwarders tab under DNS properties.

    [Screenshot: the DNS Manager in Microsoft Windows Server]

  3. Click Edit and enter the IP address for the DNS Firewall: 162.219.51.2
  4. Delete any existing/additional forwarders so that you are only using the D-Zone service for queries.
  5. If you don’t have a trustworthy alert process, it is recommended that you uncheck "Use root hints if no forwarders are available". This avoids unprotected browsing using Windows as a backup resolver in the event of a problem with D-Zone or your network's access to D-Zone.
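Steps 3 to 5 above can also be applied and verified from PowerShell on Windows Server 2016 using the DnsServer module. This is an added example, not CIRA's or Microsoft's documentation code; it assumes administrator rights on the DNS server and uses www.cira.ca as a name that is expected to resolve.

```powershell
# Added example: configure and verify D-Zone forwarding on Windows Server 2016.
Import-Module DnsServer

$DZoneForwarder = '162.219.51.2'   # DNS Firewall address from step 3 above

# Steps 3 and 4: Set-DnsServerForwarder replaces the whole forwarder list, so any
# existing or additional forwarders are removed and only D-Zone remains.
# Step 5: -UseRootHint $false is the same as unchecking "Use root hints if no
# forwarders are available", so a D-Zone outage does not silently fall back to
# unprotected recursion through the root servers.
Set-DnsServerForwarder -IPAddress $DZoneForwarder -UseRootHint $false -PassThru

# Verify the resulting configuration rather than trusting the command succeeded.
$fwd   = Get-DnsServerForwarder
$extra = @($fwd.IPAddress | Where-Object { $_.ToString() -ne $DZoneForwarder })
if ($extra.Count -gt 0) {
    Write-Warning "Unexpected forwarders still configured: $($extra -join ', ')"
}
if ($fwd.UseRootHint) {
    Write-Warning "Root hints are still enabled; queries could bypass D-Zone if the forwarder fails."
}

# Confirm the server itself resolves through the new forwarder. The query goes to the
# local DNS service (127.0.0.1), which in turn forwards to 162.219.51.2.
Resolve-DnsName -Name 'www.cira.ca' -Type A -Server 127.0.0.1 -DnsOnly -ErrorAction Stop |
    Where-Object { $_.Type -eq 'A' } | Select-Object Name, IPAddress
```

If the last query fails, check that the server can reach 162.219.51.2 on UDP/TCP port 53 and that your public IP address has been whitelisted as described in section 1.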