Problem Description:
====================
This article describes one way to configure a Versa CPE to send NXDOMAIN responses for certain domains.

Background:
===========
NXDOMAIN is a DNS response code (RCODE = 3) that stands for Non-Existent Domain.
It notifies the DNS querier that the requested domain does not exist in the DNS database.

Use Cases:
==========
a) Policy Enforcement (block valid responses for adult or malicious domains).
b) Monitoring (keep track of NXDOMAIN responses to detect malware).
c) Internal Domain Isolation (detect when a domain is not part of the internal DNS zones).

Configuration:
==============
1) Configure a DNS Proxy that reaches a Global DNS server over Local Breakout. Use any Transport-VR routing instance that has Internet connectivity, and have the proxy call an SNAT whose Egress Network corresponds to that Transport-VR.

SNAT Config
-----------------

Proxy Profile Config
--------------------------

2) Under DNS ---> Policies, configure a Redirection rule for the domain for which you would like the Versa CPE to send an NXDOMAIN response. In the Enforce section, select the Proxy Profile defined earlier, and under Override Question add a non-existent domain name so that the DNS proxy on the Versa translates queries for the specific domain (here I have used bbc.com for the test).




Summary:
========
When internal users send a DNS request for bbc.com, the Versa CPE proxy kicks in and sends a proxied DNS request to the outside DNS server, but this time for the non-existent domain specified in Override Question.
The external server responds with NXDOMAIN, which the Versa relays to the internal users.
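
To confirm the policy from a client, or to feed the monitoring use case, the check below builds a query for the blocked name and decides whether a reply is an NXDOMAIN (RCODE 3) with no answers and a matching transaction ID. It is an added example, not Versa code; the function names, the sample reply bytes and the server address passed to ``check_resolver`` are assumptions made for illustration.

```python
import socket
import struct

NXDOMAIN = 3  # RCODE value from the Background section

def build_query(name, txid=0x1234):
    """Encode a recursive A/IN query for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def parse_response(msg):
    """Return (txid, rcode, question_name, answer_count) from a DNS message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    labels, pos = [], 12
    while qdcount and msg[pos] != 0:
        length = msg[pos]
        if length & 0xC0:
            raise ValueError("unexpected compression pointer in question")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return txid, flags & 0x000F, ".".join(labels), ancount

def is_blocked(query, response):
    """True if the reply matches the query ID and is NXDOMAIN with no answers."""
    txid, rcode, _, ancount = parse_response(response)
    sent_id = struct.unpack("!H", query[:2])[0]
    return txid == sent_id and rcode == NXDOMAIN and ancount == 0

def check_resolver(name, server, timeout=3.0):
    """Query `server` (assumed: the resolver address clients use) over UDP/53."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        response, _ = sock.recvfrom(4096)
    return is_blocked(query, response)

# Constructed sample replies (not captured traffic); flags 0x8183 = QR, RD, RA, RCODE 3.
SAMPLE_QUERY = build_query("bbc.com")
SAMPLE_NXDOMAIN = struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0) + SAMPLE_QUERY[12:]
SAMPLE_NOERROR = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0) + SAMPLE_QUERY[12:]
```

``check_resolver("bbc.com", "<resolver address>")`` runs the same check against a live resolver and raises ``socket.timeout`` if no reply arrives.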