DNS Filtering User Guide
DNS Filtering uses the Domain Name System (DNS) to control access to websites by their domain name.
Tehama's DNS Filtering feature provides this capability as an extra layer of security on top of the Firewall Rules that are set up for each Room.
Overview
Tehama's DNS Filtering feature lets you define a list of allowed domains. Internet access from the Room is then restricted in two layers: first to the domains on that list, and second by the firewall rules in the Room. DNS Filtering decides only which domain names may be used; it does not replace the firewall rules, which still decide whether traffic to the resolved address is allowed.
This feature is available for Tehama's 'Multi-Path' Rooms (Rooms with network access set to 'Multi-Path').
This feature is active when the Room's DNS Filtering list contains at least one allowed domain. While it is active:
- users of Desktops in the Room are denied access to any domain that is not in the list, regardless of the firewall rules in the Room.
- for domains in the list, access ultimately depends on the existing firewall rules.
This feature is deactivated when the Room's DNS Filtering list contains no allowed domains. In that case, access to any domain on the internet depends solely on the existing firewall rules.
Domain name syntax:
- A domain name consists of one or more hierarchical parts, delimited by dots, such as "example.com".
- Tehama's DNS Filtering accepts only domain names. Do not include "http(s)://" before the domain in the field.
- Tehama's DNS Filtering infers a wildcard at the start of each domain name, so an entry also covers every subdomain of that domain. For example, 'example.com' is equivalent to '*.example.com'.
Recommended use-case for DNS Filtering:
- Allow Windows Updates
- DNS Filtering provides a simple way for a Room with otherwise completely restricted internet access to allow Windows Updates for the Windows Desktops in the Room that are configured to use Windows Server Update Services (WSUS).
The requirements and limitations for DNS Filtering, and the DNS Filtering actions (view, add and delete allowed domains), are described in the sections that follow.
Requirements and Limitations
Here are the requirements and limitations for Tehama's DNS Filtering feature.
Requirements:
- Your Room must be a Multi-Path Room.
Limitations:
- Currently, the Multi-Path network access type is only available in Standard Rooms, so DNS Filtering is only available in Standard Rooms. If you need a Domain Join Room, you will not have access to DNS Filtering.
- Currently, Rooms with the Multi-Path network access type are not supported by the Connection Test Tool, so if you choose a Multi-Path Room in order to use DNS Filtering, you will not have access to the Connection Test Tool.
Allow Windows Updates
A specific use case for DNS Filtering in Tehama is to allow the Windows Desktops in a Room to reach the Windows Server Update Services (WSUS) server domains, in a Room that otherwise completely restricts access to the internet.
The following configuration lets the Room's Windows Desktops that have WSUS configured keep up to date with the latest Windows Updates while having no other internet access.
Configure your Room to allow access only to the Windows Update servers as follows:
- Ensure that your Room is a Multi-Path Room.
- Access the CONNECTION tab of your Room:
  - Log in to the Tehama Web UI.
  - Click on the ROOMS tab.
  - Click on the name of the Room whose custom firewall rules you want to edit. You will see the user interface for the Room.
  - Click on the Room's CONNECTION tab.
- Allow Web Access in the Room's firewall rules:
  - Select the FIREWALL RULES sidebar item.
  - If necessary, click on the SHOW CUSTOM RULES button.
  - Click on the ADD RULES dropdown to open it.
  - Select "Allow Web Access". The ALLOW WEB ACCESS dialog will appear.
  - Click YES to approve the addition of the shown endpoints. The rules will appear in the list.
- Add the following WSUS server domains to the list of allowed domains in the Room's DNS Filtering configuration:
  - dl.delivery.mp.microsoft.com
  - download.microsoft.com
  - download.windowsupdate.com
  - go.microsoft.com
  - ntservicepack.microsoft.com
  - update.microsoft.com
  - windowsupdate.com
  - windowsupdate.microsoft.com
  - wustat.windows.com
  NOTE: This is the list of WSUS server domains found in section 2.1.1 of Microsoft's instructions on how to configure WSUS (Step 2: Configure WSUS). This list is up to date as of July 25th 2022; check section 2.1.1 to verify that you have the latest domains. Note also that Tehama's DNS Filtering does not accept "http(s)://" before the domain in the field, and infers a wildcard at the start of each domain: for example, 'example.com' is equivalent to '*.example.com'.
  From the CONNECTION tab, click on the DNS Filtering sidebar item, then for each of the domains in the above list:
  - Click on + Add domain. A domain field will appear.
  - Enter the domain into the domain field.
  - Click on the checkmark. The domain appears in the list of allowed domains.
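To make the matching rules concrete (the implied leading wildcard and the "no scheme, no wildcard characters" input rules from the Domain name syntax section, and the "empty list means inactive" behaviour from the Overview), here is an added Python model of the allow-list decision, run against the WSUS list above. It is example code written for this page, not Tehama's implementation: the whole-label matching, the validation messages and the decision labels are assumptions about how the feature behaves. It shows two things the list alone does not: an entry such as dl.delivery.mp.microsoft.com does not cover a sibling name such as fe3.delivery.mp.microsoft.com, and nothing on the list covers www.microsoft.com, because microsoft.com itself is not an entry.

```python
"""Model of an allow-list DNS filter with an implied leading wildcard.

Added example, not Tehama's code. Assumed semantics, taken from the guide:
  * an empty allow list means the filter is inactive (every name passes
    through to the firewall rules);
  * an entry of 'example.com' also covers every subdomain of example.com;
  * entries are bare domain names: no scheme, no explicit wildcard.
"""

# The WSUS domains listed in this guide, used here as the sample allow list.
WSUS_DOMAINS = [
    "dl.delivery.mp.microsoft.com",
    "download.microsoft.com",
    "download.windowsupdate.com",
    "go.microsoft.com",
    "ntservicepack.microsoft.com",
    "update.microsoft.com",
    "windowsupdate.com",
    "windowsupdate.microsoft.com",
    "wustat.windows.com",
]


def normalize(name: str) -> str:
    """Canonical form for comparison: trimmed, lowercase, no trailing dot."""
    return name.strip().lower().rstrip(".")


def validate_entry(entry: str) -> str:
    """Reject input the guide says the field does not accept; return the
    normalized entry. Raises ValueError for a scheme prefix, an explicit
    wildcard, or anything that is not dot-delimited hostname labels.
    (Assumed checks; the real UI may validate differently.)
    """
    if "://" in entry:
        raise ValueError(f"{entry!r}: do not include a scheme such as http(s)://")
    if "*" in entry:
        raise ValueError(f"{entry!r}: the wildcard is implied; do not enter '*'")
    name = normalize(entry)
    labels = name.split(".")
    if not name or any(not lbl or not lbl.replace("-", "").isalnum() for lbl in labels):
        raise ValueError(f"{entry!r}: expected labels delimited by dots, e.g. example.com")
    return name


def matches(query: str, entry: str) -> bool:
    """True if query is the entry itself or any subdomain of it.

    The comparison is made on whole labels, so 'notexample.com' does not
    match an entry of 'example.com'.
    """
    q, e = normalize(query), normalize(entry)
    return q == e or q.endswith("." + e)


def dns_filter_decision(query: str, allow_list: list[str]) -> str:
    """Return 'firewall' if the name passes DNS Filtering and is handed on
    to the Room's firewall rules, or 'denied' if DNS Filtering blocks it.

    With an empty list the filter is inactive, so every name proceeds to
    the firewall rules.
    """
    if not allow_list:
        return "firewall"
    return "firewall" if any(matches(query, e) for e in allow_list) else "denied"


if __name__ == "__main__":
    entries = [validate_entry(d) for d in WSUS_DOMAINS]
    for q in ["download.windowsupdate.com", "cdn.windowsupdate.com",
              "fe3.delivery.mp.microsoft.com", "www.microsoft.com",
              "notwindowsupdate.com"]:
        print(f"{q:35} -> {dns_filter_decision(q, entries)}")
    print(f"{'example.com (empty list)':35} -> {dns_filter_decision('example.com', [])}")
```

A "firewall" result here is not "allowed": as the Overview says, the Room's firewall rules still decide whether the resolved address is reachable. The "denied" results are the ones to review when a Windows Desktop cannot fetch updates: a name Windows Update uses that is not itself on the list, and not a subdomain of a list entry, is blocked before the firewall rules are consulted.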
View Allowed Domains
The Org Admin user, the Org Managers and Room Managers (who are members of the Room) can view the list of allowed domains in a Multi-Path Room's DNS Filtering page. Check the description of your custom role to see if you can view allowed domains in a Room.
View the list of domains allowed by the Tehama DNS Filtering feature.
- Log in to the Tehama Web UI.
- Click on the ROOMS tab.
- Click on the name of the Room whose allowed domains you want to view. You will see the Room's interface. The tabs you will see depend on the role you have within your organization.
- Click on the CONNECTION tab.
- Click on the DNS Filtering sidebar item. You will see the list of allowed domains directly below the search field on the page. (You will not see this sidebar item if the Room is not a Multi-Path Room.)
Notes:
- The feature is active when the Room's DNS Filtering list contains at least one allowed domain. Otherwise the feature is deactivated.
- Domains in the list consist of one or more hierarchical parts, delimited by dots. For example, "example.com".
- Tehama's DNS Filtering accepts only domain names: "http(s)://" is not included before the domain in the field.
- Tehama's DNS Filtering infers a wildcard at the start of each domain name in the list. For example, 'example.com' is equivalent to '*.example.com'.
See the Overview section on this page for details on the behaviour of this feature.
Add Allowed Domain
The Org Admin user, the Org Managers and Room Managers (who are members of the Room) can view and edit the list of allowed domains in a Multi-Path Room's DNS Filtering page. Check the description of your custom role to see if you can view/edit allowed domains in a Room.
Add a domain to the list of domains allowed by the Tehama DNS Filtering feature.
- Log in to the Tehama Web UI.
- Click on the ROOMS tab.
- Click on the name of the Room whose allowed domains you want to edit. You will see the Room's interface. The tabs you will see depend on the role you have within your organization.
- Click on the CONNECTION tab.
- Click on the DNS Filtering sidebar item. (You will not see this sidebar item if the Room is not a Multi-Path Room.)
- Click on + Add domain. A domain field will appear.
- Enter the domain into the domain field.
- Click on the checkmark. You will see the domain appear in the list of allowed domains directly below the search field on the page.
Notes:
- Your domain name must consist of one or more hierarchical parts, delimited by dots. For example, "example.com".
- Tehama's DNS Filtering allows only domain names to be entered. Do not include "http(s)://" in the field.
- Do not include wildcard characters, such as an asterisk '*', in your domain name. Tehama's DNS Filtering infers a wildcard at the start of each domain name. For example, 'example.com' is equivalent to '*.example.com'.
Now that the domain has been added, when the user of a Desktop in the Room tries to access the internet via a domain address that matches this domain, Tehama resolves the domain to an IP address and only then checks whether the Room's firewall rules allow access to that IP. A domain that matches the list is therefore not automatically reachable: the firewall rules remain the final control.
Delete Allowed Domain
The Org Admin user, the Org Managers and Room Managers (who are members of the Room) can view and delete domains from the list of allowed domains in a Multi-Path Room's DNS Filtering page. Check the description of your custom role to see if you can view/delete allowed domains in a Room.
Delete a domain from the list of domains allowed by the Tehama DNS Filtering feature.
- Log in to the Tehama Web UI.
- Click on the ROOMS tab.
- Click on the name of the Room from which you wish to delete an allowed domain. You will see the Room's interface. The tabs you will see depend on the role you have within your organization.
- Click on the CONNECTION tab.
- Click on the DNS Filtering sidebar item. (You will not see this sidebar item if the Room is not a Multi-Path Room.) You will see the list of allowed domains directly below the search field on the page.
- Click on the 'x' in the top right corner of the domain you wish to delete. The DELETE FILTER dialog will appear.
- Click DELETE.
Now that the domain has been deleted:
- If at least one domain remains in the list of allowed domains, and the user of a Desktop in the Room tries to access the internet via the domain you just deleted (and it does not match any of the remaining domains in the list), Tehama will not allow access to that domain.
- If no domains remain in the list of allowed domains, DNS Filtering is deactivated for the Room: if the user of a Desktop in the Room tries to access the internet via the domain you just deleted, Tehama checks only whether the Room's firewall rules allow access to the internet address for the domain. Note that deleting the last domain therefore switches DNS Filtering off for the whole Room, not just for that domain.