Creating a DNS Security Profile helps to guard against DNS-related attacks.

You can do the following after you set up the DNS Security Profile:

  • Snoop on DNS responses for a VM, or a group of VMs on the transport node to associate FQDN with IP addresses.

  • Add global and default DNS server information, and apply it to all VMs that are using DFW rules.

  • Specify selected DNS server information for selected VMs.

  • Apply DNS profiles to groups.

Note: Only ESXi is supported in the current release.


  1. Navigate to Security > General Settings > Firewall > DNS Security.
  2. Click Add Profile.
  3. Enter the following values:
    Option Description
    Profile Name Provide a profile name.

    This field captures the Time to live for the DNS cache entry in seconds. You have the following options:

    TTL 0 - cached entry never expires.

    TTL 1 to 3599 - invalid

    TTL 3600 to 864000 – valid

    TTL left empty – automatic TTL, set from the DNS response packet.

    Note: DNS Security Profile has a default DNS cache timeout of 24 hours.
    Applied To You can select a group based on any criteria to apply the DNS security profile to.
    Note: Only one DNS server profile is applied to a VM.

    Optional. Assign a tag and scope to the DNS profile to make it easy to search. See Add Tags to an Object for more information.

  4. Click Save.

What to do next

After saving, click Manage Group to Profile Precedence to manage group to profile binding precedence.