Creating a DNS Security Profile helps to guard against DNS-related attacks.

Create a DNS Security profile and configure its TTL. After the profile is set up, you can do the following:

  • Snoop on DNS responses for a VM, or a group of VMs, on the transport node to associate FQDNs with IP addresses.

  • Create a group with VMs as members, and apply a DNS Security profile to the group.

Note: Only ESXi is supported in the current release.

Procedure

  1. Navigate to Security > General Settings > Firewall > DNS Security.
  2. Click Add Profile.
  3. Enter the following values:

     Profile Name: Provide a name for the profile.

     TTL: Time to live, in seconds, for entries in the DNS cache. The following values are accepted:

       TTL 0 - cached entries never expire.
       TTL 1 to 3599 - invalid.
       TTL 3600 to 864000 - valid.
       TTL left empty - automatic TTL, taken from the DNS response packet.

     Note: The DNS Security Profile has a default DNS cache timeout of 24 hours.

     Applied To: Select the group (based on any membership criteria) that the DNS Security profile applies to.

     Note: Only one DNS Security profile is applied to a VM.

     Tags: Optional. Assign a tag and scope to the DNS profile to make it easy to search. See Add Tags to an NSX Object for more information.

  4. Click Save.

What to do next

After saving, click Manage Group to Profile Precedence to set the precedence of group-to-profile bindings. Because only one DNS Security profile is applied to a VM, precedence decides which profile wins when a VM belongs to more than one group that has a profile bound to it.
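The following is an added illustration, not NSX code and not the product's snooping implementation. It simulates what the TTL options in step 3 and the one-profile-per-VM rule with precedence mean for a snooped FQDN-to-IP cache: profile TTL 0 pins entries forever, an empty TTL follows each DNS response, a fixed TTL in the 3600-864000 range overrides the response, and 1-3599 is rejected. All class and function names are hypothetical, the "DNS responses" are constructed tuples rather than parsed packets, and treating a response TTL of 0 in automatic mode as "do not cache" is a choice of this simulation (standard DNS semantics; the page does not say how NSX handles it).

```python
"""Simulation of DNS snooping under a DNS Security Profile's TTL rules.

Added illustration for this page; it is not NSX code. Names are hypothetical
and sample inputs are constructed inline.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

TTL_MIN, TTL_MAX = 3600, 864000  # valid fixed range from the profile form


def validate_profile_ttl(ttl: Optional[int]) -> Optional[int]:
    """Apply the TTL rules listed in the profile form.

    None          -> automatic: TTL is taken from each DNS response
    0             -> cached entries never expire
    3600..864000  -> fixed TTL in seconds for every snooped entry
    1..3599       -> rejected (the UI marks these invalid)
    """
    if ttl is None or ttl == 0:
        return ttl
    if TTL_MIN <= ttl <= TTL_MAX:
        return ttl
    raise ValueError(
        f"TTL {ttl} is invalid: leave empty, use 0, or use {TTL_MIN}-{TTL_MAX}")


@dataclass
class DnsSecurityProfile:
    name: str
    ttl: Optional[int] = None  # None = automatic TTL (field left empty)

    def __post_init__(self) -> None:
        self.ttl = validate_profile_ttl(self.ttl)


def effective_profile(
        vm_groups: List[str],
        precedence: List[Tuple[str, DnsSecurityProfile]]) -> Optional[DnsSecurityProfile]:
    """Only one profile applies to a VM: walk the group-to-profile bindings in
    precedence order and return the first whose group contains the VM."""
    for group, profile in precedence:
        if group in vm_groups:
            return profile
    return None


@dataclass
class CacheEntry:
    ip: str
    expires_at: Optional[int]  # None = never expires


@dataclass
class SnoopCache:
    """FQDN -> IP associations learned by snooping DNS responses for one VM."""
    profile: DnsSecurityProfile
    entries: Dict[str, CacheEntry] = field(default_factory=dict)

    @staticmethod
    def _key(fqdn: str) -> str:
        return fqdn.lower().rstrip(".")

    def snoop_response(self, fqdn: str, ip: str, response_ttl: int, now: int) -> None:
        """Record one A-record answer seen in a DNS response at time `now` (seconds)."""
        if self.profile.ttl == 0:
            expires: Optional[int] = None          # profile TTL 0: never expires
        else:
            # automatic (None) follows the response; a fixed value overrides it.
            # Simulation choice: a response TTL of 0 expires immediately.
            ttl = response_ttl if self.profile.ttl is None else self.profile.ttl
            expires = now + ttl
        self.entries[self._key(fqdn)] = CacheEntry(ip, expires)

    def lookup(self, fqdn: str, now: int) -> Optional[str]:
        """Return the cached IP for `fqdn`, evicting it if its TTL has elapsed."""
        key = self._key(fqdn)
        entry = self.entries.get(key)
        if entry is None:
            return None
        if entry.expires_at is not None and now >= entry.expires_at:
            del self.entries[key]
            return None
        return entry.ip


if __name__ == "__main__":
    # Constructed sample data: two bindings and one snooped answer.
    fixed = DnsSecurityProfile("one-hour", ttl=3600)
    auto = DnsSecurityProfile("auto-ttl")                # TTL left empty
    precedence = [("web-servers", fixed), ("all-vms", auto)]
    prof = effective_profile(["all-vms", "web-servers"], precedence)
    print("profile applied:", prof.name)                 # web-servers binding wins
    cache = SnoopCache(prof)
    cache.snoop_response("example.com.", "93.184.216.34", response_ttl=60, now=1000)
    print("after 61s:", cache.lookup("EXAMPLE.com", 1061))  # fixed TTL outlives the 60s response TTL
    try:
        DnsSecurityProfile("bad", ttl=600)
    except ValueError as err:
        print("rejected:", err)
```

The check worth keeping from this: a fixed profile TTL keeps an FQDN-to-IP association long after the resolver's own TTL has expired, so a host whose address changes will still match the old IP until the profile TTL elapses, and a TTL of 0 keeps it indefinitely.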