www.thunderdns.io     info@thunderdns.io       Las Vegas, United States

Thunder DNS User Guide

Quick Setup

Login to the Thunder DNS Server
Thunder DNS is a virtual server appliance. It can be deployed on a bare metal server or on a cloud VM. Server installation instructions for Thunder DNS vary depending on the operating system and server type. See www.thunderdns.io/resources for detailed instructions on server setup.
 
 
Access the User Interface (UI) of the Thunder DNS server by opening a web browser and going to port 8001 on the server's IP address (e.g. https://SERVER_IP_ADDRESS:8001). The server IP address is set to DHCP by default and the assigned IP address can be found on the server's console. The fallback IP address if no DHCP is present is 10.255.254.1.
 
Once the UI has been accessed, create and verify a user account and enter the license key to log into the server. The license key is only required on the first login.
Verify Network Settings
Upon login, the UI will be at the status page. Since no devices are using Thunder DNS yet, the counters will be at zero and very little information will be available.
 
The UI navigation is at the top of the screen and has the Status, DNS, L2TP, Network, and Account pages. First, navigate to the Network page and verify the server network settings are properly configured.
Configure Allowed Subnets
Allowed subnets control which devices are allowed to use the Thunder DNS server to resolve their queries. Thunder DNS drops all queries from devices that are not listed on the allowed subnet list.
Navigate to the DNS page to set up the allowed subnets that will point to the Thunder DNS server. 0.0.0.0/0 will allow any device on all subnets to use Thunder DNS. On a server that is reachable from the Internet, an entry of 0.0.0.0/0 makes Thunder DNS an open resolver that anyone can query, so list only the subnets you actually manage.
Enter Manual Filters (if desired)
Devices can use Thunder DNS once the network settings have been verified and the allowed subnets have been set up. Thunder DNS will resolve the devices' DNS queries and also protect users against suspicious threats.
 
Network administrators can also set manual filters to limit the domains that Thunder DNS will resolve. Admins can block specific domains, IPs, or specific categories of web traffic.  
 

Blacklisting Domains & IPs

Thunder DNS enables Network Admins to optimize their network traffic at three distinct layers.
  • Layer 1 (All Thunder Servers): All Thunder DNS deployments automatically receive network intelligence feeds that are used to inspect every query running on the network.
  • Layer 2 (Server Specific): The second layer is custom manual filters that are applied to all devices using a specific Thunder DNS server to resolve their DNS queries. 
  • Layer 3 (User Specific): The third optimization layer is filtering using L2TP or custom DHCP integrations. Filters applied at this layer will only impact specific users that are pointing to Thunder DNS servers. 
Automatic Blacklisting
Automatic blacklisting is used to provide security against potential/known cyber threats and it is enabled by default. However, it can be turned off by disabling the real time inspection feature on the DNS page. Thunder DNS will continue to resolve queries and manual entries (whitelists/blacklists) will still be applied when real time inspection is disabled. 
Manual Blacklist & Whitelist by Domain
Manual blacklisting allows admins to create their own custom blacklist. This is often required for local compliance regulations. Manual blacklisting allows network admins to control the domains that Thunder DNS will resolve for all devices using the Thunder DNS servers. Common applications of manual blacklisting are restricting traffic for religious or educational purposes. In addition, many governments require enforcement of region-specific blacklists. To blacklist a domain, simply enter the domain name (e.g. www.yahoo.com) in the blacklist window, click the add button, and then click the apply button at the bottom of the screen.
Manual Blacklisting by IP or Country IP
Thunder DNS inspects each query two times. The first inspection occurs when the domain query is sent to the Thunder DNS server and the domain is checked against the domain blacklist and the threat intelligence database. The second inspection occurs after the domain has been resolved to an IP address: the IP address of the resolved query is inspected prior to sending the response back to the client device.
Similar to blacklisting by domain, Thunder DNS allows the admin to blacklist by IP address or filter out traffic from IP blocks of specific countries. To block by IP address, go to the IP Filter Tab, enter the IP address, click "Add" and then click the "Apply" button.  
Verifying Blacklist is working properly
Changes to the DNS page are applied immediately; however, it may take some time for the changes to propagate on the network due to local caching. One way to verify the changes have taken place is to use the dig command on a device that is using Thunder DNS as its primary DNS server.
[Figure captions: "Blacklist Not Working" and "Blacklist Working"]
Instructions below:
  • Open a command prompt on the device that is using Thunder DNS as its primary DNS server
  • Type dig @SERVER_IP_ADDRESS DOMAIN (e.g. dig @22.2.2.2 www.abc.com)
  • Look for the answer section of the result and see the listed IPs.
  • If the Answer Section lists the Thunder DNS Server IP address then the blacklist is in effect.
    • Note: If the device is not properly set up to use Thunder DNS as its DNS server, then it will not respond with the Thunder DNS server IP even if the blacklist is set up properly.
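The check above can be scripted so that it does not rely on reading the dig output by eye. The script below is an added example and is not part of the Thunder DNS guide or product; it parses the ANSWER SECTION of dig output and reports whether every A record is the Thunder DNS server address (meaning the block page is being returned). The server address 22.2.2.2 and the domain www.abc.com are the guide's placeholder values, and the two dig outputs embedded in the script are constructed samples, one for each of the two screenshots in the guide.

```shell
#!/bin/sh
# Added example (not part of the Thunder DNS guide): decide from dig output
# whether a blacklisted domain is being answered with the Thunder DNS
# server's own address.
#
# Live usage on a client that uses Thunder DNS as its primary resolver:
#   dig @SERVER_IP_ADDRESS DOMAIN | blacklist_in_effect SERVER_IP_ADDRESS
# 22.2.2.2 and www.abc.com are the guide's placeholder values.

# Print the A records found in the ANSWER SECTION of dig output read on stdin.
answer_a_records() {
    awk '
        /^;; ANSWER SECTION:/   { in_answer = 1; next }
        /^;;/ || /^$/           { in_answer = 0 }
        in_answer && $4 == "A"  { print $5 }
    '
}

# Return 0 (true) when the answer is non-empty and every A record equals the
# Thunder DNS server address given as $1; return 1 otherwise.
blacklist_in_effect() {
    server_ip=$1
    records=$(answer_a_records)
    [ -n "$records" ] || return 1
    for ip in $records; do
        [ "$ip" = "$server_ip" ] || return 1
    done
    return 0
}

# Constructed sample: blacklist in effect (answer is the server address).
BLOCKED_OUTPUT=';; ANSWER SECTION:
www.abc.com.		60	IN	A	22.2.2.2

;; Query time: 1 msec'

# Constructed sample: blacklist not in effect (real addresses returned;
# 203.0.113.0/24 is a documentation range).
RESOLVED_OUTPUT=';; ANSWER SECTION:
www.abc.com.		300	IN	A	203.0.113.10
www.abc.com.		300	IN	A	203.0.113.11

;; Query time: 12 msec'

# $1 = server IP, $2 = captured dig output; prints a one-line verdict.
check_sample() {
    if printf '%s\n' "$2" | blacklist_in_effect "$1"; then
        echo "blacklist in effect"
    else
        echo "blacklist NOT in effect (or client not using Thunder DNS)"
    fi
}

check_sample 22.2.2.2 "$BLOCKED_OUTPUT"
check_sample 22.2.2.2 "$RESOLVED_OUTPUT"
```

Because the function requires every A record to match the server address, a domain that is still partially served from a local cache (a mix of real addresses and the block page address) is reported as not yet blocked, which is the conservative answer while changes propagate.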
 

CATEGORY FILTERING

Thunder DNS categorizes over 20 million domains into 80+ content categories. Network admins can use these content categories to blacklist content by category type and to better understand the type of content being consumed on their network.
Thunder DNS categorizes every domain that it resolves. These category filters can be applied for all users using the DNS page or can be applied for specific users by using L2TP tunnels or through DHCP integration.
 
Navigate to the Category Filters tab on the DNS page to set up a category filter. Click "Add Category Filter" and a pop-up window will appear with many content categories. The admin can select individual categories to filter or filter entire category groups. Once selected, click "Apply" at the bottom of the window and then click "Apply" at the bottom of the DNS page. Filtering with L2TP tunnels can be set up in the same fashion on the L2TP page.
 

L2TP Tunneling

Layer Two Tunneling Protocol (L2TP) is designed to create secure tunnels over the Internet. Thunder DNS uses L2TP to serve remote locations behind a private NAT and to allow admins to create unique filtering rules that are specific to each tunnel. Note that L2TP on its own only encapsulates traffic; confidentiality comes from the IPSec encryption option described in the setup steps below.
L2TP Tunnels are natively supported in Thunder DNS. Setup instructions below:
 
  • Enable L2TP Tunneling on Thunder DNS
    • Navigate to the L2TP section on the UI
    • Enable L2TP Site Filtering
    • Enable IPSec Encryption (recommended but not required)
    • Enter IPSec Pre-Shared Key
    • Create an L2TP IP Address Pool that can be assigned to new L2TP devices
    • Click "Apply" at the bottom of the page
  • Setup a new device for L2TP Tunneling in Thunder DNS
    • Go to the "Devices" tab in the L2TP page
    • Enter a new device name, L2TP username, and L2TP password
    • Assign an IP address from the drop down menu
    • Click "Add" and then click "Apply" at the bottom of the page
  • Create a new filter template in Thunder DNS
    • Go to the Filter Templates tab in the L2TP page
    • Click "Create New Template" and a pop-up window will appear
    • Add blacklist filters for the tunnel. The pop up window will allow the admin to setup custom Domain, IP, and Category filters per L2TP tunnel.
    • Click "Apply" at the bottom of the window 
      • Note: Each filter template can be used for multiple devices. It is not required to create a new template for each new device. 
  • Map the device, DSCP marking, and Filter Template in Thunder DNS
    • Go to the L2TP Mapping tab in the L2TP page
    • Select the new device from the drop down
    • Select the DSCP marking from the drop down. The DSCP marking is a special tag that marks each tunnel (similar to a VLAN). Thunder DNS supports up to 64 DSCP markings so each device could have 64 different filters applied depending on the DSCP marking.
    • Select the Filter Template from the drop down
    • Click "Add" and then click "Apply"
  • Configure the L2TP tunnel settings on the third party device
    • Go to the User Interface of the third-party device and set up the L2TP tunnel.
    • Ensure the L2TP settings match on the device and the Thunder DNS server, including L2TP Username, L2TP Password, L2TP Port, IP address, and DSCP marking.
      • Note: The internal Thunder DNS IP address for L2TP connections is statically set to 10.255.255.100
 
 

Custom Block Page

Thunder DNS allows network admins to redirect blocked domains to their own branded URL. Whether the block page is actually displayed depends on the domain and the browser being used: for a site reached over HTTPS, the browser will typically show a certificate warning instead of the block page, because the block page server cannot present a valid certificate for the blocked domain.
By default, Thunder DNS re-directs to the Thunder DNS block page. Instructions to update the block page can be found below.
  • Navigate to the Account page on the Thunder DNS server UI
  • Under the settings section, enter the new custom block page URL
  • Click "Apply" in the box and then click "Apply" at the bottom of the Account page

Multi User Settings 

Thunder DNS allows for multiple user accounts to be set up on each Thunder DNS server. Each user account has admin privileges and can modify the server configuration, so add accounts only for people who should be able to change the server configuration.
New admin users must be added to each individual server manually. Instructions for adding a new admin user can be found below.
  • Have the New Admin create a User Account on the Server
    • Open a web browser and enter https://SERVER_IP_ADDRESS:8001
    • Have the New Admin click "Create Account"
    • The New Admin must complete the new user account form and click "Submit"
    • Once submitted, the New Admin must verify the account through their email address by clicking "Verify"
      • If the email does not arrive, have the New Admin check their Spam folder as the email may be mistaken as Spam
  • Have the Existing Admin log into the Server and Add the new Admin's Email Address
    • Open a web browser and enter https://SERVER_IP_ADDRESS:8001
    • Have the Existing Admin log into the server and then navigate to the Account page in the UI
    • Add the email address that is associated with the New Admin's user account
    • Click "Apply" 
    • Have the Existing Admin log out and allow the New Admin to log into the server