Configure the DNS suffix
BlastShield runs its own private DNS service. This allows you to access protected endpoints and Host Agents by hostname as well as by IP address. The Orchestrator is configured with a default DNS suffix, which is "blastshield.io". The DNS suffix is configurable, and you can configure one or more DNS suffixes.
You can also configure, for each DNS domain, how names that are not hosted in BlastShield are handled, so that any name not contained in the BlastShield network can be resolved using an upstream DNS server. This allows public-facing websites to keep working while you are connected through BlastShield. This is managed by the "resolve unknown records" option on the DNS suffix, which is explained below.
Process Summary
Enter the suffix(es) that you wish to use in the Orchestrator.
Upload the Orchestrator certificate.
Configure the corresponding DNS names on your endpoints.
Procedure
Navigate to the Network Settings
Log in to the Orchestrator and click the Network Settings button on the left-hand menu. The Network Settings window will open, as shown below. This Orchestrator is using the default DNS suffix of "blastshield.io".
Enter the DNS suffix(es)
Enter the DNS suffix(es) you want to use into the DNS suffix box in the settings.
To configure how unknown records are resolved, click the three dots on the right and choose More settings.
Under the Resolve unknown records using: heading, select the desired option. You can choose between none, use the Orchestrator DNS, or use a DNS server running on another node. If you are using a particular node to resolve unknown records, then select it from the drop-down menu.
Click on OK.
If you are using more than one DNS suffix then enter the additional suffixes into the Additional DNS Suffixes box.
To configure how unknown records are resolved for an additional suffix, click the three dots on the right and choose More settings.
Under the Resolve unknown records using: heading, select the desired option. You can choose between none, use the Orchestrator DNS, or use a DNS server running on another node. If you are using a particular node to resolve unknown records, then select it from the drop-down menu.
Click on OK.
Click Save changes to save the DNS suffix settings.
Upload the certificate(s) for your hostnames
In the Orchestrator Certificate dialogue box in the Network Settings, upload either a signed certificate for a previously downloaded signing request, or a zip archive containing both a private key and a matching certificate. Refer to the article "Upload a certificate to the orchestrator" for details.
Configure DNS names for your Endpoints and Agents
Navigate to the Agent menu to open the Agent Settings page.
In the DNS Hostnames box, enter the desired hostname.
When you configure an Endpoint's or Agent's DNS name, you can set it to a short name such as "foo". It is then resolved as usual under the primary suffix, i.e. as "foo.blastshield.io" (if blastshield.io is your primary DNS suffix).
If you want to use one of your additional suffixes, you must type in the full name, for example "foo.myothersuffix.io".
You can also make an endpoint appear under both suffixes by entering a comma-separated list of names such as "foo, foo.myothersuffix.io".
In the example above, the Agent will have two DNS hostnames: 'syslog.primary-DNS-suffix' and 'syslog.myothersuffix.io', where 'myothersuffix.io' is a secondary DNS suffix.
Your Endpoints and Agents should now be reachable by both the configured DNS hostnames and by IP address.
Caution
To access a node using the primary suffix, you can use either the short name or the full name, for example "foo" or "foo.blastshield.io" (if "blastshield.io" is the primary DNS suffix and "foo" is the endpoint's hostname).
To access a node using an additional suffix, you must always use the full name, for example "foo.myothersuffix.io" (if "myothersuffix.io" is the additional DNS suffix and "foo" is the endpoint's hostname).
The Orchestrator will always use the primary DNS suffix.
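The naming rules above (short names live only under the primary suffix, additional suffixes need the full name, a comma-separated entry puts a node under several suffixes, and unknown records follow the per-suffix setting) can be checked with the following model. It is an added example, not BlastShield code: the policy strings "none", "orchestrator" and "node:<name>", the record store and the sample IP addresses are all assumed or constructed here.

```python
from dataclasses import dataclass, field

@dataclass
class SuffixConfig:
    primary: str                                   # e.g. "blastshield.io"
    additional: list[str] = field(default_factory=list)
    # "Resolve unknown records using" choice per suffix; the string values
    # "none", "orchestrator" and "node:<name>" are an assumed representation.
    unknown_policy: dict[str, str] = field(default_factory=dict)

def expand_hostnames(entry: str, cfg: SuffixConfig) -> set[str]:
    """Expand a DNS Hostnames box value such as "foo, foo.myothersuffix.io"
    into the fully qualified names the node is reachable under. A short
    name (no dot) only ever lives under the primary suffix; any name under an
    additional suffix has to be typed out in full."""
    names = set()
    for raw in entry.split(","):
        name = raw.strip().lower().rstrip(".")
        if not name:
            continue
        if "." not in name:
            names.add(f"{name}.{cfg.primary}")
        elif any(name.endswith("." + s) for s in [cfg.primary, *cfg.additional]):
            names.add(name)
        else:
            raise ValueError(f"{name!r} does not end in a configured DNS suffix")
    return names

def resolve(query: str, records: dict[str, str], cfg: SuffixConfig) -> tuple[str, str]:
    """Return ("answer", ip) for a known name, ("forward", policy) or
    ("nxdomain", suffix) for an unknown name under a configured suffix, and
    ("outside", "") for a name under no BlastShield suffix at all."""
    q = query.strip().lower().rstrip(".")
    if "." not in q:                               # short query: primary suffix only
        q = f"{q}.{cfg.primary}"
    if q in records:
        return ("answer", records[q])
    for suffix in [cfg.primary, *cfg.additional]:
        if q.endswith("." + suffix):
            policy = cfg.unknown_policy.get(suffix, "none")
            return ("nxdomain", suffix) if policy == "none" else ("forward", policy)
    return ("outside", "")

# Constructed sample: the page's syslog Agent, reachable under both suffixes.
CFG = SuffixConfig("blastshield.io", ["myothersuffix.io"],
                   {"blastshield.io": "orchestrator", "myothersuffix.io": "none"})
RECORDS = {n: "10.0.0.5" for n in expand_hostnames("syslog, syslog.myothersuffix.io", CFG)}
```

Querying the short name "foo" for a node that was only entered as "foo.myothersuffix.io" is treated as an unknown record under the primary suffix, which is the pitfall the Caution above describes.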