Jamf Security Cloud Portal Setup Guide

DNS Zones

Save PDF

Save selected topic Save selected topic and subtopics Save all topics

Share to email Copy topic URL

Expand All

Jamf Security Cloud Portal Setup Guide
Setting Up Your Portal
The Jamf Security Cloud Dashboard
Reports
Device Management
Distribution Methods for the Jamf Trust App
Policies
Portal Integrations
Notifications
Organization Units in Jamf Security Cloud
- Organization Unit Hierarchy, Inheritance, and Overrides
Service Controls
Copyright and Trademarks

Table of Contents

DNS Zones

Save PDF

Save selected topic Save selected topic and subtopics Save all topics

Share to email Copy topic URL

Expand All

Last UpdatedMar 27, 2025
3 minute read

Jamf Connect
Jamf Protect
Technical Documentation

DNS Zones are designed to provide trusted devices with "internal" DNS responses, even if those devices are physically outside the organization's network perimeter. By configuring custom DNS Zones, you define your organization's authoritative DNS name servers that should be used for the internal domains that you own. With this, each DNS request is sent to one of the defined name servers using a pseudo-random load balancing algorithm.

Each zone is comprised of:

A zone name
A set of domains that identify the zone. DNS queries matching these domains will be matched against this custom DNS Zone configuration. A given domain can only belong to a single Custom DNS Zone.
The IP addresses of your network's Authoritative Name Servers that are able to service DNS requests for the defined domains
The Interconnect Gateways used to reach the defined name server IP addresses to resolve client DNS requests

Configuring Custom DNS Zones

Custom DNS Zones are used to resolve hostnames belonging to a specific set of domains via one or more authoritative name servers within your network.

Requirements

IP addresses of authoritative name servers
Configured Interconnect Gateways through which those servers are available
Important:
Misconfiguring a zone may result in lost connectivity to some or all of your private applications and workloads for your end users.
Make sure that all defined domains are resolvable by the authoritative name servers defined within each zone. Ensure that all authoritative name servers are available via the defined interconnect gateways.

In Jamf Security Cloud, navigate to Integrations > DNS zones.
Click Add zone.
Enter a Zone name.
For each domain, type the domain name and click Add new domain.
Note:
Jamf Security Cloud supports domains of any length, including just a wildcard *. This would match any DNS query, but would significantly increase the load on your internal DNS name servers.
Reverse DNS lookups are supported by specifying the domains with .in-addr.arpa and .ipv6.arpa suffixes.
Define one or more Authoritative Name Servers:
1. Enter a server IP Address.
2. Select the Interconnect Gateway that will be used to reach that server.
3. Click Add.
Note:
A name server IP Address can only be defined once per DNS Zone.
If the Nearest Data Center egress Gateway is selected, the IP address of the Authoritative Name Server must be publicly reachable and not fall into any reserved private IP ranges for security reasons; for example, RFC1918.
Click Save.
Repeat these steps for other zones as required.

Each DNS query matching the list of domains in the Custom DNS Zone will be routed to one of the configured Authoritative Name Servers using a pseudo-random load-balancing algorithm.

Note:

If your internal infrastructure changes, you must edit and reconfigure your Custom DNS Zones as well. Changes that may require you to reconfigure your zones include:

Adding a new Authoritative Name Server into your infrastructure
Changing the IP Address of the existing Authoritative DNS Server
Adding a new application with a domain name that doesn't match the domains of the Custom DNS Zone
Changing a domain name of one of your applications, if the new name doesn't match the domains of the Custom DNS Zone

You can now proceed to configure your access policy.

Troubleshooting Custom DNS Zones

If you experience DNS lookup failures within a custom DNS zone, verify that DNS requests are being received by Jamf's servers and forwarded to the correct DNS resolver in your network.

Ensure that the custom DNS zone is configured properly in Jamf Security Cloud. For DNS zones being forwarded to your network, edit the configuration to determine which IPsec gateway is being used to forward DNS requests to your network's authoritative name servers.
Confirm that the IPsec gateway is active and connecting to Jamf Security Cloud by navigating to Integrations > Access gateways and reviewing the gateway's status.
Review the Zero Trust Network Access (ZTNA) DNS logs in Jamf Security Cloud to determine whether requests are being forwarded correctly. You can access these logs by navigating to Reports > Access > Event logs. To view the IP address of the DNS resolver that provided the response, click the three dots at the top right of the Event logs table and select the Resolver checkbox.

Jamf Security Cloud Portal Setup Guide

DNS Zones

Contents

DNS Zones

On This Topic

For an enhanced experience and access to additional features, log in to the Jamf Learning Hub with your Jamf ID.