Precedence for DNSWatch in WatchGuard Cloud and a Firebox

Applies To: DNSWatch in WatchGuard Cloud

This feature is only available to participants in the WatchGuard Cloud Beta program.

References to DNSWatch in this topic relate to DNSWatch in WatchGuard Cloud. To learn about the legacy DNSWatch UI, go to About WatchGuard DNSWatch in Fireware Help.

When DNSWatch is enabled on a Firebox, DNSWatch servers take precedence over these DNS servers:

  • Network (Global) DNS servers configured on your Firebox (DNSWatch does not take precedence over a local DNS server if it appears first in the Network DNS server list)
  • Interface DNS servers configured on your Firebox
  • DNS servers assigned by your ISP (when the Firebox is a DHCP or PPPoE client)
  • Forwarders to public DNS servers configured on a local DNS server
  • DNS servers manually configured on a network host

These factors affect whether the Firebox sends DNS requests from your network to DNSWatch:

DNSWatch DNS Servers

When enabled on your Firebox, DNSWatch in WatchGuard Cloud adds two DNSWatch IP addresses to your Firebox configuration:

  • 166.117.187.59
  • 13.248.160.135

When one of the DNSWatch servers is not available, the Firebox contacts the other DNSWatch server.

When you enable DNSWatch enforcement on an internal interface, the Firebox redirects all outbound DNS requests from that interface to DNSWatch DNS servers.

Network (Global) DNS Server

The Network (Global) DNS server is the default DNS server for all interfaces and local processes on the Firebox. Your Firebox sends DNS requests to the first server in the Network DNS server list before other servers in the list.

If the Network DNS server list includes a local DNS server, the local DNS server must appear first in the list. DNSWatch does not take precedence over a local DNS server if that server appears first in the Network DNS server list.

When DNSWatch is enabled with enforcement disabled:

  • DNSWatch DNS servers take precedence over DNS servers in the Network DNS server list on the Firebox for DNS requests initiated by the Firebox itself, or for DNS requests addressed to the Firebox IP address. There is one exception: DNSWatch does not take precedence over a local DNS server if it appears first in the Network DNS server list.
  • DNS requests addressed to IP addresses other than the Firebox IP address or DNSWatch IP addresses are not sent to DNSWatch.
  • If the DNS forwarding feature is disabled, DNS requests initiated by or addressed to the Firebox are sent to DNSWatch.
  • If the DNS forwarding feature is enabled, DNS requests initiated by or addressed to the Firebox are resolved by the Firebox cache, sent to DNS servers that are specified in conditional DNS forwarding rules, or sent to DNSWatch (in that order).

When DNSWatch is enabled with enforcement enabled:

  • DNSWatch DNS servers take precedence over DNS servers in the Network DNS server list on the Firebox. There is one exception: DNSWatch does not take precedence over a local DNS server if it appears first in the Network DNS server list.
  • DNS requests initiated or received by the Firebox are resolved by the Firebox cache, sent to DNS servers specified in conditional DNS forwarding rules, or sent to DNSWatch (in that order).

Interface DNS Server

The interface DNS server is an optional DNS server that you can specify when you configure an interface as a DHCP server.

If DNSWatch is enabled with enforcement disabled, and an interface DNS server is specified, DNS requests are sent to the interface DNS server instead of DNSWatch.

When DNSWatch is enabled with enforcement enabled, and an interface DNS server is specified:

  • DNSWatch DNS servers take precedence over the DNS servers specified in the interface settings.
  • DNS requests for external resources are resolved by the Firebox cache, sent to DNS servers specified in conditional DNS forwarding rules, or sent to DNSWatch (in that order).

DNS Server from an ISP

When your Firebox is configured as a DHCP or PPPoE client, it receives DNS server settings from your ISP.

When DNSWatch is enabled:

  • DNSWatch DNS servers take precedence over servers from your ISP.
  • Your Firebox gets DNS servers from your ISP and saves that information.

Forwarders on a Local DNS Server

Local DNS servers resolve queries for hostnames on your private networks and contact other DNS servers to resolve queries for public hostnames. There are two methods that your DNS server can use to resolve queries for public hostnames: forwarders and root hints.

DNSWatch is not compatible with root hints. On a Windows server, if you have both forwarders and root hints configured, root hints are used if forwarders do not respond. For the best results with DNSWatch, we recommend that you clear the Use root hints if no forwarders are available option on the Forwarders tab.

If you have a local DNS server with forwarders configured:

If DNSWatch enforcement is enabled

DNSWatch takes precedence over public DNS forwarders specified on your local DNS server.

Because the Firebox monitors port 53 traffic when enforcement is enabled, DNS requests for public domains are sent to DNSWatch even if the request was addressed to a public forwarder specified in your local DNS server settings.

Screenshot: Public DNS servers configured as DNS forwarders in Windows Server 2016

If DNSWatch enforcement is disabled, and the Firebox IP address is specified as a forwarder on your local DNS server

DNS requests for public domains sent to the local DNS server are forwarded to the Firebox, which forwards the requests to DNSWatch.

Screenshot: Firebox configured as a DNS forwarder in Windows Server 2016

Manually Configured DNS Servers on a Host

A host on your network might be manually configured with DNS server settings.

If DNSWatch enforcement is enabled

DNSWatch takes precedence over public DNS servers manually configured on the host.

Because the Firebox monitors port 53 traffic when enforcement is enabled, DNS requests for public domains are sent to DNSWatch even if the request was addressed to a different DNS server.

If DNSWatch enforcement is disabled, and the host is configured with public DNS servers

DNS requests for public domains are sent to the DNS server specified in the host settings. DNS requests are not redirected to DNSWatch.

To protect this host with DNSWatch without enabling DNSWatch enforcement, we recommend that you change the manually configured DNS servers on that host to the Firebox IP address or the DNSWatch server IP addresses.

If DNSWatch enforcement is disabled, and the Firebox IP address is configured as a DNS server in the host settings

DNS requests for public domains are sent to the Firebox, which forwards the requests to DNSWatch.
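The precedence rules in the sections above (Firebox-initiated requests, requests addressed to the Firebox, requests addressed to other servers, and the local-DNS-first exception) can be written down as a small decision model and used to audit which manually configured hosts are left outside DNSWatch. This is an added example and not WatchGuard code; the Firebox address, the local DNS server address and the host list are constructed, and the two DNSWatch addresses are the ones listed in this topic.

```python
"""Decision model of the DNSWatch precedence rules in this topic (added example)."""
from dataclasses import dataclass, field

DNSWATCH_SERVERS = {"166.117.187.59", "13.248.160.135"}   # addresses listed above
FORWARDING_CHAIN = ["Firebox cache", "conditional forwarding rules", "DNSWatch"]


@dataclass
class FireboxConfig:
    firebox_ip: str                     # constructed address of the internal interface
    enforcement: bool                   # DNSWatch enforcement on that interface
    dns_forwarding: bool = False        # DNS forwarding feature on the Firebox
    network_dns: list = field(default_factory=list)  # Network (Global) DNS list, in order
    local_dns: set = field(default_factory=set)      # which of those are local DNS servers


def resolution_path(cfg, dst_ip, from_firebox=False):
    """Ordered list of resolvers a request addressed to dst_ip can reach."""
    to_firebox = from_firebox or dst_ip == cfg.firebox_ip
    # Exception stated for both modes: a local DNS server that is first in the
    # Network DNS list keeps precedence for requests the Firebox resolves itself.
    if to_firebox and cfg.network_dns and cfg.network_dns[0] in cfg.local_dns:
        return [cfg.network_dns[0]]
    if dst_ip in DNSWATCH_SERVERS:
        return ["DNSWatch"]
    if cfg.enforcement:
        # Port 53 is monitored: the Firebox's own requests pass through the cache and
        # conditional rules first; any other outbound request is redirected outright.
        return list(FORWARDING_CHAIN) if to_firebox else ["DNSWatch"]
    if to_firebox:
        return list(FORWARDING_CHAIN) if cfg.dns_forwarding else ["DNSWatch"]
    return [dst_ip]                     # enforcement disabled: not redirected


def unprotected_hosts(cfg, hosts):
    """Hosts whose manually configured DNS server never reaches DNSWatch."""
    return sorted(name for name, dns_ip in hosts.items()
                  if resolution_path(cfg, dns_ip)[-1] != "DNSWatch")


if __name__ == "__main__":
    cfg = FireboxConfig(firebox_ip="10.0.1.1", enforcement=False, dns_forwarding=True)
    # Constructed host inventory: public resolver, Firebox IP, DNSWatch IP.
    hosts = {"ws01": "8.8.8.8", "ws02": "10.0.1.1", "ws03": "13.248.160.135"}
    print(unprotected_hosts(cfg, hosts))   # ['ws01']
    cfg.enforcement = True
    print(unprotected_hosts(cfg, hosts))   # []
```

Extending the host inventory with the DNS servers your DHCP scopes hand out gives a quick check of which clients would need either enforcement or a changed resolver setting.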

Related Topics

Quick Start — Set Up DNSWatch in WatchGuard Cloud

Add a DNSWatch Configuration in WatchGuard Cloud