All network resources in an IPv4 network have an IP address, such as 10.0.2.25. DNS (Domain Name System) allows users to get access to resources by name. When a user attempts to get access to a device by a name, such as www.example.net, the client computer sends a request to its configured DNS server, which returns the IP address associated with that device name. A device name that is linked to one or more IP addresses is known as a hostname.
A hostname that includes the full domain path, such as mail.example.net, is called a FQDN (Fully Qualified Domain Name). Some hostnames, such as mail, do not include the domain path.
How DNS Works Across a VPN
When a Mobile VPN client establishes a VPN tunnel to a Firebox, the Firebox assigns a virtual IP address to the client computer. DNS servers are assigned to clients based on the Firebox settings you specify.
For all mobile VPN methods in Fireware v12.2.1 or higher, you can select one of these options in the mobile VPN configuration:
Assign the network DNS/WINS settings to mobile clients
If you select this option, mobile clients receive the DNS and WINS settings you specify at Network > Interfaces > DNS/WINS. For example, if you specify the DNS server 10.0.2.53in the Network DNS/WINS settings, mobile VPN clients use 10.0.2.53as a DNS server.
If you have a local DNS server, it must appear first in the list. This is required so that local domain resolution works for mobile VPN users. You can also specify a domain name in the network settings. The domain name is added as a suffix to all DNS requests from VPN clients. If there is no response to the DNS request with the added suffix, the device sends a second DNS request without the suffix. For example, if a client tries to browse to hostname, and the DNS suffix is example.net, the device tries to resolve hostname.example.net. If a domain name is not specified, VPN clients must use a FQDN, such as mail.example.net, to send traffic to a resource.
By default, the Assign the Network DNS/WINS Server settings to mobile clients setting is selected for new mobile VPN configurations.
Do not assign DNS or WINS settings to mobile clients
If you select this option, clients do not receive DNS or WINS settings from the Firebox.
Assign these settings to mobile clients
If you select this option, mobile clients receive the settings you specify in this section. Different mobile VPN methods have different available settings:
- Mobile VPN with IPSec — Specify a domain suffix, up to two DNS servers, and up to two WINS servers.
- Mobile VPN with SSL — Specify a domain suffix, up to two DNS servers, and up to two WINS servers.
- Mobile VPN with IKEv2 — Specify up to two DNS servers and up to two WINS servers. You cannot specify a domain suffix.
- Mobile VPN with L2TP — Specify up to two DNS servers. You cannot specify WINS servers or a domain suffix.
If DNSWatch is enabled, and you select the Assign the network DNS/WINS settings to mobile clientssetting in your mobile VPN configuration:
- If you have a local DNS server, it must appear first in the Network DNS server list on the Firebox.
- The Firebox assigns the local DNS server and one DNSWatch DNS server to mobile VPN clients.
If DNSWatch is enabled, and you select the Assign these settings to mobile clientssetting in your mobile VPN configuration:
- If you have a local DNS server, you must specify it as the first DNS server in your mobile VPN configuration.
- You must also specify one DNSWatch DNS server in the mobile VPN configuration.
- If the DNSWatch IP address changes, you must manually update the Mobile VPN settings with the new IP addresses. You can get a DNSWatch IP addresses from the DNSWatch Dashboard, which includes all regional DNSWatch IP addresses. For information about the DNSWatch Dashboard, see DNSWatch Dashboard.
To see a configuration example for a network with DNSWatch and mobile VPN users, see DNSWatch on Firebox Configuration Examples.
In Fireware v12.2 or lower, DNS works differently for mobile VPN configurations. For more information, see DNS in Mobile VPN Configurations (Fireware v12.2 or lower) in the WatchGuard Knowledge Base.