DNSWatch Configuration

When you enable DNSWatch on the Firebox, you configure a DNSWatch enforcement setting, which controls which outbound DNS requests the Firebox redirects to DNSWatch. For most networks, we recommend that you enable DNSWatch enforcement on all interfaces. If you prefer to disable enforcement, and you have a local DNS server, see Example 4 — Local DNS server; DNSWatch enforcement disabled.

For more information about the enforcement setting, see Enable DNSWatch on Your Firebox.

Example Configurations

These examples describe how to configure DNSWatch and other DNS settings on the Firebox and on your network.

Example 4 — Local DNS server; DNSWatch enforcement disabled

If you want DNSWatch to protect your network, but you do not want to enable DNSWatch enforcement, you can use the configuration in this example.

Diagram of a network with DNSWatch (Configuration Example 4)

Network configuration

DHCP

In this example, you have DHCP clients on your network, and the DHCP server is either the Firebox or a local DHCP server.

If the Firebox is your DHCP server, enable DNS forwarding on the Firebox. When DNS forwarding is enabled, and when the Firebox is configured as a DHCP server, the Firebox gives its own IP address as the DNS server to DHCP clients.

If you have a local DHCP server, you can configure it to give the local DNS server to DHCP clients.

DNS

On your local DNS server, we recommend that you configure a forwarder for the Firebox IP address.

In our example, we configure a forwarder for the Firebox IP address 10.0.1.1 in Windows Server 2016.

Screen shot of the DNS Forwarders configuration in Windows Server 2016

Optionally, you can configure forwarders that point to DNSWatch IP addresses.

Screen shot of the DNS Forwarders configuration in Windows Server 2016

You can get these IP addresses from the DNSWatch Web UI, which includes all regional DNSWatch IP addresses. DNSWatch IP addresses resolve to the dnswatch.watchguard.com domain. For a list of current DNSWatch resolvers, see DNSWatch Resolvers. If DNSWatch IP addresses change, you must manually update these forwarders with the new IP addresses.

We recommend that you do not configure forwarders other than DNSWatch IP addresses. If your DNS server is configured to contact DNS forwarders simultaneously instead of sequentially, some DNS requests might be sent to DNS servers other than DNSWatch. This means your users will not always be protected by DNSWatch.

It is possible that the cache on your local DNS server contains entries for domains that DNSWatch considers malicious. We recommend that you flush the DNS cache on any local DNS servers after you enable DNSWatch. When you flush the cache, DNS requests for external resources are resolved by DNSWatch instead of the local DNS server cache.

For more information about DNS forwarding settings on your server, see the documentation for your operating system.

DNSWatch is not compatible with root hints. On a Windows server, if you have both forwarders and root hints configured, root hints are used if forwarders do not respond. For the best results with DNSWatch, we recommend that you clear the Use root hints if no forwarders are available option on the Forwarders tab.
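The Windows Server DNS forwarder, cache flush, and root-hints settings described above, as an added PowerShell example that is not part of the WatchGuard page; it assumes the DnsServer module (installed with the DNS Server role), an elevated session on the DNS server itself, and the Firebox IP address 10.0.1.1 from this example.

```powershell
# Added example (not WatchGuard's own code): apply the forwarder settings this
# example recommends on a Windows Server 2016 DNS server.
# Assumptions: DnsServer module present, run as administrator on the DNS server,
# Firebox IP 10.0.1.1 as in the example.
Import-Module DnsServer

$FireboxIP = '10.0.1.1'

# Set-DnsServerForwarder replaces the whole forwarder list (Add-DnsServerForwarder
# would append), so any forwarders other than the Firebox are removed, and
# UseRootHint $false clears "Use root hints if no forwarders are available".
# To use the optional DNSWatch IP forwarders instead, pass the addresses shown
# in the DNSWatch Web UI as -IPAddress.
Set-DnsServerForwarder -IPAddress $FireboxIP -UseRootHint $false

# Flush the cache so entries cached before DNSWatch was enabled are not served
# to clients; from now on external names are resolved through the Firebox.
Clear-DnsServerCache -Force

# Verify the resulting state: exactly one forwarder (the Firebox), root hints off.
$fwd = Get-DnsServerForwarder
$forwarders = @($fwd.IPAddress | ForEach-Object { $_.IPAddressToString })
if ($forwarders.Count -ne 1 -or $forwarders[0] -ne $FireboxIP -or $fwd.UseRootHint) {
    Write-Warning 'Forwarder configuration does not match the expected state:'
    $fwd | Format-List IPAddress, UseRootHint
} else {
    Write-Output "Forwarder: $($forwarders -join ', ')  UseRootHint: $($fwd.UseRootHint)"
}

# Optional check: an external name queried against this server should now be
# answered through the Firebox (and therefore DNSWatch) rather than root hints.
Resolve-DnsName -Name www.example.com -Type A -Server 127.0.0.1 -DnsOnly |
    Format-Table Name, Type, IPAddress
```

If the verification warning appears, the server still has additional forwarders or root hints enabled, which is the condition the text above describes as leaving some requests unprotected by DNSWatch.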

Firebox Configuration

You have one internal network on the Trusted interface.

The Network (Global) Server list includes your local DNS server and public DNS servers. Common reasons to include the local DNS server in the Firebox configuration are:

  • You want the Firebox to distribute the local DNS server with DHCP, but an Interface DNS server is not configured on the Firebox.
  • You want to enable local domain resolution for Mobile VPN with IPSec, Mobile VPN with IKEv2, or Mobile VPN with L2TP users.

The local DNS server must appear first in the list so that DNS resolution for the local domain works. In this example, the list is:

  • 10.0.2.53
  • 8.8.8.8
  • 4.2.2.1

Screen shot of the Interface DNS server settings

DNSWatch has regional servers in the United States (US East), EU (Ireland), and APAC (Japan and Australia). If it is important for your users to connect to servers in other regions for a domain, you can add a conditional DNS forwarding rule. In the rule, specify the domain name and a public DNS server of your choice.

For example, you can configure a DNS forwarding rule that forwards user requests for example.com to 8.8.8.8 instead of DNSWatch.

Screen shot of the DNS Forwarding settings

DNSWatch includes an exception list that prevents DNS requests for WatchGuard service domains from being sent to DNSWatch. When enforcement is disabled, this exception list is not used. If you disable DNSWatch enforcement, we recommend that you configure conditional DNS forwarding rules for the WatchGuard service domains watchguard.com, ctmail.com, and rp.cloud.threatseeker.com if you use these services. The rules you configure make sure that these services connect to the closest regional server.

Screen shot of the DNS Forwarding settings

DNSWatch Configuration

Disable DNSWatch enforcement. When DNSWatch enforcement is disabled, DNS requests from hosts on your network are not sent to DNSWatch unless the host is manually configured to use DNSWatch DNS servers. However, the Firebox uses DNSWatch for its own DNS requests.

Screen shot of the DNSWatch configuration settings on the Firebox

DNS requests for Internal Resources

If a host on your network sends a DNS request for an internal resource on your network, the local DNS server resolves the request.

If the Firebox itself generates a request for a local resource, the Firebox resolver forwards the request to the local DNS server.

DNS requests for External Resources

If the Firebox is configured as a DHCP server, and DNS forwarding is enabled

If a host on your network sends a DNS request for an external resource, the request is forwarded to the Firebox IP address. The Firebox resolves the request from cached information, forwards the request to a DNS server specified in a conditional DNS forwarding rule, or forwards the request to DNSWatch.

If you have a local DHCP server, and you configured a forwarder on your local DNS server for the Firebox IP address

If a host on your network sends a DNS request for an external resource, the local DNS server redirects the request to the Firebox. The Firebox resolves the request from cached information or forwards the request to DNSWatch.

If you also have DNS forwarding enabled on the Firebox, and the DNS request matches a DNS forwarding rule on the Firebox, the Firebox forwards the request to the DNS server specified in the rule.

If you have a local DHCP server, and you configured forwarders on your local DNS server for the DNSWatch IP addresses

If a host on your network sends a DNS request for an external resource, the local DNS server redirects the request to DNSWatch.

If you also have DNS forwarding enabled on the Firebox, and the DNS request matches a DNS forwarding rule on the Firebox, the Firebox forwards the request to the DNS server specified in the rule.

See Also

About WatchGuard DNSWatch

About DNS on the Firebox

DNSWatch DNS Settings Precedence on a Firebox

Monitor DNSWatch Service Status