Configure Firebox DNS Settings

Applies To: Cloud-managed Fireboxes

This feature is only available to participants in the WatchGuard Cloud Beta program.

A cloud-managed Firebox must connect to a Domain Name System (DNS) server to translate domain names to IP addresses.

These Firebox features and clients use DNS settings to resolve DNS queries:

  • Firebox connection to WatchGuard Cloud
  • Security services
  • Network clients on internal and guest networks

To configure DNS settings, from WatchGuard Cloud:

  1. Select Configure > Devices.
  2. Select the cloud-managed Firebox.
  3. Click Device Configuration.
  4. In the Networking section, click the DNS tile.
    The DNS configuration page opens.

Screen shot of the DNS settings for a cloud-managed Firebox

For a cloud-managed Firebox, you can configure these DNS settings:

  • Public DNS — Add DNS servers to resolve all domain names.
  • Internal DNS — Add DNS servers to resolve DNS requests from internal networks for specific domains.
  • DNSWatch — Enable DNSWatch to block connections to malicious or filtered domains.

Configure Public DNS Servers

The Public DNS servers are the default DNS servers for all networks and local processes on the Firebox. For a cloud-managed Firebox that does not use DHCP on the external network, the Firebox configuration must include at least one public DNS server. You can add a maximum of three public DNS servers.

If you add a public DNS server to a Firebox that uses DHCP on the external network, the Firebox uses the DNS server you configure before it uses DNS servers assigned through DHCP.

We recommend these best practices for public DNS servers:

  • Configure at least two public DNS servers, one with a private IP address, and another with a public IP address.
  • We recommend that you list the private DNS server first, so it has higher precedence. If you do not have a private DNS server, we recommend that you specify two public DNS servers from different providers for redundancy.
  • Make sure your public DNS servers are accessible from the Firebox internal networks.
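
A pre-change check for the limits and recommendations above, as an added example (not WatchGuard code). It assumes the planned list is available as an ordered list of IP strings and treats "private" as Python's `ipaddress.is_private`, which is broader than RFC 1918; the function name and the addresses in the usage comment are constructed.

```python
import ipaddress

MAX_PUBLIC_DNS = 3  # maximum number of public DNS servers stated on this page


def lint_public_dns(servers, external_uses_dhcp):
    """Return (errors, warnings) for an ordered list of public DNS server IPs."""
    errors, warnings = [], []
    addrs = []
    for s in servers:
        try:
            addrs.append(ipaddress.ip_address(s))
        except ValueError:
            errors.append(f"{s!r} is not a valid IP address")

    # Hard requirements from the page.
    if len(servers) > MAX_PUBLIC_DNS:
        errors.append(f"{len(servers)} servers listed; maximum is {MAX_PUBLIC_DNS}")
    if not servers and not external_uses_dhcp:
        errors.append("no public DNS server and external network does not use DHCP")

    # Recommendations from the page (redundancy and ordering).
    if len(set(addrs)) != len(addrs):
        warnings.append("duplicate server entries add no redundancy")
    if len(set(addrs)) < 2:
        warnings.append("fewer than two distinct servers configured")
    private = [a.is_private for a in addrs]  # assumption: is_private == "private"
    if any(private) and not private[0]:
        warnings.append("private server is not listed first")
    if addrs and not any(private):
        warnings.append("no private server: confirm the servers are from different providers")
    if addrs and all(private):
        warnings.append("no server with a public IP address")
    return errors, warnings


# Constructed usage: a private resolver first, then a public one.
# lint_public_dns(["10.0.1.53", "8.8.8.8"], external_uses_dhcp=False)
```

Errors are settings the page rules out; warnings are departures from the recommended practices, and the last recommendation (reachability from internal networks) still has to be tested on the network itself.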

To add a public DNS server, from WatchGuard Cloud:

  1. In the Firebox Device Configuration page, click the DNS tile.
    The DNS configuration page opens.
  2. On the Public DNS Server tab, click Add Public DNS Server.
    The Public DNS dialog box opens.

Screen shot of the Public DNS Server setting

  3. In the Public DNS Server text box, type the IP address of the DNS server.
  4. Click Add.
    The IP address is added to the Public DNS Server list.
  5. To save the configuration update to the cloud, click Save.

The Firebox uses the public DNS servers in the order they appear in the list. If you have multiple DNS servers, you can change the order of servers in the list.

To change the order of a public DNS server, from WatchGuard Cloud:

  1. In the Public DNS Server list, click the move handle for the server you want to move.

Screen shot of the Public DNS Server list with two servers configured

  2. Drag the DNS server up or down in the list.
  3. To save the configuration update to the cloud, click Save.

To remove a public DNS server, from WatchGuard Cloud:

  1. In the row for the DNS server you want to delete, click .
  2. To save the configuration update to the cloud, click Save.

Configure Internal DNS Servers

Add an internal DNS server when you want the cloud-managed Firebox to forward DNS requests from hosts on an internal network to a specific DNS server, based on the domain name in the DNS request. For DNS requests from internal networks, the internal DNS server takes precedence over the public DNS server and the DNSWatch server.

When you configure an internal DNS server, you specify these settings:

Domain Name
    The domain name in DNS queries received from internal networks

DNS Server
    The IP address of the DNS server

If you add two internal DNS servers for the same domain name, the Firebox sends DNS requests for that domain to the highest one in the list first.

To add an internal DNS Server, from WatchGuard Cloud:

  1. In the Firebox Device Configuration page, click the DNS tile.
    The DNS configuration page opens.
  2. Select the Internal DNS tab.
  3. Click Add Internal DNS Server.
    The Internal DNS dialog box opens.

Screen shot of the Internal DNS settings

  4. In the Domain Name text box, type the domain name.
  5. In the Internal DNS Server text box, type the IP address of the DNS server to resolve DNS requests for the specified domain name.
  6. Click Add.
    The Internal DNS Server is added to the list.

Screen shot of the DNS settings, Internal DNS tab

  7. To save configuration changes to the cloud, click Save.

To edit an internal DNS server, from WatchGuard Cloud:

  1. In the DNS configuration page, select the Internal DNS tab.
  2. In the row for the DNS server you want to edit, click the Domain Name.
    The Internal DNS dialog box opens with the current settings.

Screen shot of the Internal DNS settings

  3. Edit the settings and click Update.
    The updated settings appear in the Internal DNS Server list.
  4. To save the configuration update to the cloud, click Save.

To remove an internal DNS server, from WatchGuard Cloud:

  1. In the DNS configuration page, select the Internal DNS tab.
  2. In the row for the DNS server you want to delete, click .
  3. To save configuration changes to the cloud, click Save.

Enable DNSWatch

DNSWatch is a cloud-based subscription service that monitors DNS requests regardless of the connection type, protocol, or port. It blocks connections to domains that are categorized as malicious and can block connections to domains based on content filters.

When DNSWatch is enabled on a cloud-managed Firebox, and the Firebox receives a DNS query on an internal network, it uses DNSWatch as the DNS resolver. If the requested domain is on the malicious or filtered domains list, DNSWatch returns a block page instead of the requested content. Otherwise, DNSWatch returns the requested content to the user.
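
The resolver precedence this page describes (internal DNS by domain, then DNSWatch, then the public DNS list ahead of DHCP-assigned servers), modeled as an added example that is not Firebox code. The configuration, addresses and function names are constructed, the DNSWatch resolver is a placeholder, and matching an entry against subdomains is an assumption the page does not state.

```python
# Constructed sample configuration; all domains and addresses are made up.
SAMPLE_CFG = {
    "internal_dns": [                        # (domain name, DNS server), list order
        ("corp.example", "10.0.1.53"),
        ("corp.example", "10.0.2.53"),
        ("lab.example", "10.0.9.53"),
    ],
    "dnswatch_enabled": True,
    "public_dns": ["10.0.1.53", "8.8.8.8"],  # configured on the Public DNS tab
    "dhcp_dns": ["203.0.113.1"],             # assigned on the external network
}

DNSWATCH = "<DNSWatch resolver>"  # placeholder; the page gives no address


def domain_matches(qname, domain):
    """Assumption: an entry covers the domain itself and its subdomains."""
    q, d = qname.rstrip(".").lower(), domain.rstrip(".").lower()
    return q == d or q.endswith("." + d)


def select_resolvers(qname, from_internal, cfg=SAMPLE_CFG):
    """Return (tier, servers in the order they would be tried) for one query."""
    if from_internal:
        # Internal DNS takes precedence over public DNS and DNSWatch; for
        # several entries with the same domain, the highest in the list is first.
        matches = [ip for dom, ip in cfg["internal_dns"] if domain_matches(qname, dom)]
        if matches:
            return "internal", matches
        if cfg["dnswatch_enabled"]:
            return "dnswatch", [DNSWATCH]
    # Default for all networks and local processes: configured public servers
    # in list order, used before any servers assigned through DHCP.
    return "public", cfg["public_dns"] + cfg["dhcp_dns"]
```

In this model a query that matches an internal DNS entry never reaches DNSWatch, so the domains listed on the Internal DNS tab are the ones resolved outside its filtering.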

For information about DNSWatch, see:

To enable DNSWatch, from WatchGuard Cloud:

  1. In the Firebox Device Configuration page, click the DNS tile.
    The DNS configuration page opens.
  2. Select the DNSWatch tab.
  3. To enable or disable DNSWatch, click the Enable DNSWatch toggle.

Screen shot of the DNS configuration, DNSWatch tab

  4. To save configuration changes to the cloud, click Save.

See Also

About Firebox Networking Settings