About DNS on the Firebox

You can configure different kinds of DNS servers and services on your Firebox. Each DNS server and service has a different purpose and is configured in a different location in the Firebox settings. Some DNS servers take precedence over others.

With the available DNS servers and services, you can:

For information about DNS best practices, see Firebox Configuration Best Practices.

For information about how to troubleshoot DNS issues, see Troubleshoot Network Connectivity.

DNS Servers on Your Firebox

Your Firebox includes DNS server settings for DNS forwarding. The Firebox itself does not answer DNS queries from zones of its own, so you cannot configure it to function as an authoritative DNS server. Instead, you configure the Firebox to forward requests to the DNS servers that you specify (and, when the resolver described below is active, to cache the answers).

The available DNS servers on your Firebox include:

DNS Resolver and Cache

If you enable the DNS Forwarding or DNSWatch features, a DNS resolver that listens on the loopback address 127.0.0.1 is automatically activated on the Firebox. The resolver caches the results of DNS queries, up to 10,000 entries.

To resolve a DNS request, the Firebox resolver first searches its own cache. If no cached answer exists for the request, the Firebox forwards the request to one of the DNS servers selected by the DNS settings you specified on the Firebox (a DNS forwarding rule, DNSWatch, or the Network DNS server list).

To disable the DNS cache, in Policy Manager (Fireware v12.7 or higher):

  1. Select Network > Configuration > WINS/DNS.
  2. Clear the Enable DNS Cache check box.

To disable the DNS cache, in Fireware Web UI (Fireware v12.7 or higher):

  1. Select Network > Interfaces > DNS/WINS.
  2. Clear the Enable DNS Cache check box.

In Fireware v12.6.4, you must use the CLI to disable the cache. Specify the command no ip dns cache enable. For more information about this command, see the Fireware CLI Reference.

After you disable the DNS cache, the Firebox neither stores DNS answers nor resolves queries from cached information. Every query is forwarded upstream, which increases query volume and latency, and the Firebox cannot answer a previously seen name while the upstream server is unreachable. For example, if you have a DNS forwarding rule for the domain example.com, each request for that domain is forwarded to the DNS server that the rule specifies rather than answered from the cache; requests that match no forwarding rule are forwarded to a server selected from the other DNS settings on the Firebox.

DNSWatch DNS servers have their own cache, which retains data for one week. The Firebox DNS cache setting described above does not control that cache.

DNS Server Information

In Firebox System Manager, you can see the DNS servers your device uses on the Front Panel > Interfaces > DNS Servers tab. For more information, see Device Status.

In Fireware Web UI, you can see the DNS servers your device uses on the Dashboard > Interfaces > Detail page. For more information, see Interface Information and SD-WAN Monitoring.

The Firebox DNS resolver appears as 127.0.0.1 in the list of DNS servers on these status pages. Only the Firebox DNS resolver and up to three DNS servers appear here and are available to resolve DNS requests.

If DNSWatch is enabled, and a local DNS server appears first in the Network DNS server list, the DNSWatch DNS servers appear after the local DNS server on these status pages. In this case, the other DNS servers in the Network DNS server list do not appear here and are not used for DNS resolution, even though they remain in the configuration.

For example, if you have DNSWatch enabled, and a local DNS server appears first in the Network DNS server list, DNS servers appear on these status pages in this order:

  • 127.0.0.1 (Firebox resolver)
  • Local DNS server
  • DNSWatch DNS server 1
  • DNSWatch DNS server 2

In this case, public DNS servers configured in the Network DNS server list do not appear on the status page and are not used for DNS resolution. Do not count on them as a fallback; check the status page rather than the configuration to see which servers the Firebox actually uses.
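The following Python script is an added example, not WatchGuard code and not part of this page. It models the ordering rules described above so that you can predict, from a configuration, which servers the status page will list and which configured servers are silently dropped. It assumes that a "local" DNS server is one with a private address (the page does not define the term), that DNSWatch supplies two servers as in the example list above, that the "up to three DNS servers" limit also truncates a plain Network DNS server list, and it refuses to guess for the combination the page does not describe (DNSWatch enabled with no local server first). The server addresses in the sample run are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Sequence

FIREBOX_RESOLVER = "127.0.0.1"   # the Firebox resolver always appears first
MAX_STATUS_SERVERS = 3           # "up to three DNS servers" after the resolver


def is_local(server: str) -> bool:
    """Assumption: a local DNS server is one with a private (RFC 1918/ULA) address."""
    return ipaddress.ip_address(server).is_private


@dataclass
class EffectiveDns:
    order: List[str]    # servers in the order the status page would show them
    dropped: List[str]  # configured Network DNS servers that are never used


def effective_dns_order(network_dns: Sequence[str],
                        dnswatch_enabled: bool,
                        dnswatch_servers: Sequence[str] = ()) -> EffectiveDns:
    """Predict the status-page list from the Network DNS servers and DNSWatch state."""
    network_dns = list(network_dns)

    if not dnswatch_enabled:
        # Assumption: without DNSWatch the list is simply the Network DNS servers,
        # truncated to the three-server limit stated on the page.
        used = network_dns[:MAX_STATUS_SERVERS]
        return EffectiveDns([FIREBOX_RESOLVER] + used, network_dns[MAX_STATUS_SERVERS:])

    if network_dns and is_local(network_dns[0]):
        # Documented case: local server first, then the DNSWatch servers;
        # every other Network DNS server is dropped, public ones included.
        used = ([network_dns[0]] + list(dnswatch_servers))[:MAX_STATUS_SERVERS]
        return EffectiveDns([FIREBOX_RESOLVER] + used, network_dns[1:])

    raise NotImplementedError(
        "DNSWatch enabled without a local server first is not described on this page"
    )


def dropped_public_servers(result: EffectiveDns) -> List[str]:
    """Public servers an admin might wrongly assume are available as fallback."""
    return [s for s in result.dropped if not is_local(s)]


if __name__ == "__main__":
    # Constructed sample configuration: a private resolver first, then two public ones.
    # The DNSWatch addresses are TEST-NET-2 placeholders, not real DNSWatch servers.
    result = effective_dns_order(
        network_dns=["10.0.1.53", "8.8.8.8", "1.1.1.1"],
        dnswatch_enabled=True,
        dnswatch_servers=["198.51.100.10", "198.51.100.11"],
    )
    print("status page order:", result.order)
    print("configured but unused:", dropped_public_servers(result))
```

Run it against your own Network DNS server list and compare the printed order with the Front Panel or Dashboard view; any address in the "configured but unused" list is one the Firebox will not consult, however it appears in the configuration.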

See Also

About DNS (Domain Name System)

About DNS Forwarding

About the Dynamic DNS Service

About WatchGuard DNSWatch