Configure Network DNS and WINS Servers
You must configure network (global) DNS and WINS servers on the Firebox for some features to work. You configure the network DNS and WINS servers in the Firebox network configuration, separately from the interface settings. Network DNS and WINS servers are also known as global DNS and WINS servers.
Multiple Firebox features and clients use the network DNS and WINS servers to resolve DNS queries:
- Network clients on the trusted or optional networks
- IPSec VPNs
- Mobile VPN clients
  Mobile VPN clients use only the first two DNS servers in the list.
- Subscription services
Best Practices
We recommend these best practices for network DNS and WINS servers:
- Configure at least two DNS servers, one with a private IP address, and another with a public IP address. We recommend that you list the private DNS server first, so it has higher precedence. If you do not have an internal DNS server, we recommend that you specify two external DNS servers from different providers for redundancy.
- Make sure your network DNS and WINS servers are accessible from the Firebox trusted interface.
- Use only an internal DNS and WINS server for DHCP and Mobile VPN. This prevents policy configurations that make it difficult for your users to reach the DNS server.
- For granular control of DNS forwarding traffic, you can edit the Allow DNS-Forwarding policy in Fireware v12.9 or higher. For example, you might want to exclude IoT devices from DNS forwarding. For more information about this policy, go to Conditional DNS Forwarding.
For more information about Firebox configuration best practices, go to Firebox Configuration Best Practices.
DNS Server Precedence
The Firebox uses the network DNS and WINS servers unless you specify a different DNS/WINS server elsewhere in the Firebox configuration.
- You can specify different DNS and WINS servers in the Mobile VPN with SSL settings. For more information, go to Manually Configure the Firebox for Mobile VPN with SSL.
- (Fireware v12.2.1 or higher) You can specify different DNS and WINS servers in the Mobile VPN with IKEv2, Mobile VPN with IPSec, and Mobile VPN with L2TP settings. For more information, go to DNS and Mobile VPNs.
- You can specify different DNS and WINS servers when you configure an interface to use the Firebox as a DHCP server. For more information, go to Configure an IPv4 DHCP Server.
- You can configure DNS Forwarding rules that send DNS queries for specified domains to specified DNS servers. For more information, go to About DNS Forwarding.
- (Firebox v12.1.1 or higher) If you enable the DNSWatch feature on your Firebox, some DNS queries are sent to DNSWatch DNS servers instead of the network DNS server. For more information about DNS server precedence, go to About DNS on the Firebox. For information about DNSWatch, go to About WatchGuard DNSWatch.
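The best practices and precedence notes above reduce to a handful of checks that can be applied to a proposed server list before it is entered on the DNS/WINS tab. The script below is an added example for this page, not WatchGuard code, and it does not connect to a Firebox: it encodes the limits stated here (up to three DNS servers, up to two WINS servers, Mobile VPN clients use only the first two DNS servers) and the ordering advice (private server first, one private plus one public). The `NetworkDnsConfig` class, the finding codes, the sample addresses and the "internal subnet" approximation of "accessible from the trusted interface" are this example's own assumptions.

```python
"""Lint a proposed Firebox network (global) DNS/WINS server list against the
best practices and limits described on this page.

Constructed example for this page; it is not WatchGuard code and does not
talk to a Firebox. The config class, the finding codes and the internal-subnet
approximation are assumptions made for illustration.
"""
import ipaddress
from dataclasses import dataclass, field

MAX_DNS_SERVERS = 3       # the configuration pages accept up to three DNS servers
MAX_WINS_SERVERS = 2      # and up to two WINS servers
MOBILE_VPN_DNS_USED = 2   # Mobile VPN clients use only the first two DNS servers


@dataclass
class NetworkDnsConfig:
    """Ordered server lists as they would appear on the DNS/WINS tab."""
    dns_servers: list[str]
    wins_servers: list[str] = field(default_factory=list)
    # Subnets behind the trusted/optional interfaces (assumption: used to
    # approximate "accessible from the Firebox trusted interface").
    internal_subnets: list[str] = field(default_factory=list)


def check_config(cfg: NetworkDnsConfig) -> list[tuple[str, str]]:
    """Return (code, message) findings; an empty list means no concerns."""
    findings: list[tuple[str, str]] = []

    # Reject malformed addresses first so the later checks can trust the input.
    for ip in cfg.dns_servers + cfg.wins_servers:
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            findings.append(("INVALID_IP", f"{ip!r} is not a valid IP address"))
    if findings:
        return findings

    dns = [ipaddress.ip_address(ip) for ip in cfg.dns_servers]
    subnets = [ipaddress.ip_network(n, strict=False) for n in cfg.internal_subnets]

    # Limits enforced by the DNS/WINS configuration pages.
    if len(dns) > MAX_DNS_SERVERS:
        findings.append(("DNS_COUNT_HIGH",
                         f"{len(dns)} DNS servers listed; the Firebox accepts at most {MAX_DNS_SERVERS}"))
    if len(cfg.wins_servers) > MAX_WINS_SERVERS:
        findings.append(("WINS_COUNT_HIGH",
                         f"{len(cfg.wins_servers)} WINS servers listed; at most {MAX_WINS_SERVERS} are accepted"))

    # Redundancy: at least two servers, ideally one private and one public.
    if len(dns) < 2:
        findings.append(("DNS_COUNT_LOW", "configure at least two DNS servers for redundancy"))
    private = [ip for ip in dns if ip.is_private]
    public = [ip for ip in dns if not ip.is_private]
    if private and not public:
        findings.append(("NO_PUBLIC_DNS", "add a public DNS server alongside the internal one"))

    # Precedence: the internal server should be first so that it is tried first
    # and so that Mobile VPN clients, which see only the first two, receive it.
    if private and not dns[0].is_private:
        findings.append(("PRIVATE_NOT_FIRST",
                         f"private DNS server {private[0]} is listed after public server {dns[0]}"))
    for pos, ip in enumerate(dns, start=1):
        if pos > MOBILE_VPN_DNS_USED:
            findings.append(("MOBILE_VPN_IGNORES",
                             f"DNS server {pos} ({ip}) is not used by Mobile VPN clients, "
                             f"which use only the first {MOBILE_VPN_DNS_USED}"))

    # Reachability approximation (assumption): a private server outside every
    # internal subnet needs a route from the trusted interface to be reachable.
    for ip in private:
        if subnets and not any(ip in net for net in subnets):
            findings.append(("NOT_IN_INTERNAL_SUBNET",
                             f"{ip} is private but not in any configured internal subnet"))
    return findings


def mobile_vpn_dns_servers(cfg: NetworkDnsConfig) -> list[str]:
    """The network DNS servers that Mobile VPN clients actually receive."""
    return cfg.dns_servers[:MOBILE_VPN_DNS_USED]


if __name__ == "__main__":
    # Constructed sample: a public resolver listed first, internal servers after it.
    sample = NetworkDnsConfig(
        dns_servers=["8.8.8.8", "10.0.1.5", "10.0.1.6"],
        wins_servers=["10.0.1.5"],
        internal_subnets=["10.0.1.0/24"],
    )
    for code, msg in check_config(sample):
        print(f"{code}: {msg}")
    print("Mobile VPN clients receive:", mobile_vpn_dns_servers(sample))
```

Running the sample reports that the private server is listed after the public one and that the third entry is invisible to Mobile VPN clients; swapping the first two entries clears both findings. Note that Python's `is_private` also treats the RFC 5737 documentation ranges as private, so use real public resolver addresses, as the sample does, when testing the public/private split.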
Configure Network DNS and WINS Servers
Fireware Web UI
1. Select Network > Interfaces.
   The Interfaces configuration page appears.
2. Select the DNS/WINS tab.
3. (Optional) In the Domain Name text box, type a domain name that a DHCP client adds to unqualified host names. This setting corresponds to DHCP option 15.
4. In the DNS Server text box, type the primary IP address for the DNS server.
5. Click Add.
6. (Optional) Repeat Steps 4–5 to specify up to three DNS servers.
   If you specify a local DNS server, make sure that server appears first in the list.
7. (Optional) To specify conditional DNS forwarding rules:
   - Select Enable DNS Forwarding.
   - From the drop-down list, select Listen on all Trusted, Custom, or Optional interfaces or Listen on selected interfaces.
   - If you select Listen on selected interfaces, click Select, select one or more interfaces, and click OK.
   For more information about DNS forwarding, go to Conditional DNS Forwarding.
8. (Optional) To log DNS connections from internal hosts to the Firebox, select the Enable logging check box.
   The log entry includes the details when the Firebox forwards the connection.
9. In the WINS Server text box, type the primary address of the WINS server.
10. Click Add.
11. (Optional) Repeat Steps 9–10 to specify up to two WINS servers.
12. Click Save.
Policy Manager
1. Select Network > Configuration.
   The Network Configuration dialog box appears.
2. Select the WINS/DNS tab.
   The information on the WINS/DNS tab appears.
3. (Optional) In the Domain Name text box, type a domain name that a DHCP client adds to unqualified host names. This setting corresponds to DHCP option 15.
4. In the DNS Servers section, click Add.
5. In the IP Address text box, type the primary IP address for the DNS server.
6. Click OK.
7. (Optional) Repeat Steps 4–6 to specify up to three DNS servers.
   If you specify a local DNS server, make sure that server appears first in the list.
8. (Optional) To specify conditional forwarding rules:
   - Select Enable DNS Forwarding.
   - From the drop-down list, select Listen on all Trusted, Custom, or Optional interfaces or Listen on selected interfaces.
   - If you select Listen on selected interfaces, click Select, select one or more interfaces, and click OK.
   For more information about DNS forwarding, go to Conditional DNS Forwarding.
9. (Optional) To log DNS connections from internal hosts to the Firebox, select the Enable DNS Forwarding Logging check box.
   The log entry includes the details when the Firebox forwards the connection.
10. In the WINS Servers text boxes, type the primary and secondary IPv4 addresses of the WINS servers.
11. Click OK.