DNSWatch Firebox Configuration Examples
Before you enable DNSWatch, it is important to plan its integration into your network. This topic explains how DNSWatch integrates with:
- Networks with a local DNS server
- Networks without a local DNS server
- Mobile VPN configurations
- Multiple internal networks
- BOVPN configurations
When you enable DNSWatch on the Firebox, you configure a DNSWatch enforcement setting that controls which outbound DNS requests the Firebox redirects to DNSWatch. If you prefer to disable DNSWatch enforcement, and you have a local DNS server, go to Example 4 — Local DNS server included in the Firebox DNS list; DNSWatch enforcement disabled. In all other examples in this topic, DNSWatch enforcement is enabled.
For more information about the enforcement setting, go to Enable DNSWatch on Your Firebox.
Example Configurations
These examples describe how to configure DNSWatch and other DNS settings on the Firebox and on your network. In these examples, your Firebox is in Mixed Routing mode, which is the default network mode.
If you want DNSWatch to protect your network, but you do not want to enable DNSWatch enforcement, you can use the configuration in this example. In this example, you have a local DNS server, and the local DNS server is included in the Firebox Network (Global) DNS server list. This configuration is the most common.
Network configuration
DHCP
In this example, you have DHCP clients on your network, and the DHCP server is either the Firebox or a local DHCP server.
If the Firebox is your DHCP server, enable DNS forwarding on the Firebox. When DNS forwarding is enabled, and when the Firebox is configured as a DHCP server, the Firebox gives its own IP address as the DNS server to DHCP clients.
If you have a local DHCP server, you can configure it to give the local DNS server to DHCP clients.
DNS
On your local DNS server, we recommend that you configure a forwarder for the Firebox IP address. Because the Firebox uses DNSWatch for its own DNS requests, every external request that the local DNS server forwards to the Firebox is resolved through DNSWatch, even though enforcement is disabled.
In our example, we configure a forwarder for the Firebox IP address 10.0.1.1 in Windows Server 2016.
Optionally, you can configure forwarders that point to DNSWatch IP addresses.
You can get these IP addresses from the DNSWatch Dashboard, which lists all regional DNSWatch IP addresses. DNSWatch IP addresses resolve to host names in the dnswatch.watchguard.com domain, which gives you a quick way to confirm that a forwarder still points at DNSWatch. For information about the DNSWatch Dashboard, go to DNSWatch Dashboard. If DNSWatch IP addresses change, you must manually update these forwarders with the new IP addresses.
If you specify DNSWatch servers as forwarders, we recommend that you do not configure any other forwarders. Some DNS servers send each query to all configured forwarders at once, or rotate between them, instead of trying them in order (dnsmasq with the all-servers option, for example). On such a server, a mixed forwarder list sends some DNS requests to servers other than DNSWatch, which means your users are not always protected by DNSWatch.
It is possible that the cache on your local DNS server contains entries for domains that DNSWatch considers malicious. We recommend that you flush the DNS cache on any local DNS servers after you enable DNSWatch. When you flush the cache, DNS requests for external resources are resolved by DNSWatch instead of the local DNS server cache.
For more information about DNS forwarding settings on your server, go to the documentation for your operating system.
DNSWatch is not compatible with root hints. On a Windows server, if you have both forwarders and root hints configured, root hints are used if forwarders do not respond. For the best results with DNSWatch, we recommend that you clear the Use root hints if no forwarders are available option on the Forwarders tab.
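The forwarder, root-hint, and cache-flush steps above (the same steps are repeated in the later examples in this topic) as an added PowerShell example. This script is not from the WatchGuard topic or from WatchGuard. It assumes the DnsServer module is available on your Windows DNS server, that you run it elevated on that server, and that each DNSWatch address has a reverse (PTR) record in dnswatch.watchguard.com. The Firebox address 10.0.1.1 is the one used in this example; the DNSWatch addresses are placeholders that you replace with the addresses shown on your DNSWatch Dashboard.

```powershell
#Requires -Modules DnsServer
# Added example, not WatchGuard code. Configures a Windows Server DNS server so that
# external queries go only to the Firebox (or only to DNSWatch), then audits the result.

function Set-DnsWatchForwarders {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Either the Firebox IP address, or the regional DNSWatch IP addresses. Nothing else:
        # a mixed list lets some queries reach a resolver that DNSWatch never sees.
        [Parameter(Mandatory)] [string[]] $Forwarders
    )
    if ($PSCmdlet.ShouldProcess('DNS server', "Replace forwarders with $($Forwarders -join ', ')")) {
        # Set-DnsServerForwarder replaces the whole forwarder list (Add-DnsServerForwarder would append).
        # UseRootHint $false clears "Use root hints if no forwarders are available", so an
        # unreachable forwarder fails closed instead of bypassing DNSWatch via the root servers.
        Set-DnsServerForwarder -IPAddress $Forwarders -UseRootHint $false
        # Entries cached before DNSWatch was enabled may include domains DNSWatch would block.
        Clear-DnsServerCache -Force
    }
}

function Test-DnsWatchForwarders {
    param(
        [Parameter(Mandatory)] [string[]] $Expected,
        # Set this when $Expected are DNSWatch addresses: each forwarder must then
        # reverse-resolve into dnswatch.watchguard.com, which catches a changed DNSWatch IP.
        [switch] $VerifyDnsWatchPtr
    )
    $cfg      = Get-DnsServerForwarder
    $actual   = @($cfg.IPAddress | ForEach-Object { $_.ToString() })
    $problems = @()

    if ($cfg.UseRootHint) {
        $problems += 'Root-hint fallback is enabled; DNSWatch is not compatible with root hints.'
    }
    foreach ($ip in $actual) {
        if ($ip -notin $Expected) { $problems += "Unexpected forwarder $ip; some queries would bypass DNSWatch." }
    }
    foreach ($ip in $Expected) {
        if ($ip -notin $actual) { $problems += "Expected forwarder $ip is missing." }
    }
    if ($VerifyDnsWatchPtr) {
        foreach ($ip in $actual) {
            $ptr = (Resolve-DnsName -Name $ip -Type PTR -ErrorAction SilentlyContinue).NameHost
            if (-not $ptr -or $ptr -notlike '*.dnswatch.watchguard.com') {
                $problems += "Forwarder $ip does not reverse-resolve into dnswatch.watchguard.com; the DNSWatch IP may have changed."
            }
        }
    }
    [pscustomobject][ordered]@{
        Forwarders  = $actual
        UseRootHint = [bool]$cfg.UseRootHint
        Problems    = $problems
        Compliant   = ($problems.Count -eq 0)
    }
}

# Forward to the Firebox, as in this example (10.0.1.1 is the Firebox address from the topic).
Set-DnsWatchForwarders -Forwarders '10.0.1.1'
Test-DnsWatchForwarders -Expected '10.0.1.1'

# Alternative: forward straight to DNSWatch. The values below are placeholders, not real
# DNSWatch addresses; copy the regional addresses from your DNSWatch Dashboard.
# $dnswatch = @('<DNSWatch-IP-1>', '<DNSWatch-IP-2>')
# Set-DnsWatchForwarders -Forwarders $dnswatch
# Test-DnsWatchForwarders -Expected $dnswatch -VerifyDnsWatchPtr
```

Run Test-DnsWatchForwarders from a scheduled task if you use DNSWatch addresses as forwarders: the PTR check is the only automated signal you get that a regional address changed, since the topic notes that those forwarders are not updated for you.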
Firebox Configuration
You have one internal network on the Trusted interface.
The Network (Global) Server list includes your local DNS server and public DNS servers. Common reasons to include the local DNS server in the Firebox configuration are:
- You want the Firebox to distribute the local DNS server with DHCP, but an Interface DNS server is not configured on the Firebox.
- You want mobile VPN users to use the local DNS server specified in the Network (Global) Server list for local domain resolution.
For a DNSWatch configuration example for mobile VPN users, go to Example 5 in this topic.
The local DNS server must appear first in the list so DNS resolution for the local domain works:
- 10.0.2.53
- 8.8.8.8
- 4.2.2.1
DNSWatch has regional servers in the United States (US East), EU (Ireland), and APAC (Japan and Australia). Because DNSWatch resolves your requests from one of those regions, a domain that returns region-specific answers (a CDN, for example) might direct your users to a server near the DNSWatch region instead of near them. If it is important for your users to connect to servers in a region other than the DNSWatch regions for a domain, you can add a conditional DNS forwarding rule. In the rule, specify the domain name and a public DNS server of your choice.
For example, you can configure a DNS forwarding rule that forwards user requests for example.com to 8.8.8.8 instead of DNSWatch.
DNSWatch includes an exception list that prevents DNS requests for WatchGuard service domains from being sent to DNSWatch. When enforcement is disabled, this exception list is not used. If you disable DNSWatch enforcement, we recommend that you configure conditional DNS forwarding rules for the WatchGuard service domains watchguard.com, ctmail.com, and rp.cloud.threatseeker.com if you use these services. The rules you configure make sure that these services connect to the closest regional server.
DNSWatch Configuration
Disable DNSWatch enforcement. When DNSWatch enforcement is disabled, DNS requests from hosts on your network are not sent to DNSWatch unless the host is manually configured to use DNSWatch DNS servers. However, the Firebox uses DNSWatch for its own DNS requests.
DNS requests for Internal Resources
If a host on your network sends a DNS request for an internal resource on your network, the local DNS server resolves the request.
If the Firebox itself generates a request for a local resource, the Firebox resolver forwards the request to the local DNS server.
DNS requests for External Resources
If the Firebox is configured as a DHCP server, and DNS forwarding is enabled
If a host on your network sends a DNS request for an external resource, the request is forwarded to the Firebox IP address. The Firebox resolves the request from cached information, forwards the request to a DNS server specified in a conditional DNS forwarding rule, or forwards the request to DNSWatch.
If you have a local DHCP server, and you configured a forwarder on your local DNS server for the Firebox IP address
If a host on your network sends a DNS request for an external resource, the local DNS server forwards the request to the Firebox. The Firebox resolves the request from cached information or forwards the request to DNSWatch.
If you also have DNS forwarding enabled on the Firebox, and the DNS request matches a DNS forwarding rule on the Firebox, the Firebox forwards the request to the DNS server specified in the rule.
If you have a local DHCP server, and you configured forwarders on your local DNS server for the DNSWatch IP addresses
If a host on your network sends a DNS request for an external resource, the local DNS server forwards the request directly to DNSWatch.
If you also have DNS forwarding enabled on the Firebox, and the DNS request matches a DNS forwarding rule on the Firebox, the Firebox forwards the request to the DNS server specified in the rule.
In this example, your network does not include a local DNS server.
In the DNSWatch settings, enable enforcement. When enforcement is enabled, the Firebox monitors port 53 traffic on your network and redirects all outbound DNS requests from your network to DNSWatch, even if hosts on your network are manually configured with different DNS servers. Enforcement applies to DNS on port 53 only: a host or browser that uses DNS over HTTPS (port 443) or DNS over TLS (port 853) does not send port 53 traffic, so those requests are not redirected to DNSWatch.
DNSWatch has regional servers in the United States (US East), EU (Ireland), and APAC (Japan and Australia). If it is important for your users to connect to regional servers in other regions for a specific domain, you can add a conditional DNS forwarding rule. In the rule, specify the domain name and a public DNS server of your choice.
For example, you can configure a DNS forwarding rule that forwards user requests for example.com to 8.8.8.8 instead of DNSWatch.
In this example, you have a local DNS server, but the Firebox Network (Global) DNS server list does not include it. Your network has this configuration.
Local network configuration
Your local DNS server has forwarders for public DNS servers. In our example, we configure forwarders for 8.8.8.8 and 4.2.2.1 in Windows Server 2016.
It is possible that the cache on your local DNS server contains entries for domains that DNSWatch considers malicious. We recommend that you flush the DNS cache on any local DNS servers after you enable DNSWatch.
For more information about DNS forwarding settings on your server, go to the documentation for your operating system.
DNSWatch is not compatible with root hints. On a Windows server, if you have both forwarders and root hints configured, root hints are used if forwarders do not respond. For the best results with DNSWatch, we recommend that you clear the Use root hints if no forwarders are available option on the Forwarders tab.
Firebox Configuration
You have one internal network on the Trusted interface.
The Network (Global) Server list includes only public DNS servers:
- 8.8.8.8
- 4.2.2.1
Optionally, if the Firebox itself must resolve local host names, you can configure a conditional DNS forwarding rule for your local domain (example.com in our example) that forwards requests for that domain to the local DNS server (10.0.2.53 in our example).
DNSWatch has regional servers in the United States (US East), EU (Ireland), and APAC (Japan and Australia). If it is important for your users to connect to servers in other regions for a domain, you can add a conditional DNS forwarding rule. In the rule, specify the domain name and a public DNS server of your choice.
For example, you can configure a DNS forwarding rule that forwards user requests for a domain to 8.8.8.8 instead of DNSWatch.
DNSWatch Configuration
In the DNSWatch settings, enable enforcement. When enforcement is enabled, the Firebox monitors port 53 traffic on your network. The Firebox redirects all outbound DNS requests from your network to DNSWatch, even if hosts on your network are manually configured with different DNS servers.
DNS Requests for Internal Resources
If a host on your network sends a DNS request for an internal resource on your network, the local DNS server resolves the request.
If the Firebox itself generates a request for a local resource in the example.com domain, the Firebox uses the DNS forwarding rule you configured for example.com to forward the request to the local DNS server, which is 10.0.2.53 in our example.
DNS Requests for External Resources
If a host on your network sends a DNS request for an external resource, the local DNS server forwards the request to the public DNS forwarders configured on the server (8.8.8.8 and 4.2.2.1 in our example). However, because DNSWatch enforcement is enabled, the Firebox intercepts this port 53 traffic and resolves the request from cached information or forwards the request to DNSWatch.
In this example, you have a local DNS server, and the Firebox Network (Global) DNS server list includes it. Your network has this configuration.
Local network configuration
Your local DNS server has forwarders for public DNS servers. In our example, we configure forwarders for 8.8.8.8 and 4.2.2.1 in Windows Server 2016.
It is possible that the cache on your local DNS server contains entries for domains that DNSWatch considers malicious. We recommend that you flush the DNS cache on any local DNS servers after you enable DNSWatch. When you flush the cache, DNS requests for external resources are resolved by DNSWatch instead of the local DNS server cache.
For more information about DNS forwarding settings on your server, go to the documentation for your operating system.
DNSWatch is not compatible with root hints. On a Windows server, if you have both forwarders and root hints configured, root hints are used if forwarders do not respond. For the best results with DNSWatch, we recommend that you clear the Use root hints if no forwarders are available option on the Forwarders tab.
Firebox Configuration
You have one internal network on the Trusted interface.
The Network (Global) Server list includes your local DNS server and public DNS servers. Common reasons to include the local DNS server in the Firebox configuration are:
- You want the Firebox to hand out the local DNS server with DHCP, but an Interface DNS server is not configured on the Firebox.
- You want mobile VPN users to use the local DNS server specified in the Network (Global) Server list for local domain resolution.
For a DNSWatch configuration example for mobile VPN users, go to Example 5 in this topic.
The local DNS server must appear first in the list so that DNS resolution for your local domain works:
- 10.0.2.53
- 8.8.8.8
- 4.2.2.1
DNSWatch has regional servers in the United States (US East), EU (Ireland), and APAC (Japan and Australia). If it is important for your users to connect to regional servers in other regions for a domain, you can add a conditional DNS forwarding rule. In the rule, specify the domain name and a public DNS server of your choice.
For example, you can configure a DNS forwarding rule that forwards user requests for example.com to 8.8.8.8 instead of DNSWatch.
DNSWatch Configuration
In the DNSWatch settings, enable enforcement. When enforcement is enabled, the Firebox monitors port 53 traffic on your network. The Firebox redirects all outbound DNS requests from your network to DNSWatch, even if hosts on your network are manually configured with different DNS servers.
DNS requests for Internal Resources
If a host on your network sends a DNS request for an internal resource on your network, the local DNS server resolves the request.
If the Firebox itself generates a request for a local resource, the Firebox resolver forwards the request to the local DNS server.
DNS requests for External Resources
If a host on your network sends a DNS request for an external resource, the local DNS server forwards the request to the public DNS forwarders configured on the server (8.8.8.8 and 4.2.2.1 in our example). However, because DNSWatch enforcement is enabled, the Firebox intercepts this port 53 traffic and resolves the request from cached information or forwards the request to DNSWatch.
To protect mobile VPN users with DNSWatch, you must have a local DNS server on your network. This is required because DNSWatch enforcement applies only to hosts on your Trusted, Optional, or Custom interfaces. Mobile VPN user traffic arrives on the External interface, which means DNSWatch enforcement is not applied to that traffic. However, if mobile VPN users send DNS requests to a local DNS server behind your Firebox, DNSWatch enforcement applies.
In this example, your network has this configuration.
Local network configuration
Your local DNS server has forwarders for public DNS servers. In our example, we configure forwarders for 8.8.8.8 and 4.2.2.1 in Windows Server 2016.
It is possible that the cache on your local DNS server contains entries for domains that DNSWatch considers malicious. We recommend that you flush the DNS cache on any local DNS servers after you enable DNSWatch. When you flush the cache, DNS requests for external resources are resolved by DNSWatch instead of the local DNS server cache.
For more information about DNS forwarding settings on your server, go to the documentation for your operating system.
DNSWatch is not compatible with root hints. On a Windows server, if you have both forwarders and root hints configured, root hints are used if forwarders do not respond. For the best results with DNSWatch, we recommend that you clear the Use root hints if no forwarders are available option on the Forwarders tab.
Firebox Configuration
You have one internal network on the Trusted interface.
The Network (Global) Server list includes your local DNS server and public DNS servers:
- 10.0.2.53
- 8.8.8.8
- 4.2.2.1
One or more mobile VPN features are enabled: Mobile VPN with IKEv2, Mobile VPN with SSL, Mobile VPN with L2TP, or Mobile VPN with IPSec.
If any mobile VPN features on the Firebox are configured to use the Network (Global) DNS server list, the local DNS server must appear first in the list so DNS resolution for the local domain works for mobile users.
When a mobile VPN client connects to the VPN, the client is assigned DNS server settings based on settings you configured on the Firebox:
DNS for mobile VPN users in Fireware v12.2.1 or higher
- In our example, mobile VPN clients use the Network DNS Server list on the Firebox. This means mobile VPN clients get the first DNS server configured in the Network DNS Server list on the Firebox (10.0.2.53 in our example) and one DNSWatch DNS server. In all mobile VPN configurations, this is the default DNS setting.
- If you would rather not use the Network DNS Server list, you can specify DNS server settings that apply only to mobile VPN users. In the mobile VPN configuration, make sure the local DNS server appears first in the list. You must also specify a DNSWatch DNS server. If the DNSWatch IP addresses change, you must manually update the DNS settings in the mobile VPN configuration with the new IP addresses.
DNS for mobile VPN users in Fireware v12.2 or lower
- In our example, Mobile VPN with IPSec, Mobile VPN with L2TP, and Mobile VPN with IKEv2 clients get the first DNS server configured in the Network DNS Server list on the Firebox (10.0.2.53 in our example) and one DNSWatch DNS server.
- You cannot specify DNS server settings that apply only to Mobile VPN with IKEv2, IPSec, or L2TP users.
- For Mobile VPN with SSL, clients get the DNS servers configured in the Mobile VPN with SSL settings. In the Mobile VPN with SSL configuration, make sure the local DNS server appears first in the list. You must also specify a DNSWatch DNS server. If the DNSWatch IP addresses change, you must manually update the Mobile VPN with SSL settings with the new IP addresses.
For more information about DNS settings for mobile VPN clients, go to DNS and Mobile VPNs.
DNSWatch has regional servers in the United States (US East), EU (Ireland), and APAC (Japan and Australia). If it is important for your users to connect to regional servers in other regions for a domain, you can add a conditional DNS forwarding rule. In the rule, specify the domain name and a public DNS server of your choice. For example, you can configure a DNS forwarding rule that forwards user requests for example.com to 8.8.8.8 instead of DNSWatch.
DNSWatch Configuration
In the DNSWatch settings, enable enforcement. This setting applies only to internal networks connected to the Trusted, Optional, and Custom interfaces. When enforcement is enabled, the Firebox monitors port 53 traffic on your network. The Firebox redirects all outbound DNS requests from your network to DNSWatch, even if hosts on your network are manually configured with different DNS servers.
DNSWatch enforcement does not apply to the External interface, which means it does not apply to mobile VPN users. However, mobile VPN users are protected by DNSWatch if they send DNS requests through the VPN tunnel to your local DNS server.
In our example, when Mobile VPN clients connect to the Firebox, they get the local DNS server 10.0.2.53.
In this example, Mobile VPN clients also receive one DNSWatch DNS server IP address. If the local DNS server behind your Firebox is not available, the mobile VPN client sends DNS requests to the DNSWatch DNS server. However, DNSWatch acts only as a public DNS resolver in this case. DNSWatch cannot prevent connections to known malicious domains because the DNS requests originate from mobile VPN users instead of a Firebox registered for DNSWatch.
DNS Requests for Internal and External Resources
For both full- and split-tunnel VPN connections, all DNS requests from mobile users go through the VPN tunnel to the Firebox. If the local DNS server behind the Firebox cannot resolve the request, it sends the request to the first DNS forwarder in its list, which is 8.8.8.8 in our example.
However, because DNSWatch enforcement is enabled, the Firebox monitors network traffic on port 53. The Firebox resolver first looks at its cache to resolve the request. If cached information cannot resolve the request, the Firebox forwards the request to DNSWatch.
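A client-side check for the mobile VPN case above, as an added PowerShell example that is not from the WatchGuard topic. Run it on a Windows mobile VPN client after the tunnel is up. It confirms that the VPN adapter received the local DNS server first, that the local server actually answers through the tunnel, and reports when only the DNSWatch fallback is usable, which is the situation described above where DNSWatch resolves but cannot block. The adapter alias and the internal test name are assumptions you adjust for your deployment; 10.0.2.53 is the local DNS server from this example.

```powershell
# Added example, not WatchGuard code. Run on the mobile VPN client while connected.
function Test-MobileVpnDns {
    param(
        # Placeholder alias; use the name of your VPN adapter from Get-NetAdapter.
        [string] $InterfaceAlias   = 'WatchGuard Mobile VPN with SSL',
        # Local DNS server from the topic's example.
        [string] $LocalDnsServer   = '10.0.2.53',
        # Placeholder: an internal name that only the local DNS server can answer.
        [string] $InternalTestName = 'host.example.com'
    )
    $servers = @((Get-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 `
                    -ErrorAction SilentlyContinue).ServerAddresses | Where-Object { $_ })
    $result = [ordered]@{
        Servers      = $servers
        LocalFirst   = $false
        LocalAnswers = $false
        Protected    = $false
        Notes        = @()
    }

    if ($servers.Count -eq 0) {
        $result.Notes += "No DNS servers on adapter '$InterfaceAlias'; is the tunnel up and the alias correct?"
        return [pscustomobject]$result
    }

    # Order matters: the client sends to the first server and only falls back when it does not answer.
    $result.LocalFirst = ($servers[0] -eq $LocalDnsServer)
    if (-not $result.LocalFirst) {
        $result.Notes += "First DNS server is $($servers[0]), not $LocalDnsServer; local names will not resolve reliably."
    }

    # Query the local server directly so a positive answer proves the tunnel path, not the client cache.
    $answer = Resolve-DnsName -Name $InternalTestName -Server $LocalDnsServer -DnsOnly -ErrorAction SilentlyContinue
    $result.LocalAnswers = [bool]$answer
    if (-not $result.LocalAnswers) {
        $result.Notes += "$LocalDnsServer did not answer through the tunnel; the client falls back to the next server ($($servers[1])). " +
                         'DNSWatch then resolves but does not enforce, because the query comes from the client, not the Firebox.'
    }

    # Protected only when the enforced path (local DNS server behind the Firebox) is both preferred and working.
    $result.Protected = $result.LocalFirst -and $result.LocalAnswers
    [pscustomobject]$result
}

Test-MobileVpnDns | Format-List
```

If Protected is false while the tunnel is up, check the mobile VPN DNS settings (local server first) before looking at the DNS server itself; a client that shows the DNSWatch address first is resolving, but nothing on that path applies the DNSWatch policy.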
In this example, you have two internal networks, Network A and Network B, on one Firebox, and only Network A has a local DNS server. Your network has this configuration.
Local network configuration
On Network A, you have a local DNS server with forwarders for public DNS servers. Hosts on Network B use the local DNS server on Network A.
The local DNS server has forwarders for 8.8.8.8 and 4.2.2.1. In our example, we configure forwarders in Windows Server 2016.
It is possible that the cache on your local DNS server contains entries for domains that DNSWatch considers malicious. We recommend that you flush the DNS cache on any local DNS servers after you enable DNSWatch. When you flush the cache, DNS requests for external resources are resolved by DNSWatch instead of the local DNS server cache.
For more information about DNS forwarding settings on your server, go to the documentation for your operating system.
DNSWatch is not compatible with root hints. On a Windows server, if you have both forwarders and root hints configured, root hints are used if forwarders do not respond. For the best results with DNSWatch, we recommend that you clear the Use root hints if no forwarders are available option on the Forwarders tab.
Firebox Configuration
You have two internal networks on one Firebox.
The Network (Global) Server list includes your local DNS server and public DNS servers. The local DNS server must appear first in the list.
- 10.0.2.53
- 8.8.8.8
- 4.2.2.1
DNSWatch has regional servers in the United States (US East), EU (Ireland), and APAC (Japan and Australia). If it is important for your users to connect to regional servers in other regions for a domain, you can add a conditional DNS forwarding rule. In the rule, specify the domain name and a public DNS server of your choice.
For example, you can configure a DNS forwarding rule that forwards user requests for example.com to 8.8.8.8 instead of DNSWatch.
Your Firebox configuration must also have a policy (for example, a DNS packet filter or DNS proxy policy) that allows DNS traffic from Network B to the local DNS server on Network A.
DNSWatch Configuration
In the DNSWatch settings, enable enforcement. When enforcement is enabled, the Firebox monitors port 53 traffic on your network. The Firebox redirects all outbound DNS requests from your network to DNSWatch, even if hosts on your network are manually configured with different DNS servers.
DNS Requests for Internal Resources
If a host on Network A sends a DNS request for an internal resource, the local DNS server on Network A resolves the request.
If a host on Network B sends a DNS request for an internal resource, the local DNS server on Network A resolves the request.
If the Firebox itself generates a request for a local resource, the Firebox resolver forwards the request to the local DNS server on Network A.
DNS Requests for External Resources
If a host on Network A or Network B sends a DNS request for an external resource, the local DNS server on Network A forwards the request to the public DNS forwarders configured on the server (8.8.8.8 and 4.2.2.1 in our example). However, because DNSWatch enforcement is enabled, the Firebox intercepts this port 53 traffic and resolves the request from cached information or forwards the request to DNSWatch.
In this example, Sites A and B are connected by a BOVPN. Only Site A has a local DNS server.
To be protected by DNSWatch, users at Site B must send DNS requests to the local DNS server at Site A. This is required because DNSWatch enforcement applies only to hosts on your Trusted, Optional, and Custom interfaces. BOVPN traffic arrives on the External interface, which means DNSWatch enforcement is not applied to that traffic. However, if BOVPN users send DNS requests to a local DNS server behind your Firebox, DNSWatch enforcement applies.
In BOVPN configurations, if Site A has a Total Security Suite subscription and DNSWatch is enabled, DNSWatch protects other sites that send DNS requests to Site A, even if those sites only have a Basic Security Suite subscription.
Your network has the configuration in this diagram.
Local network configuration
At Site A, you have a local DNS server with forwarders for public DNS servers. Hosts at Site B use the local DNS server at Site A.
On the local DNS server, which has Windows Server 2016 in our example, we configure forwarders for 8.8.8.8 and 4.2.2.1.
It is possible that the cache on your local DNS server contains entries for domains that DNSWatch considers malicious. We recommend that you flush the DNS cache on any local DNS servers after you enable DNSWatch. When you flush the cache, DNS requests for external resources are resolved by DNSWatch instead of the local DNS server cache.
For more information about DNS forwarding settings on your server, go to the documentation for your operating system.
DNSWatch is not compatible with root hints. On a Windows server, if you have both forwarders and root hints configured, root hints are used if forwarders do not respond. For the best results with DNSWatch, we recommend that you clear the Use root hints if no forwarders are available option on the Forwarders tab.
Firebox Configuration
You have a Firebox at Site A and another Firebox at Site B.
Both Fireboxes have:
- One internal network on the Trusted interface
- BOVPN gateway configured on an External interface
The Network (Global) Server list on both Fireboxes includes the local DNS server at Site A and public DNS servers. The local DNS server must appear first in the list.
- 10.0.2.53
- 8.8.8.8
- 4.2.2.1
DNSWatch Configuration
DNSWatch is enabled on the Site A Firebox.
In the DNSWatch settings on the Site A Firebox, enable enforcement. This setting applies only to internal networks connected to the Trusted, Optional, and Custom interfaces. When enforcement is enabled, the Firebox monitors port 53 traffic on your network. The Firebox redirects all outbound DNS requests from your network to DNSWatch, even if hosts on your network are manually configured with different DNS servers.
DNSWatch enforcement does not apply to the External interface. However, BOVPN users are protected by DNSWatch if they send DNS requests through the VPN tunnel to your local DNS server.
DNSWatch has regional servers in the United States (US East), EU (Ireland), and APAC (Japan and Australia). If it is important for your users to connect to servers in other regions for a domain, you can add a conditional DNS forwarding rule. In the rule, specify the domain name and a public DNS server of your choice.
For example, you can configure a DNS forwarding rule that forwards user requests for example.com to 8.8.8.8 instead of DNSWatch.
DNS Requests for Internal Resources
If a host at Site A sends a DNS request for an internal resource, the local DNS server resolves the request.
If a host at Site B sends a DNS request for an internal resource, the request crosses the BOVPN tunnel and the local DNS server at Site A resolves it.
If the Firebox itself generates a request for a local resource, the Firebox resolver forwards the request to the local DNS server at Site A.
DNS Requests for External Resources
If a host at Site A or Site B sends a DNS request for an external resource, the local DNS server at Site A forwards the request to the public DNS forwarders configured on the server (8.8.8.8 and 4.2.2.1 in our example). However, because DNSWatch enforcement is enabled on the Site A Firebox, that Firebox intercepts this port 53 traffic and resolves the request from cached information or forwards the request to DNSWatch.