DNSWatch DNS Settings Precedence on a Firebox
When the DNSWatch enforcement setting is enabled on a Firebox, DNSWatch servers take precedence over these DNS servers:
- Network (Global) DNS servers configured on your Firebox
DNSWatch does not take precedence over a local DNS server if it appears first in the Network DNS server list. - Interface DNS servers configured on your Firebox
- DNS servers assigned by your ISP (when the Firebox is a DHCP or PPPoE client)
- Forwarders to public DNS servers configured on a local DNS server
- DNS servers manually configured on a network host
For more information about DNS servers configured on your Firebox, go to About DNS on the Firebox.
These factors affect whether the Fireboxes sends DNS requests from your network to DNSWatch:
- Contents of the Firebox DNS resolver cache Tip!
- Conditional DNS forwarding rules configured on the Firebox
- DNSWatch enforcement setting Tip!
For information about the Firebox DNS resolver cache and conditional DNS forwarding, go to About DNS Forwarding.
For information about DNSWatch enforcement options, go to Enable DNSWatch on Your Firebox.
For DNSWatch configuration examples, go to DNSWatch Firebox Configuration Examples.
DNSWatch DNS Servers
When you enable DNSWatch, two DNSWatch IP addresses are added to your Firebox configuration. If the primary DNSWatch server is not available, the Firebox tries to contact the secondary DNSWatch server.
When you enable DNSWatch enforcement on an internal interface, the Firebox redirects all outbound DNS requests from that interface to DNSWatch DNS servers.
Network (Global) DNS Server
The Network (Global) DNS server is the default DNS server for all interfaces and local processes on the Firebox. Your Firebox sends DNS requests to the first server in the Network DNS server list before other servers in the list.
If the Network DNS server list includes a local DNS server, the local DNS server must appear first in the list. DNSWatch does not take precedence over a local DNS server if that server appears first in the Network DNS server list.
When DNSWatch is enabled with enforcement disabled:
- DNSWatch DNS servers take precedence over DNS servers in the Network DNS server list on the Firebox for DNS requests initiated by the Firebox itself, or for DNS requests addressed to the Firebox IP address. There is one exception: DNSWatch does not take precedence over a local DNS server if it appears first in the Network DNS server list.
- DNS requests addressed to IP addresses other than the Firebox IP address or DNSWatch IP addresses are not sent to DNSWatch.
- If the DNS forwarding feature is disabled, DNS requests initiated by or addressed to the Firebox are sent to DNSWatch.
- If the DNS forwarding feature is enabled, DNS requests initiated by or addressed to the Firebox are resolved by the Firebox cache, sent to DNS servers that are specified in conditional DNS forwarding rules, or sent to DNSWatch (in that order).
When DNSWatch is enabled with enforcement enabled:
- DNSWatch DNS servers take precedence over DNS servers in the Network DNS server list on the Firebox. There is one exception: DNSWatch does not take precedence over a local DNS server if it appears first in the Network DNS server list.
- DNS requests initiated or received by the Firebox are resolved by the Firebox cache, sent to DNS servers specified in conditional DNS forwarding rules, or sent to DNSWatch (in that order).
Interface DNS Server
The interface DNS server is an optional DNS server that you can specify when you configure an interface as a DHCP server.
If DNSWatch is enabled with enforcement disabled, and an interface DNS server is specified, DNS requests are sent to the interface DNS server instead of DNSWatch.
When DNSWatch is enabled with enforcement enabled, and an interface DNS server is specified:
- DNSWatch DNS servers take precedence over the DNS servers specified in the interface settings.
- DNS requests for external resources are resolved by the Firebox cache, sent to DNS servers specified in conditional DNS forwarding rules, or sent to DNSWatch (in that order).
DNS Server from an ISP
When your Firebox is configured as a DHCP or PPPoE client, it receives DNS server settings from your ISP.
When DNSWatch is enabled:
- DNSWatch DNS servers take precedence over servers from your ISP.
- Your Firebox gets DNS servers from your ISP and saves that information.
Forwarders on a Local DNS Server
Local DNS servers resolve queries for hostnames on your private networks and contact other DNS servers to resolve queries for public hostnames. There are two methods that your DNS server can use to resolve queries for public hostnames: forwarders and root hints.
DNSWatch is not compatible with root hints. On a Windows server, if you have both forwarders and root hints configured, root hints are used if forwarders do not respond. For the best results with DNSWatch, we recommend that you clear the Use root hints if no forwarders are available option on the Forwarders tab.
If you have a local DNS server with forwarders configured:
If DNSWatch enforcement is enabled
DNSWatch takes precedence over public DNS forwarders specified on your local DNS server.
Because the Firebox monitors port 53 traffic when enforcement is enabled, DNS requests for public domains are sent to DNSWatch even if the request was addressed to a public forwarder specified in your local DNS server settings.
If DNSWatch enforcement is disabled, and the Firebox IP address is specified as forwarder on your local DNS server
DNS requests for public domains sent to the local DNS server are forwarded to the Firebox, which forwards the requests to DNSWatch.
Manually Configured DNS Servers on a Host
A host on your network might be manually configured with DNS server settings.
If DNSWatch enforcement is enabled
DNSWatch takes precedence over public DNS servers manually configured on the host.
Because the Firebox monitors port 53 traffic when enforcement is enabled, DNS requests for public domains are sent to DNSWatch even if the request was addressed to a different DNS server.
If DNSWatch enforcement is disabled, and host is configured with public DNS servers
DNS requests for public domains are sent to the DNS server specified in the host settings. DNS requests are not redirected to DNSWatch.
To protect this host with DNSWatch, if you do not want to enable DNSWatch enforcement, we recommend you change the manually configured DNS servers on that host to the Firebox IP address or the DNSWatch server IP addresses.
If DNSWatch enforcement is disabled, and the Firebox IP address is configured as a DNS server in the host settings
DNS requests for public domains are sent to the Firebox, which forwards the requests to DNSWatch.
DNSWatch Firebox Configuration Examples
Monitor DNSWatch Service Status