WatchGuard DNS Best Practice Setup Guide

A healthy Domain Name System (DNS) is critical for a successful WatchGuard XTM deployment. It is important to know that the WatchGuard XTM cannot function as a DNS Server. However, it relies on DNS for certain functions, such as resolving the address for SpamBlocker.
  • Best practice for all but the smallest of organisations, is to run a DNS Server for your internal network, usually Microsoft DNS or similar.
  • Internal DNS should then forward requests it cannot answer to an Internet DNS Server, usually provided by your Internet Service Provider (ISP).
  • DNS Settings for clients are usually provided by the DHCP Server when giving out an IP address.
  • To set DNS settings in Policy Manager, go to Network>> Configuration>> DNS/WINS
If you use the DHCP Server on the WatchGuard, then ensure the settings are correct. If left blank, WatchGuard will use ones from the DNS/WINS settings above.
Finally, ensure that your Firewall policy only allows the internal DNS servers to query the specific external DNS servers using UDP 53 - otherwise port 53 can be used by Trojans and other Malware.

Add Feedback