Proper way to set up a global local DNS Server
Good day all. I have been an end user of the T70 Firewall since they were brand new. I am in need of properly setting up my DNS server that applies to all networks on my unit. Here is what I have done so far: I have formatted a Raspberry Pi for use as a DNS Server (Pihole), and assigned it to a reserved address on 192.168.111.3 on my "Trusted" network. I then went to the DNS tab on my Interfaces section of Networks and specified that address as the ONLY DNS server. I then checked "enable DNS Forwarding" and had the T70 listen on "Trusted, Optional and Custom" interfaces. I did NOT specify a Domain name since my server is local to the T70 on the "Trusted" interface. I am running three networks on this unit (2 wireless and one wired), with each network having its own IP range (Trusted 192.168.111.x, Optional 192.168.0.x, and Trusted Wireless 192.168.100.x). Did I do this right? Do I need to check the "DNS Forwarding" tab? I am hopeful it is this easy, as I want all networks to use this local DNS Server and not external network ones. I apologize if I sound like a newbie, but I am NOT a Network Professional; this unit is in my home and I bought it for its robust Firewall capabilities. Thank you all for answering my question.
Comments
"enable DNS Forwarding" option doesn't hurt here.
It will only be used when some internal device has the firewall interface IP addr set up as its DNS server IP addr.
Devices which get their IP addr & DNS info from the firewall DHCP function will get the DNS server IP addr which you have set up on the WINS/DNS tab.
You can turn on Logging on your DNS policy to see what IP addrs are sending DNS packets to the Internet. Presumably it will be only the Pihole.
Thank you, does it sound like I set this up correctly? I cannot add a "domain name" since it is a server that resides on my local network. If I need to do that, please advise how I can.
I set it as such (it appears the default domain name is pi.hole)
The domain name suffix is for when you want to connect to local devices or local web sites, etc., by a domain name.
Since you don't seem to have that need, you don't need to worry about providing a domain name suffix.
Your firewall settings seem OK to me.
Thank you, it would not let me proceed with the DNS server address without a domain name. That's where I filled in the default name for the Pi, e.g., "pi.hole".
Here is a snapshot of my Traffic Monitor; how can I be assured that the Firebox is using the Pi as the DNS Server? It does state DNS Forwarding is being used. The Pi is listed (above) as domain name "pi.hole", with the DNS address being 192.168.111.3 (in the DNS/WINS section of Interfaces). Sorry for all of the questions; it is stated above that it looks "ok", I just want to be sure.
To see where the DNS packets are being forwarded, you need to select "Enable logging for traffic sent from this device", which will show all packets being sent by your firewall. Normally these packets are not shown in Traffic Monitor.
From the Web UI:
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/logging/logging_settings_configure_web.html
From WSM Policy Manager:
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/logging/set_diagnostic_log_level_c.html
Thank you. I will try to do what you indicate above. In my reading, it does state that when you enable DNS Forwarding the packets are sent to the DNS Server that is specified. It LOOKS as if it is working... I just am a confirmation kind of guy.
I can see that the queries are being forwarded to "DNS Forwarding" as part of the internal Policy, and the documentation states that DNS queries are forwarded to the DNS Server specified (mine is local "pi.hole" and resides at 192.168.111.3 on my "Trusted Network") and DNS Forwarding is "listening" on Trusted, Optional and Custom Interfaces. So am I right that these queries will actually go to the "pi.hole" at my local specified address?
Believe what you see in Traffic Monitor.
DNS packets are going to 192.168.111.3 from 192.168.111.1 - which is the firewall interface IP addr - showing that the forwarding is working.
Notice that, for example, a DNS packet is coming from 192.168.111.14.
Then the next log entry is a DNS packet going from 192.168.111.1 to 192.168.111.3 - thus showing the wanted forward.
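The check described in the two replies above (client query to the firewall interface IP, followed by a forwarded packet from the interface IP to the Pi-hole, with only the Pi-hole sending DNS to the Internet) can be automated over an exported Traffic Monitor log. The script below is an added example and is not part of this thread or any WatchGuard tool. The log line layout is a simplified assumption, not the real Traffic Monitor format (adjust `LINE_RE` to your export), the sample lines are constructed, and the .1 interface addresses on the Optional and Trusted Wireless networks are assumed since the posts only name the ranges. The forwarded queries are assumed to leave from the Trusted interface IP 192.168.111.1, as the reply above shows.

```python
"""Audit DNS flows in a Firebox Traffic Monitor export (added example).

Confirms three things the thread is trying to verify by eye:
  1. client DNS goes to a firewall interface IP (or straight to the Pi-hole),
  2. the firewall forwards those queries to the Pi-hole,
  3. nothing other than the Pi-hole sends DNS to the Internet.
"""
import ipaddress
import re
from dataclasses import dataclass

# Addresses from the thread. The .1 addresses on Optional and Trusted Wireless
# are ASSUMED; only the ranges are given in the original post.
PIHOLE = ipaddress.ip_address("192.168.111.3")
FIREBOX_IFACES = {ipaddress.ip_address(a)
                  for a in ("192.168.111.1", "192.168.100.1", "192.168.0.1")}

# CONSTRUCTED sample log. Field layout is an ASSUMPTION, not the real format:
#   date time action src dst proto sport dport (policy)
SAMPLE_LOG = """\
2024-01-10 08:00:01 Allow 192.168.111.14 192.168.111.1 udp 51123 53 (Internal Policy)
2024-01-10 08:00:01 Allow 192.168.111.1 192.168.111.3 udp 40011 53 (DNS Forwarding)
2024-01-10 08:00:01 Allow 192.168.111.3 1.1.1.1 udp 38800 53 (DNS)
2024-01-10 08:00:02 Allow 192.168.100.114 192.168.100.1 udp 60214 53 (Internal Policy)
2024-01-10 08:00:02 Allow 192.168.111.1 192.168.111.3 udp 40012 53 (DNS Forwarding)
2024-01-10 08:00:03 Allow 192.168.0.25 8.8.8.8 udp 49500 53 (Outgoing)
2024-01-10 08:00:04 Allow 192.168.100.114 192.168.100.1 tcp 60300 443 (HTTPS)
2024-01-10 08:00:05 Allow 192.168.100.50 192.168.111.3 udp 52000 53 (Internal Policy)
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<action>\w+) (?P<src>[\d.]+) (?P<dst>[\d.]+) "
    r"(?P<proto>\w+) (?P<sport>\d+) (?P<dport>\d+) \((?P<policy>[^)]+)\)$"
)


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int
    policy: str


def parse_log(text):
    """Parse log text into Flow records; lines that do not match are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        flows.append(Flow(ipaddress.ip_address(m["src"]),
                          ipaddress.ip_address(m["dst"]),
                          m["proto"], int(m["dport"]), m["policy"]))
    return flows


def audit_dns(flows):
    """Classify every port-53 flow and return counters plus any bypasses."""
    report = {"client_to_firebox": 0, "forwarded_to_pihole": 0,
              "client_direct_to_pihole": 0, "pihole_upstream": 0,
              "bypass": []}
    for f in flows:
        if f.dport != 53:
            continue
        if f.src in FIREBOX_IFACES and f.dst == PIHOLE:
            report["forwarded_to_pihole"] += 1        # the wanted forward
        elif f.src == PIHOLE and not f.dst.is_private:
            report["pihole_upstream"] += 1            # Pi-hole to its upstream
        elif f.dst in FIREBOX_IFACES:
            report["client_to_firebox"] += 1          # client hit DNS Forwarding
        elif f.dst == PIHOLE:
            report["client_direct_to_pihole"] += 1    # DHCP handed out the Pi-hole
        elif not f.dst.is_private:
            # A LAN host talking DNS to the Internet on its own: bypasses the Pi-hole.
            report["bypass"].append((str(f.src), str(f.dst)))
    return report


def forwarding_ok(report):
    """True when every client query to the firewall was forwarded on to the Pi-hole."""
    return report["forwarded_to_pihole"] >= report["client_to_firebox"]


if __name__ == "__main__":
    r = audit_dns(parse_log(SAMPLE_LOG))
    print(r)
    print("forwarding ok:", forwarding_ok(r), "| bypasses:", r["bypass"])
```

In the constructed sample the two client queries to interface IPs are each followed by a forward to 192.168.111.3, so forwarding is confirmed, but the host 192.168.0.25 on the Optional network is sending DNS to 8.8.8.8 directly; that is exactly the kind of entry to look for when the goal is that nothing but the Pi-hole resolves externally, and a DNS policy limiting outbound port 53 to the Pi-hole address would block it.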
OH! I also forgot to mention that on the 192.168.111.x range, in Network Interfaces, I specified 192.168.111.3 as my DNS server on that network ONLY, not on the other ranges Interface tabs.
See here:
Ooooops! Here:
So - I had a bit of an epiphany for me, and thought "Why not filter in TM just the DNS Server address and see what's up?" So I did. It appears that in addition to the wired "Trusted" range (192.168.111.x) that my Trusted "Wireless" interface is querying the DNS Server (wireless=192.168.100.x). See here:
Here is another look - I filtered TM to an IP I knew on the wireless network (192.168.100.114) and can see the Internal Policy is directing DNS to the Gateway, as expected. The documentation online DOES STATE that the Firebox will handle AND cache the DNS up to 10,000 entries, and/or also forward DNS queries to the server specified (in this case, of course, 192.168.111.3, my local pi.hole). What is NOT being specified in TM is whether the DNS queries are indeed forwarded by the internal policy to the DNS server I specified. I do have logging for all events toggled on. From what everyone knows about the Firebox, is it indeed forwarding correctly?
Read my previous post.