Global DNS Best Practices

Hello. On the WatchGuard knowledgebase, it mentions that the DNS best practice for global DNS is to have it pointing to an internal DNS (private) server and an external DNS (public) server for redundancy if there are internal DNS servers in place. Obviously, internal DHCP, VPN, and tunnels would be strictly internal DNS. So, my question is this. Would the setup below be best practice, and why is this the case? Is there any harm in only setting global DNS to just internal DNS, especially if your firewalls are across the country with no way to support remotely if you lose connection? What happens if both internal DNS servers go down and there is no public-facing DNS server?

DNS 1 - Primary Internal DNS
DNS 2 - Secondary Internal DNS
DNS 3 - 8.8.8.8 or 8.8.4.4 or 75.75.75.75 or 1.1.1.1 (you get the picture; this is what I think of when I think of public-facing DNS).

Links I am reading from:

https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/WG-Cloud/Devices/managed/network_config_dns.html#:~:text=We recommend that you list,from the Firebox internal networks.

and

https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/networksetup/wins_dns_add.html

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @Gakusei
    What you're suggesting is fine. I would actually suggest considering putting the second entry as the public one if you want to do it that way, as browsers, etc., will often time out before the third server is queried. (Some will query multiple at once, some will do them in order.)

    I'd also suggest having your internal DNS server use a different DNS server for forward lookups than you're considering using as the third server on the firewall.

    The pitfall to watch for is to not create a loop. Don't point your DNS server's forward lookup at the firewall, and point the firewall directly back at the local DNS server. It'll work for a while based on what it has cached, but will eventually just start returning SERVFAIL responses.

    -James Carson
    WatchGuard Customer Support

  • Thank you @james.carson. If I may follow up, what would be the pitfalls of not having an external DNS server at all for the global DNS? Say, both internal DNS servers fail (for whatever reason, I've seen it happen before, but external DNS was configured as the third option).

  • james.carson Moderator, WatchGuard Representative

    @Gakusei
    The only pitfall to not having an external populated in the global DNS list is that if you move a DNS server without updating the config or they all break, you won't be able to resolve DNS via the firewall. Items like the subscription service updates, firmware updates, and anything else that requires DNS will fail.

    -James Carson
    WatchGuard Customer Support
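
An added example, not part of the thread and not WatchGuard tooling: a small Python check that encodes the points from both moderator replies above (no forwarding loop back to the firewall, internal forwarders distinct from the firewall's public entry, public entry no later than second, and at least one public entry). The function names, finding codes, addresses and the forwarder inventory format are assumptions made for illustration.

```python
import ipaddress

def reaches_firewall(ip, forwarders, firewall_ips, seen=None):
    """Follow forwarder hops from ip; True if a query can land back on the firewall."""
    seen = set() if seen is None else seen
    if ip in firewall_ips:
        return True
    if ip in seen:
        return False
    seen.add(ip)
    return any(reaches_firewall(nxt, forwarders, firewall_ips, seen)
               for nxt in forwarders.get(ip, []))

def lint_global_dns(firewall_dns, forwarders, firewall_ips):
    """Return sorted finding codes for a firewall's ordered global DNS list.

    firewall_dns: resolver IPs in the order set on the firewall.
    forwarders:   {internal DNS server IP: [forwarder IPs]} (assumed inventory).
    firewall_ips: addresses on which the firewall itself answers DNS.
    """
    findings = set()
    public = [ip for ip in firewall_dns if ipaddress.ip_address(ip).is_global]
    if not public:
        # Nothing resolves via the firewall if every internal server is down.
        findings.add("no-public-fallback")
    elif firewall_dns.index(public[0]) > 1:
        # Clients may time out before a third entry is queried.
        findings.add("public-fallback-after-second-entry")
    for ip in firewall_dns:
        hops = forwarders.get(ip, [])
        if any(reaches_firewall(h, forwarders, firewall_ips) for h in hops):
            findings.add("forwarding-loop")   # firewall -> server -> firewall
        if set(hops) & set(public):
            findings.add("shared-upstream")   # same public resolver on both paths
    return sorted(findings)

# Constructed sample configurations (addresses are illustrative).
FIREWALL = {"10.0.0.1"}
RISKY = lint_global_dns(
    ["10.0.0.10", "10.0.0.11", "8.8.8.8"],
    {"10.0.0.10": ["10.0.0.1"], "10.0.0.11": ["8.8.8.8"]}, FIREWALL)
CLEAN = lint_global_dns(
    ["10.0.0.10", "1.1.1.1", "10.0.0.11"],
    {"10.0.0.10": ["8.8.8.8"], "10.0.0.11": ["8.8.4.4"]}, FIREWALL)

if __name__ == "__main__":
    print("risky:", RISKY)
    print("clean:", CLEAN)
```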