Best Practices for DNS via WatchGuard DHCP on Windows PCs

Hello everyone,

Sorry if this topic has already been discussed, but I haven't been able to find the answer to my question.

In an infrastructure with Active Directory (DNS) servers in the cloud connected via IPsec VPN to WatchGuard appliances at branch offices where there are only Windows PCs, what are WatchGuard engineers’ recommendations regarding the DNS provided to the PCs? I’ve heard that Windows does not recommend public DNS servers like 8.8.8.8, even as a secondary DNS server?

Thank you,

Comments

  • From a quick Google search on this, the AI search results include:

    "Windows strongly advises against configuring domain-joined computers or servers to use public DNS servers (e.g., 8.8.8.8, 1.1.1.1) as their primary DNS, as this prevents resolution of internal Active Directory resources, leading to authentication and network failures."

    "Key Reasons Against Public DNS in Windows Environments:

    Active Directory Failure: Domain members must use internal Domain Controllers (DCs) for DNS to locate services. Using public DNS breaks this, causing login and network issues.
    No Redundancy: Listing a public DNS as a secondary server to a primary DC is not true backup; Windows will still query the public server, causing intermittent issues."

    assuming that the domain DNS server is really responding...

    It will be interesting to see what the WG response is on this.

  • Thanks, Bruce. That makes perfect sense, especially in the context of an off-site Active Directory. Isn't there a risk in using only the primary and secondary AD servers?

    I had thought about setting up the WatchGuard as a DNS server to be pushed to the Windows PCs, and configuring forwarding on the Firebox so that requests for the AD domain are directed to the AD's DNS server.

    But I’d like to hear the WatchGuard engineers’ take on this!

  • "Isn't there a risk"
    If the domain DNS server(s) are not responding, then yes, as no DNS resolutions will work without another DNS server IP addr in the list - such as from your ISP or a public one.
    If the domain DNS server(s) are responding but very slowly, then one may have issues getting resolutions of domain resources if an external DNS server ends up providing the DNS resolution ...

  • james.carson Moderator, WatchGuard Representative

    Hi @AnthonyM

    Answers here are going to vary wildly. The good news is that our devices are very flexible, so you can set DNS servers per-interface, or globally.

    -For a Windows domain, it usually makes sense to define the DNS server as the Active Directory DNS server.

    It's worth noting that if you're using your Windows server as the DHCP server, the client's DNS settings will usually be set to the info in the DHCP lease.

    -For a guest wireless network, it can make sense to use a public DNS server for that network, especially if you do not want traffic from that guest network to ingress your trusted network. If you wish to use your internal DNS server for a guest network, you can leverage the DNS proxy to ensure that traffic is a bona fide DNS and not something else.

    -For Mobile VPNs, it can make sense to define the DNS server in the VPN's options as the Active Directory DNS server if users may be using resources by name instead of IP.

    Your internal AD DNS server will generally be using a defined forward lookup zone in order to find answers that it isn't authoritative for. It may also be using the root hints servers (which tend to be a bit slower than options such as Google, Cloudflare, L3's DNS.) Since your DNS server won't know the answer to anything but what it owns on the local network, lookups will go somewhere external.

    You can also leverage features such as conditional DNS forwarding to forward requests for specific domains to specific internal servers. DNSWatch can also redirect all DNS-bound traffic to its servers.

    -James Carson
    WatchGuard Customer Support
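    As an added example (not code from the thread, the poster, or WatchGuard), here is a PowerShell audit of what a branch-office PC actually received from DHCP, checking each configured DNS server against the two points made above: whether it is a public resolver, and whether it can answer the AD domain-controller locator record that domain members depend on. Assumed: it runs in an elevated PowerShell on a domain-joined Windows PC, and the public-resolver list is constructed for the example.

```powershell
# Added example, not from the thread or from WatchGuard: audit this PC's DNS client
# settings. Assumes an elevated PowerShell on a domain-joined client; $PublicResolvers
# is a constructed list of well-known public resolvers.
$PublicResolvers = @('8.8.8.8', '8.8.4.4', '1.1.1.1', '1.0.0.1', '9.9.9.9')

$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) { throw "This computer is not domain-joined; nothing to audit." }
$domain = $cs.Domain

# Domain members find their DCs through this SRV record. A DNS server that cannot
# answer it cannot support logon, Group Policy or Kerberos for this domain.
$dcLocator = "_ldap._tcp.dc._msdcs.$domain"

$report = foreach ($if in Get-DnsClientServerAddress -AddressFamily IPv4) {
    $order = 0
    foreach ($srv in $if.ServerAddresses) {
        $order++
        # Ask each configured server directly (no cache, no hosts file) for the record.
        $answer = Resolve-DnsName -Name $dcLocator -Type SRV -Server $srv -DnsOnly `
                                  -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Interface  = $if.InterfaceAlias
            Order      = $order          # 1 = primary, 2 = secondary, ...
            Server     = $srv
            IsPublic   = $PublicResolvers -contains $srv
            ResolvesAD = [bool]($answer | Where-Object Type -eq 'SRV')
        }
    }
}

$report | Format-Table -AutoSize

# A public resolver listed after the DC is not a backup: Windows may still send
# queries to it, and any query it answers for the AD zone will fail.
$report | Where-Object { $_.IsPublic -or -not $_.ResolvesAD } | ForEach-Object {
    Write-Warning ("{0}: DNS server #{1} ({2}) cannot locate domain controllers for {3}" -f
        $_.Interface, $_.Order, $_.Server, $domain)
}
```

    Running it on a PC behind each Firebox shows at a glance whether the DHCP-pushed list contains only resolvers that can reach the AD zone over the VPN, which is the condition the advice above turns on.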
