how to integrate WG DHCP with DNS
I have a new installation with a local subnet from a WG-T20 FW. I DHCP all of my local devices to the FW.
At the FW I listed two external DNS systems; (184.108.40.206, and 220.127.116.11).
So I can ping all local systems by name, but cannot resolve them using DNS. That means other tools that use names (Web browsers, …) cannot resolve anything by name. and of course nslookup fails (no local server).
It seems that the WG-FW does DHCP, but not any DNS.
It was explained to me that the local ping name resolution (from a windows system) was using a broadcast, not DNS.
The WG documentation says:
"Your Firebox includes DNS servers for DNS forwarding. You cannot configure the Firebox itself to function as a DNS server. Instead, you configure the Firebox to forward requests to the DNS... servers that you specify."
I do have two candidates for a local DNS server; a (Synology) NAS, and a small Linux server.
But also they describe:
"WatchGuard Fireboxes currently do not have the ability to publish their DHCP lease information to third-party servers.
"Our team is already working on this enhancement, "FBX-13554 Ability for firewall providing DHCP service to publish DNS record updates to a windows DNS server." We do not have any ETA or if it will be ready any time soon."
But from this, is it possible to have the WG do DHCP (as it does now), and also somehow sync with a local DNS server so I can access local systems by name?
The box with out question does handle DNS, albeit not as thorough as a Windows Server. In my experience, it is FAR more dependable than Synology but not as good as QNAP. The Synology interface for many of their entry SAN systems is not able to handle some of the mixtures of VLAN that I typically need, nor does the zone scrubbing work well (again, as compared to just having the WG run the task). It just feels like DNS is not Synologys strong suit (but, their other things are IMO a tad easier than QNAP).
I am curious, why do you need to resolve host names locally? I get it...but, that is really a pressing issue? If it is simply an IT guy wanting to RDP to a host as opposed to an IP, well, I would get over it.
That said, I still can not for the life of me figure out why it is that Dimension has never, not one ever worked properly to show DNS host names in the reporting...to me that is the biggest failure of DNS that WG has.
Note! I got to peeking, I hated Synology DNS...well, I guess QNAP does not do it (maybe that is why I did not hate it?).
Most customers that do this end up disabling DHCP on the firebox itself, or use DHCP relay to get the DHCP info from elsewhere.
Based on my observations, I would say that the majority of our customers end up using AD's DNS along with the DHCP role on their Windows server. That's only really a draw if you were using AD anyways.
Most of the LINUX/UNIX solutions are going to be using BIND for DNS and DHCPD for DHCP. I haven't set up either of those manually in quite some time, but there's extensive docs for both.
WatchGuard Customer Support
Thanks for the comments and input.
@TestingTester: perhaps I was too vague about "supporting DNS", What I meant is that it seems that the WG will forward DNS queries to some other DNS server, but will not respond to queries itself.
Their documentation seems to say that (previous quote), and also their customer support:
(from a support case)
“You are correct about "The WG FW will do DHCP, but will not provide any lookup for those names via DNS."
“You are correct "the WG is not resolving any local names?" a DNS server must pass the information to the firebox. If the firebox doesn't have one, It won't have any way to resolve the hostname.”
“The DNSwatch will only be able to resolve Internet requests. You still will have issues with the local resolutions. The only way to resolve this is by configuring a Local DNS server in your Network.
“DNSwath won't work to resolve your local DNS requests.
“One more time. This won't help with the local queries…
I am curious what are the problems with Synology NAS for DNS?
I do have an option of using my local Linux server – maybe that is best.
I also wondered if there were online commercial services for such DNS service – but didn’t find any.
@james.carson -thanks for the note, and insight.
I guess I can set that up, and then point the WG to that machine for DNS service.
I am surprised (and disappointed!) that the WG does DHCP so easily but not DNS. Seems like they should always go together. As you note, without a DNS service or even integration (yet) for sync with DHCP, the DHCP service is less useful as an appliance. I was hoping for a simple one-device solution.
For example; I setup a local Linux web server, and can only access it in a browser via IP – the name won’t resolve.
DNS can get rather heavy which can impact the performance of the firewall. Our compormise was to allow conditional DNS forwarding (we can forward queries to specific servers based on what the lookup actually is, specifically the suffix.)
If you're just looking to add an entry for you, and don't want to set up a full blown DNS server, the local hosts file that is kept by your OS might be a good way to add something so you can reference it by name.
WatchGuard Customer Support
However if this reference is to a DHCP system, seems like manual additions and updating would be troublesome as they can change.
I could imagine some local script that would query the DHCP lease table on the WG and sync a local windows hosts file - however one would have to install this on every windows local client.
Since it is (for me) a SOHO this would not be too hard.
Is there a remote API to get this information from the WG?
Is this a useful approach?
What surprised me is that a ping to anything local works, but other tools (& browser) don't.
So it seems like the name:IP mapping is known locally, just not as DNS.
So at least in theory, one could sync the Hosts file with whatever local source has this information - sort of a pseudo-DNS layer.
The only way to query this from the firebox would be via the CLI (you can SSH to the firewall on port 4118/TCP, credentials are the same as used in WSM or WebUI.)
The command "diagnose" will generate the status report, which shows DHCP leases among other things, you can scrape that data into whatever you like.
If you'd prefer something less lookup intensive, you could also use syslog to send the DHCP lease log lines to another server in plain text.
If you have any resolution now, it's likely due to WINS and a local workgroup. Windows makes an attempt to keep track of local machines via the local master browser PC, but that system is a bit haphazard and not the most reliable.
WatchGuard Customer Support
I would think that all of this is a FAQ - I just have a simple setup with a SOHO and some DHCP systems, and want to access them by name.
Sure seems simple to me! :-)
windows resolutions cover 90% of what I want - I'll do a manual local HOSTS entry for now, think about playing with more later.
Manual Host file...hey, do me a solid. Can you listen to "1999" from Prince when you create it? ;-P