Noob question - Enabled DNSWatch Enforcement - DNS breaks - what am I missing?
We have two internal DNS servers (Windows) on our network, configured with forwarders pointing to Google DNS and OpenDNS servers. We have one protected interface on our WatchGuard 500. I enabled DNSWatch enforcement on the one protected interface. All DNS requests (for external name/IP resolution) go out through the protected interface. When I enabled DNSWatch enforcement, users' PCs (that point to our two internal DNS servers for name/IP resolution) are no longer able to resolve any external FQDNs to IPs. My understanding from WatchGuard docs is that once enforcement is enabled, DNSWatch will redirect the name/IP resolution requests to the nearest WatchGuard (StrongArm) DNS servers. So even if a user PC points to our internal DNS server which in turn tries to contact Google 8.8.8.8 (for example), DNSWatch will intercept and redirect the request to its (StrongArm) DNS server to either resolve it, or will return the IP of the DNS sinkhole server.
I am guessing that I am missing something as DNS breaks (unable to resolve external FQDN to IP). Any suggestions appreciated. Thanks!
Answers
Best to open a support incident.
I can't think of a reason for this - unless you have selected the Global option of "Enable configuration of policies for traffic generated by the Firebox" and have a DNS policy (proxy?) above the Any from Firebox policy.
I know this is an old post, but I was having a similar issue and I wonder if this was the source of your problem too. It turns out that DNSWatch is not compatible with root hints. By setting our internal DNS servers to forward to the firebox I was able to get things working smoothly.
[Forwarders on a Local DNS Server](https://www.watchguard.com/help/docs/help-center/en-US/Content/en-
DNSWatch is not compatible with root hints. On a Windows server, if you have both forwarders and root hints configured, root hints are used if forwarders do not respond. For the best results with DNSWatch, we recommend that you clear the Use root hints if no forwarders are available option on the Forwarders tab.
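The fix described in the answer above (forward the internal Windows DNS servers to the Firebox and turn off the root-hint fallback) can be audited and applied with the built-in DnsServer PowerShell module. The script below is an added example, not code from the thread or from WatchGuard; it assumes it is run as an administrator on each internal DNS server, that `$FireboxIp` is a placeholder for your Firebox trusted-interface address, and the test names are constructed samples.

```powershell
#Requires -Modules DnsServer
# Added example: audit the forwarder/root-hint configuration of a Windows DNS
# server, point its forwarders at the Firebox, and verify external resolution.
# ASSUMPTION: $FireboxIp is a placeholder; replace with your Firebox interface IP.

$FireboxIp = '10.0.0.1'
$TestNames = @('www.watchguard.com', 'example.com')   # constructed sample names

function Get-ForwarderState {
    # Shows the forwarder list and whether root hints are used as a fallback.
    $fw = Get-DnsServerForwarder
    [pscustomobject]@{
        Forwarders  = ($fw.IPAddress | ForEach-Object { $_.IPAddressToString }) -join ', '
        UseRootHint = $fw.UseRootHint      # $true means queries can bypass the forwarders
        Timeout     = $fw.Timeout
    }
}

function Set-DnsWatchFriendlyForwarders {
    param([string[]]$ForwarderIps)
    # Replace the forwarder list with the Firebox so DNSWatch sees every outbound
    # query, and clear "Use root hints if no forwarders are available" so a slow
    # or blocked forwarder does not make the server fall back to root servers.
    Set-DnsServerForwarder -IPAddress $ForwarderIps -UseRootHint $false
}

function Test-ExternalResolution {
    param([string[]]$Names, [string]$Server)
    # Ask a specific server directly (-DnsOnly skips the local cache/hosts file)
    # and report the first A record or the failure reason.
    foreach ($n in $Names) {
        try {
            $a = Resolve-DnsName -Name $n -Type A -Server $Server -DnsOnly -ErrorAction Stop |
                 Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
            [pscustomobject]@{ Name = $n; Server = $Server; Result = $a.IPAddress }
        } catch {
            [pscustomobject]@{ Name = $n; Server = $Server; Result = "FAILED: $($_.Exception.Message)" }
        }
    }
}

'Before:'; Get-ForwarderState | Format-List
Set-DnsWatchFriendlyForwarders -ForwarderIps @($FireboxIp)
'After:';  Get-ForwarderState | Format-List

# Verify both hops: the Firebox answers directly, and the local server now
# resolves external names through it.
Test-ExternalResolution -Names $TestNames -Server $FireboxIp  | Format-Table -AutoSize
Test-ExternalResolution -Names $TestNames -Server '127.0.0.1' | Format-Table -AutoSize
```

Run `Get-ForwarderState` alone first to confirm whether `UseRootHint` is `$true`, which is the condition the documentation quote above warns about; `Set-DnsServerForwarder` also accepts `-WhatIf` if you want to preview the change before applying it on each server.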