Noob question - Enabled DNSWatch Enforement - DNS breaks - what am I missing?
We have two internal DNS servers (Windows) on our network, configured with forwarders pointing to Google DNS and OpenDNS servers. We have one protected interface on our WatchGuard 500. I enabled DNSWatch enforcement on the one protected interface. All of DNS requests (for external name/IP resolution) go out through the protected interface. When I enabled DNSWatch enforcement, users PCs (that point to our two internal DNS servers for name/IP resolution) no longer are able to resolve any external FQDNs to IPs. My understanding from WatchGuard docs is that once enforcement is enabled, DNSWatch will redirect the name/IP resolution requests to the nearest WatchGuard (StrongArm) DNS servers. So even if a user PC points to our internal DNS server which in turn tries to contact Google 8.8.8.8 (for example), DNSWatch will intercept and redirect the request to its (Strongarm) DNS server to either resolve, or will return the IP of the DNS sinkhole server.
I am guessing that I am missing something as DNS breaks (unable to resolve external FQDN to IP). Any suggestions appreciated. Thanks!
Answers
Best to open a support incident.
I can't think of a reason for this - unless you have select the Global option of "Enable configuration of policies for traffic generated by the Firebox" and have a DNS policy (proxy?) above the Any from Firebox policy.