WatchGuard Support Center

000012427
DNS in Mobile VPN Configurations (Fireware v12.2 or lower)

Information
How does DNS work for mobile VPN configurations in Fireware v12.2 or lower?

In Fireware v12.2.1 or higher, you can specify DNS-related settings in all mobile VPN configurations. For information about DNS settings for mobile VPN in Fireware v12.2.1 or higher, see DNS and Mobile VPNs in Fireware Help.

In Fireware v12.2 or lower, DNS works differently for mobile VPN configurations.

How DNS Works Across a VPN (Fireware v12.2 or lower)

When a Mobile VPN client establishes a VPN tunnel to a Firebox, the Firebox assigns a virtual IP address to the client computer.

DNS servers are assigned to clients based on the Firebox settings you specify.

Mobile VPN with IPSec, Mobile VPN with L2TP, and Mobile VPN with IKEv2

If a DNS server is configured in the network settings at Network > Interfaces > DNS/WINS in the Web UI or Network > Configuration > WINS/DNS in Policy Manager, the Firebox assigns that DNS server address to the VPN client. If you have a local DNS server, it must appear first in the list. This is required so that local domain resolution works for mobile VPN users.

You can also specify a domain name in the network settings. The domain name is added as a suffix to all DNS requests from VPN clients. If there is no response to the DNS request with the added suffix, the client sends a second DNS request without the suffix. For example, if a client tries to browse to hostname, and the DNS suffix is example.net, the client first tries to resolve hostname.example.net. If a domain name is not specified, VPN clients must use an FQDN, such as mail.example.net, to send traffic to a resource.

For Mobile VPN with IPSec clients, the Domain Name specified in the network DNS settings on the Firebox is not used as a domain name suffix. You can specify a DNS domain name suffix in the VPN client instead. For more information, see Configure DNS in the WatchGuard IPSec Mobile VPN client and Configure DNS in the Shrew Soft IPSec VPN client.

Mobile VPN with SSL

You must configure DNS servers in the Mobile VPN with SSL configuration. The DNS servers specified in the Firebox network settings do not apply to Mobile VPN with SSL. If you have a local DNS server, it must appear first in the list. This is required so that local domain resolution works for mobile VPN users.

You can also specify a DNS domain name suffix in the Mobile VPN with SSL configuration. The Firebox assigns the domain name suffix to Mobile VPN with SSL users. If a domain name is not specified, VPN clients must use an FQDN, such as mail.example.net, to send traffic to a resource.

DNSWatch (Fireware v12.2 or lower)

If DNSWatch is enabled, the Firebox assigns a different set of DNS servers to mobile VPN clients.

Mobile VPN with IPSec, Mobile VPN with L2TP, and Mobile VPN with IKEv2

If you have a local DNS server, it must appear first in the Network DNS server list on the Firebox. The Firebox assigns the local DNS server and one DNSWatch DNS server to mobile VPN clients.

Mobile VPN with SSL

If you have a local DNS server, it must appear first in the Mobile VPN with SSL configuration. You must also specify one DNSWatch DNS server. The Firebox assigns the local DNS server and one DNSWatch DNS server to mobile VPN clients.

If the DNSWatch IP address changes, you must manually update the Mobile VPN with SSL settings with the new IP addresses. You can get the DNSWatch IP addresses from the DNSWatch Dashboard, which lists all regional DNSWatch IP addresses. For information about the DNSWatch Dashboard, see DNSWatch Dashboard.
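The rules above (local DNS server first in the list, suffix tried before the bare name, FQDN required when no suffix is set) are easier to reason about with a small model of what the VPN client's stub resolver does with the server list and suffix it is assigned. The script below is an added illustration and is not WatchGuard or Firebox code. The server labels, IP addresses and zone contents are constructed, and the resolver rule it implements (the first server that responds decides, even when the response is NXDOMAIN; the next server is tried only when a server does not respond) is the common stub-resolver behaviour, assumed here rather than taken from any one operating system. The same model covers the DNSWatch case, where the list is the local server followed by one DNSWatch server.

```python
"""Model of how a VPN client's stub resolver uses the DNS server list and
domain name suffix assigned by the Firebox. Added illustration, not
WatchGuard code: all servers, addresses and zone data are constructed."""

NXDOMAIN = None  # a server answered, but the name does not exist

# Constructed zone data. Each server is (label, zone); zone None means the
# server is unreachable. The local server knows the internal zone and also
# resolves public names; the public (DNSWatch-style) server knows only
# public names and answers NXDOMAIN for internal ones.
LOCAL_DNS = ("local 10.0.1.53", {
    "mail.example.net": "10.0.1.25",
    "intranet.example.net": "10.0.1.40",
    "www.example.com": "203.0.113.10",
})
PUBLIC_DNS = ("public 198.51.100.53", {
    "www.example.com": "203.0.113.10",
})
DOWN_DNS = ("unreachable 10.0.9.53", None)


def query(server, qname):
    """One query to one server: an address, NXDOMAIN, or TimeoutError."""
    label, zone = server
    if zone is None:
        raise TimeoutError(label)
    return zone.get(qname.lower().rstrip("."), NXDOMAIN)


def first_answer(servers, qname, trace):
    """Ask servers in list order. The first server that responds decides,
    even if its response is NXDOMAIN; later servers are consulted only
    when a server does not respond at all. `trace` records each query."""
    for server in servers:
        try:
            answer = query(server, qname)
        except TimeoutError:
            trace.append((server[0], qname, "no response"))
            continue
        trace.append((server[0], qname, answer or "NXDOMAIN"))
        return answer
    raise RuntimeError(f"no DNS server responded for {qname}")


def resolve(name, servers, suffix=None):
    """Resolve `name` as the article describes: with a suffix configured,
    query name.suffix first and the bare name only if that returns
    NXDOMAIN. Returns ((queried name, address) or None, trace)."""
    trace = []
    candidates = [f"{name}.{suffix}", name] if suffix else [name]
    for qname in candidates:
        answer = first_answer(servers, qname, trace)
        if answer is not NXDOMAIN:
            return (qname, answer), trace
    return None, trace


if __name__ == "__main__":
    cases = [
        ("local first, suffix set", "mail", [LOCAL_DNS, PUBLIC_DNS], "example.net"),
        ("public first, suffix set", "mail", [PUBLIC_DNS, LOCAL_DNS], "example.net"),
        ("local first, no suffix", "mail", [LOCAL_DNS, PUBLIC_DNS], None),
        ("local first, no suffix, FQDN", "mail.example.net", [LOCAL_DNS, PUBLIC_DNS], None),
        ("first server down", "intranet", [DOWN_DNS, LOCAL_DNS], "example.net"),
    ]
    for title, name, servers, suffix in cases:
        result, trace = resolve(name, servers, suffix)
        print(f"{title}: {name!r} -> {result}")
        for step in trace:
            print("   ", *step)
```

Running the script shows the two failure modes the article warns about: with the public server listed first, `mail` with suffix `example.net` gets NXDOMAIN for both `mail.example.net` and `mail` and never reaches the local server, and with no suffix configured the bare name `mail` fails even though the local server is first, so the client must use `mail.example.net`. The trace for the wrong order also shows every internal hostname being sent to the public resolver, which is an information leak as well as a resolution failure. The "first server down" case shows the only situation in which the second server is used.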