DNS settings are a configuration item that gets set, confirmed to work, and then not discussed further. One issue that we see occurring regularly is Guest networks that hand out DNS settings pointing at internal servers. This can be exploited with malicious domain queries against unpatched servers, which exposes your Domain Controller to attackers. DNS settings on a WatchGuard firewall can be misleading. The steps shown below set the global DNS settings that apply to each interface on your firewall:
First, log in to your firewall via Policy Manager. Then navigate to Network->Configuration->WINS/DNS.
The settings you see here are the DNS settings for the firewall and the DNS settings for each interface unless you dictate those to be different. If you’re using internal DNS servers in this section, and you have a Guest VLAN/Interface, follow the next steps to ensure you aren’t handing DNS from your internal servers to your Guest!
While within Policy Manager, navigate to Network->Configuration->Interfaces->Configure DNS/WINS Servers
If you have your Guest network on a VLAN, you would find this setting using the following path: Network->Configuration->VLAN tab->Select VLAN->Edit – This will look identical to the picture above.
As you can see here, WatchGuard does warn you about this (highlighted in blue), but only once you already know to look at the interface-specific DNS settings. In this section you can override the global DNS settings and set different servers for the interface to use. Ensure that you set external DNS servers for your Guest network so that guest clients never reach your internal DNS servers and you aren't susceptible to malicious activity.
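The inheritance rule described above (global WINS/DNS applies to every interface and VLAN unless that interface carries its own override) is easy to get wrong when there are many VLANs. The following is an added example, not WatchGuard code and not from the original post: a small audit script that models that rule and flags any interface marked as Guest whose effective resolvers are internal. The interface names, global DNS list, and internal server addresses are a constructed sample; the external resolvers used for the clean Guest VLAN are the public Quad9 and Cloudflare addresses.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample mirroring the two WatchGuard settings discussed above:
# - global DNS (Network -> Configuration -> WINS/DNS), inherited by every interface
# - per-interface / per-VLAN "Configure DNS/WINS Servers" override


@dataclass
class Interface:
    name: str                 # hypothetical interface/VLAN name
    guest: bool               # True if this is the Guest network
    dns_override: list = field(default_factory=list)  # empty => inherits global DNS


def effective_dns(iface: Interface, global_dns: list) -> list:
    """Resolvers an interface actually hands out: its override if set, else the global list."""
    return list(iface.dns_override) if iface.dns_override else list(global_dns)


def is_internal(server: str, internal_servers: frozenset) -> bool:
    """Treat a resolver as internal if it is explicitly listed as one, or sits in a
    private, loopback or link-local range (RFC 1918 and friends)."""
    addr = ipaddress.ip_address(server)
    return (server in internal_servers
            or addr.is_private or addr.is_loopback or addr.is_link_local)


def audit(interfaces: list, global_dns: list, internal_servers: frozenset = frozenset()) -> dict:
    """Return {interface_name: [offending resolvers]} for every Guest interface
    whose effective DNS servers are internal. An empty dict means the config is clean."""
    findings = {}
    for iface in interfaces:
        if not iface.guest:
            continue
        bad = [s for s in effective_dns(iface, global_dns) if is_internal(s, internal_servers)]
        if bad:
            findings[iface.name] = bad
    return findings


# Constructed sample configuration (not a real firewall export).
SAMPLE_GLOBAL_DNS = ["10.0.0.10", "10.0.0.11"]          # internal AD DNS servers
SAMPLE_INTERNAL = frozenset(SAMPLE_GLOBAL_DNS)
SAMPLE_INTERFACES = [
    Interface("Trusted", guest=False),                   # inherits internal DNS: fine
    Interface("Guest-VLAN30", guest=True),               # no override: inherits internal DNS (bad)
    Interface("Guest-VLAN40", guest=True,
              dns_override=["9.9.9.9", "1.1.1.1"]),      # overridden to external resolvers (ok)
]


if __name__ == "__main__":
    for iface in SAMPLE_INTERFACES:
        print(f"{iface.name:12s} guest={iface.guest!s:5s} dns={effective_dns(iface, SAMPLE_GLOBAL_DNS)}")
    findings = audit(SAMPLE_INTERFACES, SAMPLE_GLOBAL_DNS, SAMPLE_INTERNAL)
    for name, servers in findings.items():
        print(f"FINDING: {name} hands internal DNS {servers} to guest clients")
    if not findings:
        print("OK: no Guest interface uses internal DNS")
```

Run this against an inventory of your own interfaces and VLANs after any change to the global WINS/DNS page; a Guest VLAN that silently inherits the new global servers shows up as a finding even though its own DNS page was never touched.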