Domain-specific DNS servers

The firewall can use domain-specific DNS servers to forward DNS requests to different DNS servers depending on the requested domain.

For example, the firewall can forward queries for internal domains to remote internal DNS servers, and forward other queries to a public DNS server, such as a DNS server maintained by your Internet Service Provider (ISP).

When you forward queries for external domains to public DNS servers, users get the DNS result that is geographically closest to them. Using the geographically closest IP address improves the quality of services that use DNS load balancing, such as cloud services that have regionally distributed data centers.

You define domain-specific DNS servers in the Domain-Specific DNS Servers section of a DNS Relay Profile element, as pairs of domain names and DNS server IP addresses. A query is forwarded to the DNS server that is paired with the matching domain; queries for domains that have no pair are forwarded to the default DNS servers.

In the Engine Editor, you specify the IP addresses that are used as source IP addresses when the firewall makes domain-specific DNS queries. If you send DNS queries through a VPN tunnel, you must select source IP addresses. In other configurations, selecting source IP addresses is optional. If you do not select a source IP address, the source IP address is automatically selected based on the route to the external DNS server.

An automatic rule allows traffic from the firewall to the domain-specific DNS servers. If you send the DNS queries through a VPN tunnel, you must disable the automatic rule so that the queries follow the VPN rather than the automatic rule.
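The forwarding decision described above, modelled as an added Python example. This is an illustration written for this page, not the firewall's own code; the DnsRelayProfile structure, the domain names and the IP addresses are constructed, and the choice of source IP follows the rules in the preceding paragraphs.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class DnsRelayProfile:
    """Hypothetical model of a DNS Relay Profile (constructed for this example)."""
    domain_servers: Dict[str, str]   # domain name -> DNS server IP (Domain-Specific DNS Servers)
    default_servers: List[str]       # public DNS servers used for all other queries


def matching_domain(qname: str, domains) -> Optional[str]:
    """Return the most specific configured domain that qname falls under, or None.

    Matching is label-based, so 'notcorp.example.test' does not match 'corp.example.test'.
    """
    labels = qname.rstrip(".").lower().split(".")
    best = None
    for domain in domains:
        dl = domain.rstrip(".").lower().split(".")
        if len(dl) <= len(labels) and labels[-len(dl):] == dl:
            if best is None or len(dl) > len(best.rstrip(".").split(".")):
                best = domain
    return best


def select_forwarder(profile: DnsRelayProfile, qname: str) -> Tuple[str, Optional[str]]:
    """Pick the DNS server for a query: the domain-specific server if a domain matches,
    otherwise the first default (public) server. Returns (server_ip, matched_domain)."""
    domain = matching_domain(qname, profile.domain_servers)
    if domain is not None:
        return profile.domain_servers[domain], domain
    return profile.default_servers[0], None


def select_source_ip(via_vpn: bool, configured: Optional[str], route_based: Optional[str]) -> str:
    """Source IP for the query. Through a VPN tunnel a configured source IP is mandatory;
    otherwise it is optional and the route-based address is used when none is configured."""
    if via_vpn:
        if configured is None:
            raise ValueError("source IP address must be selected for DNS queries sent through a VPN tunnel")
        return configured
    if configured is not None:
        return configured
    if route_based is None:
        raise ValueError("no route to the DNS server, cannot choose a source IP address")
    return route_based
```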