Configure DNS

STARTERTEAMENTERPRISE

Firezone includes a sophisticated DNS routing system available on all plans that provides Split DNS and fallback resolver configuration for each Firezone Client. Read more below to understand how it works and how to configure it.

How DNS works in Firezone

Each Firezone Client embeds a lightweight DNS proxy used to route queries to an appropriate Gateway for resolution.

When a user signs in, the Client configures the host operating system to use this proxy as the default resolver for all queries on the system.

This is why you'll commonly see 100.100.111.1 or fd00:2021:1111:8000::100:100:111:0 as the DNS server responding to DNS queries when the Firezone Client is signed in.

How queries are resolved

DNS resolution is explained in detail in the Firezone architecture docs.

When the proxy sees a DNS query for a Resource, it asks the portal for a healthy Gateway to handle the query. The Gateway resolves the query using its system resolver and sends the result back to the proxy, which generates a mapped IP to the Resource's actual IP address. The final mapped IP is then returned to the application making the query.

For example, if github.com was added as a Resource, an nslookup might return 100.96.0.1 as its IPv4 address:

> nslookup github.com
Server:  100.100.111.1
Address: 100.100.111.1#53

Non-authoritative answer:
Name:	github.com
Address: 100.96.0.1

If the query doesn't match a Resource, the proxy forwards the query to one of the upstream resolvers if configured.

Configuring Client DNS upstream resolvers

Upstream DNS in all Clients can be configured with the servers of your choosing so that all queries on Client devices will be forwarded to the servers you specify for all non-Firezone resources.

Go to Settings -> DNS and enter IPv4 and/or IPv6 servers to use as fallback resolvers. Firezone Clients will use these servers in the order they are defined for any query that doesn't match a Resource the user has access to.

Firezone Clients support only DNS over UDP/53 at this time. DNS-over-TLS and DNS-over-HTTPS upstream servers are not supported yet.

If no custom resolvers are configured, Firezone Clients will fall back to the default system resolvers, typically set by the DHCP server of their local network.

Custom resolvers such as Cloudflare or NextDNS can be used to block malware, ads, adult material and other content for all users in your Firezone account.

Configuring Gateway resolvers

Firezone makes no assumptions about the DNS environment in which the Gateway runs. It uses the default system resolver you've configured on the Gateway host.

This resolver is used for DNS Resources defined in your Firezone account so it's important that your Gateway host has DNS configured properly for Clients to resolve names successfully.

Need additional help?

Try asking on one of our community-powered support channels:

Discussion forums: Ask questions, report bugs, and suggest features.
Discord server: Join discussions, meet other users, and chat with the Firezone team
Email us: We read every message.

Or try searching the docs:

Last updated: April 16, 2024