Configure DNS
Firezone includes a sophisticated DNS routing system available on all plans that provides Split DNS and fallback resolver configuration for each Firezone Client. This guide covers how to configure it. For a detailed explanation of how Firezone routes and resolves DNS queries under the hood, see DNS resolution in the architecture docs.
The Firezone Client always embeds a lightweight resolver, which it activates when you sign in. Once active, it listens on 100.100.111.1 (or fd00:2021:1111:8000:100:100:111:0) and becomes the system's default DNS server. Queries that match a Resource are answered through Firezone; all other queries are forwarded to the resolvers you configure below or, if none are configured, to the Client host's default system resolver.
Firezone only intercepts queries for the A, AAAA, PTR, SRV and TXT record types for your DNS Resources. Queries for any other record type are forwarded to the upstream resolver(s) even when the name is a DNS Resource, so an MX or HTTPS lookup for a Resource name, for example, is answered by the upstream resolver rather than through the Gateway.
Configuring search domains
A search domain (sometimes known as a default DNS suffix) can be configured with
the domain name of your choosing in the Settings → DNS page. This domain will
automatically be appended to all single-label queries on the system when a
Client device is signed into Firezone.
On Apple devices, the search domain set in the Firezone admin portal is applied in addition to any locally configured search domains. On Android, Linux, and Windows devices it is applied instead of them, replacing any locally configured search domains while the Client is signed in. If this is causing an issue for your use case, please leave feedback on this GitHub issue.
Configuring Client DNS
Go to Settings → DNS to configure how Firezone Clients should resolve DNS.
Default system resolvers
By default, Firezone Clients will use the system resolvers, typically set by the DHCP server of their local network.
Secure DNS
Introduced in macOS 1.5.10, iOS 1.5.10, Android 1.5.7, Windows GUI 1.5.9, Windows Headless 1.5.9, and Linux Headless 1.5.9
Firezone Clients can send queries for all non-Firezone resources over DNS-over-HTTPS (DoH). Secure DNS encrypts those queries between the Client and the chosen provider, so on-path middleboxes (including ISPs) can neither read nor tamper with them; the DoH provider itself still sees the queries. This is especially useful on insecure or untrusted networks.
You can choose from several trusted DoH providers:
- Google Public DNS: Google's public DNS service
- Cloudflare DNS: Cloudflare's privacy-focused DNS service
- Quad9 DNS: Security and privacy-focused DNS service
- OpenDNS: Cisco's OpenDNS service
To enable Secure DNS, go to Settings → DNS in the admin portal and select the
"Secure DNS" option, then choose your preferred DoH provider.
Custom resolvers
You can instead set upstream resolvers of your choosing. Clients then forward every query for a non-Firezone resource to the servers you specify rather than to the system resolvers.
When setting custom upstream resolvers, configure both an IPv4 and an IPv6 address. Otherwise a Client that has only IPv4 or only IPv6 connectivity may be unable to resolve anything.
Queries forwarded to upstream resolvers bypass the Firezone tunnel unless both of the following hold: (1) you have defined custom upstream resolver(s) here, and (2) the resolver's address is covered by an IP or CIDR Resource in your account. A DHCP-provided system resolver never meets condition (1), so queries to it stay on the local network even if its address happens to fall inside an IP or CIDR Resource, and names for Firezone infrastructure and services on the Client's LAN remain resolvable.
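The routing rules above (search-domain qualification, the intercepted record types, DNS Resource matching, and the two conditions under which a forwarded query is tunnelled) are easy to get wrong when reasoning about a specific deployment. The following Python model, added here and not code from the Firezone project or its docs, reproduces those rules as a single decision function so you can check where a given query ends up. It assumes a DNS Resource matches a query name only by exact, case-insensitive comparison (the real matching rules are defined in the Resources docs, not here); the corp.example names, the 10.0.0.0/24 Resource and the 10.0.0.53 resolver are constructed inputs.

```python
"""Where does a Client's DNS query go?

Added example, not code from the Firezone project or its docs. It models the
Client-side rules described in this guide: single-label names get the
portal's search domain appended; A/AAAA/PTR/SRV/TXT queries for a DNS
Resource are answered through Firezone; everything else goes to the
upstream resolvers (custom ones if configured, otherwise the system's), and
that forwarded traffic is tunnelled only when custom resolvers are set AND
the resolver's IP lies inside an IP/CIDR Resource. Name matching is an
exact, case-insensitive comparison here (an assumption).
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# Record types the embedded resolver intercepts for DNS Resources (from the text).
INTERCEPTED_TYPES = {"A", "AAAA", "PTR", "SRV", "TXT"}


@dataclass
class ClientDnsConfig:
    dns_resources: set[str]                      # DNS Resource names
    ip_resources: list[str]                      # IP or CIDR Resources
    search_domain: str | None = None             # Settings -> DNS search domain
    custom_resolvers: list[str] = field(default_factory=list)  # Settings -> DNS
    system_resolvers: list[str] = field(default_factory=list)  # from DHCP


@dataclass
class Decision:
    qname: str                          # fully qualified name actually looked up
    via: str                            # "firezone" or "upstream"
    upstreams: list[tuple[str, bool]]   # (resolver IP, tunnelled through Firezone?)


def _norm(name: str) -> str:
    return name.rstrip(".").lower()


def qualify(qname: str, search_domain: str | None) -> str:
    """Append the search domain to single-label names only."""
    qname = _norm(qname)
    if search_domain and "." not in qname:
        return f"{qname}.{_norm(search_domain)}"
    return qname


def in_ip_resource(resolver_ip: str, ip_resources: list[str]) -> bool:
    """True if the resolver's address is covered by any IP/CIDR Resource."""
    addr = ipaddress.ip_address(resolver_ip)
    # strict=False accepts a bare IP as well as a CIDR; mixed address
    # families never match (IPv4 address in an IPv6 Resource is False).
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ip_resources)


def route_query(cfg: ClientDnsConfig, qname: str, qtype: str) -> Decision:
    """Decide whether a query is answered via Firezone or forwarded upstream."""
    name = qualify(qname, cfg.search_domain)
    resources = {_norm(r) for r in cfg.dns_resources}
    if qtype.upper() in INTERCEPTED_TYPES and name in resources:
        return Decision(name, "firezone", [])
    upstreams = cfg.custom_resolvers or cfg.system_resolvers
    if not upstreams:
        raise ValueError("no upstream resolver available")
    # Forwarded queries bypass the tunnel unless BOTH conditions hold:
    # custom resolvers are configured and the resolver is inside a Resource.
    custom = bool(cfg.custom_resolvers)
    return Decision(name, "upstream",
                    [(ip, custom and in_ip_resource(ip, cfg.ip_resources))
                     for ip in upstreams])


if __name__ == "__main__":
    # Constructed example: a corp LAN whose DHCP resolver 10.0.0.53 sits
    # inside a 10.0.0.0/24 CIDR Resource.
    cfg = ClientDnsConfig(
        dns_resources={"gitlab.corp.example"},
        ip_resources=["10.0.0.0/24"],
        search_domain="corp.example",
        system_resolvers=["10.0.0.53"],
    )
    for q, t in [("gitlab", "A"), ("gitlab.corp.example", "MX"), ("example.org", "A")]:
        print(q, t, route_query(cfg, q, t))
    cfg.custom_resolvers = ["10.0.0.53"]   # same resolver, now tunnelled
    print("custom:", route_query(cfg, "example.org", "A"))
```

Running the script shows the two cases the text contrasts: with only the DHCP resolver configured, the query to 10.0.0.53 is not tunnelled even though 10.0.0.53 falls inside the 10.0.0.0/24 Resource; once the same address is entered as a custom resolver, the forwarded queries go through Firezone.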
Blocking malicious DNS queries
You can use custom resolvers to block malicious or unwanted DNS queries across your workforce — preventing malware from reaching command-and-control servers and reducing phishing risk. In the Custom resolvers field above, enter the IPs of a provider that offers malware-blocking resolvers, for example:
| Provider | DNS filtering IP(s) |
|---|---|
| Cloudflare | 1.1.1.2, 1.0.0.2, 2606:4700:4700::1112, 2606:4700:4700::1002 |
| Quad9 | 9.9.9.11, 149.112.112.11, 2620:fe::11, 2620:fe::fe:11 |
| dns0.eu | 193.110.81.9, 185.253.5.9 |
| CleanBrowsing Security Filter | 185.228.168.9, 185.228.169.9, 2a0d:2a00:1::2, 2a0d:2a00:2::2 |
Each provider blocks a different set of domains, so test a few to find the best fit. Firezone only supports upstream resolvers reachable over plain UDP/53, so unlike the Secure DNS option above, queries to these filtering resolvers are not encrypted in transit.
To verify that filtering works, sign in a Client and query a domain the provider is known to block. A blocked domain returns NXDOMAIN or an answer of 0.0.0.0, depending on the provider. Cloudflare provides malware.testcategory.com for testing its own filtering resolvers; other providers may resolve that name normally, so use the test name each provider documents:
```
> dig malware.testcategory.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57424
;; ANSWER SECTION:
malware.testcategory.com. 60 IN A 0.0.0.0
```
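Checking one resolver by hand is fine, but when comparing the providers in the table it helps to run the same test against every address and classify the replies consistently. The Python script below is an added example, not code from the Firezone project or its docs. It shells out to dig (assumed to be installed) for each IPv4 address in the table, applies the rule from the text (NXDOMAIN or a 0.0.0.0 answer means blocked; the IPv6 sinkhole :: is treated the same way, an assumption), and reports anything else as allowed or inconclusive. The test name is Cloudflare's; for the other providers substitute the test name they document, and to test the end-to-end path query through a signed-in Client instead of addressing the upstream directly.

```python
"""Check that a filtering resolver actually blocks a known-bad test name.

Added example, not part of the Firezone docs or project. Runs `dig`
(assumed installed) against each filtering resolver and classifies the
reply: NXDOMAIN or a sinkhole address (0.0.0.0, or :: for AAAA) counts as
blocked, a real address as allowed, anything else as error/inconclusive.
"""
from __future__ import annotations

import re
import subprocess

# IPv4 filtering resolvers from the table above.
FILTERING_RESOLVERS = {
    "Cloudflare": ["1.1.1.2", "1.0.0.2"],
    "Quad9": ["9.9.9.11", "149.112.112.11"],
    "dns0.eu": ["193.110.81.9", "185.253.5.9"],
    "CleanBrowsing Security Filter": ["185.228.168.9", "185.228.169.9"],
}

# Cloudflare's test name from the text; other providers may not block it.
TEST_NAME = "malware.testcategory.com"
SINKHOLES = {"0.0.0.0", "::"}          # "::" is an assumption for AAAA
_STATUS = re.compile(r"->>HEADER<<-.*?status:\s*([A-Z]+)")


def answer_records(dig_output: str) -> list[tuple[str, str]]:
    """Return (type, rdata) pairs from dig's ANSWER SECTION."""
    records, in_answer = [], False
    for line in dig_output.splitlines():
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
        elif line.startswith(";") or not line.strip():
            in_answer = False               # next section or end of answers
        elif in_answer:
            fields = line.split()           # name TTL class type rdata...
            if len(fields) >= 5:
                records.append((fields[3], " ".join(fields[4:])))
    return records


def classify(dig_output: str) -> str:
    """'blocked', 'allowed' or 'error' for one raw dig reply."""
    m = _STATUS.search(dig_output)
    if m is None:
        return "error"                      # no header: timeout, dig missing...
    status = m.group(1)
    if status == "NXDOMAIN":
        return "blocked"
    if status != "NOERROR":
        return "error"                      # SERVFAIL, REFUSED, ...
    addrs = [rdata for rtype, rdata in answer_records(dig_output)
             if rtype in ("A", "AAAA")]
    if not addrs:
        return "error"                      # NOERROR without an address: inconclusive
    return "blocked" if all(a in SINKHOLES for a in addrs) else "allowed"


def query(resolver: str, name: str) -> str:
    """Run dig against one resolver; return its raw output ('' on failure)."""
    cmd = ["dig", f"@{resolver}", name, "+noall", "+comments", "+answer",
           "+time=3", "+tries=1"]
    try:
        return subprocess.run(cmd, capture_output=True, text=True,
                              timeout=10).stdout
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return ""


if __name__ == "__main__":
    for provider, ips in FILTERING_RESOLVERS.items():
        for ip in ips:
            print(f"{provider:30} {ip:16} {classify(query(ip, TEST_NAME))}")
```

Because classify() works on dig's text, you can also paste saved output into it to reason about a result after the fact; a CNAME chain ending in 0.0.0.0 is still reported as blocked because only the final A/AAAA records are inspected.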
Configuring Gateway resolvers
Firezone makes no assumptions about the DNS environment in which the Gateway
runs. It uses the default system resolver you've configured on the Gateway host,
typically defined in /etc/resolv.conf.
The Gateway uses this resolver to resolve the names of the DNS Resources defined in your Firezone account, so if DNS on the Gateway host is misconfigured, Clients will fail to resolve those Resources even though their own DNS settings are correct. Make sure the Gateway host's resolver can answer for every zone your DNS Resources live in, including any internal ones.