Multi-Tenant DNS Deployments
The firewall determines how to handle DNS requests based
on where the request originated. An environment where an ISP has
multiple tenants on a firewall is known as multi-tenancy. There
are three use cases for multi-tenant DNS deployments:
- Global Management DNS Resolution—The firewall needs DNS resolution for its own purposes, for example, the request comes from the management plane to resolve an FQDN for a management event such as a software update service. The firewall uses the service route to get to a DNS server because the DNS request isn’t coming in on a specific virtual router.
- Policy and Report FQDN Resolution for a Virtual System—For DNS queries from a security policy, a report, or a service, you can specify a set of DNS servers specific to the virtual system (tenant) or you can default to the global DNS servers. If your use case requires a different set of DNS servers per virtual system, you must configure a DNS Proxy Object. The resolution is specific to the virtual system to which the DNS proxy is assigned. If you don’t have specific DNS servers applicable to this virtual system, the firewall uses the global DNS settings.
- Dataplane DNS Resolution for a Virtual System—This method is also known as a Network Request for DNS Resolution. The tenant’s virtual system can be configured so that specified domain names are resolved on the tenant’s DNS server in its network. This method supports split DNS, meaning that the tenant can also use its own ISP DNS servers for the remaining DNS queries not resolved on its own server. DNS Proxy Object rules control the split DNS; the tenant’s domain redirects DNS requests to its DNS servers, which are configured in a DNS server profile. The DNS server profile has primary and secondary DNS servers designated, and also DNS service routes for IPv4 and IPv6, which override the default DNS settings.
The following table summarizes the DNS resolution types. The
binding location determines which DNS proxy object is used for the
resolution. For illustration purposes, the use cases show how a
service provider might configure DNS settings to provide DNS services
for resolving DNS queries required on the firewall and for tenant
(subscriber) virtual systems.
Resolution Type | Location: Shared | Location: Specific Vsys
---|---|---
Firewall DNS resolution—performed by management plane | Binding: Global. Illustrated in Use Case 1 | N/A
Security profile, reporting, and server profile resolution—performed by management plane | Binding: Global. Same behavior as Use Case 1 | Binding: Specific vsys. Illustrated in Use Case 2
DNS proxy resolution for DNS client hosts connected to an interface on the firewall, going through the firewall to a DNS server—performed by dataplane | Binding: Interface. Service route: interface and IP address on which the DNS request was received. Illustrated in Use Case 3 |
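The following is an added example, not firewall code or configuration from this page, that models the three resolution paths above as a selection function: management-plane requests go to the global servers, policy/report lookups use the vsys-bound DNS proxy object or fall back to global, and dataplane requests on a tenant interface apply the proxy's split-DNS domain rules (longest suffix wins) before falling back to the tenant's ISP servers. All server addresses, interface names and domain names are constructed.

```python
from dataclasses import dataclass

GLOBAL_DNS = ("203.0.113.53", "203.0.113.54")  # constructed global (management-plane) DNS servers

@dataclass
class DnsServerProfile:  # primary/secondary servers plus an optional service-route override
    primary: str
    secondary: str
    service_route: str = "default"

@dataclass
class DnsProxyObject:  # bound to a vsys (Use Case 2) or to an interface (Use Case 3)
    name: str
    binding: str
    default_servers: DnsServerProfile  # used for names no domain rule matches (tenant's ISP DNS)
    domain_rules: dict                 # domain suffix -> DnsServerProfile (split DNS)

def match_domain_rule(qname, rules):
    """Longest-suffix match, so a rule for 'hr.tenant-a.example' beats 'tenant-a.example'."""
    labels = qname.lower().rstrip(".").split(".")
    best = None
    for suffix, profile in rules.items():
        s = suffix.lower().lstrip("*.").split(".")
        if len(s) <= len(labels) and labels[-len(s):] == s and (best is None or len(s) > best[0]):
            best = (len(s), profile)
    return best[1] if best else None

def choose_resolver(origin, qname, proxies, location=None):
    """Return (path, primary, secondary, service_route) for one DNS request."""
    if origin == "management":  # Use Case 1: firewall's own lookups via the service route
        return ("global", *GLOBAL_DNS, "default")
    proxy = next((p for p in proxies if p.binding == location), None)
    if origin == "policy":  # Use Case 2: vsys-specific DNS proxy if one exists, else global
        if proxy is None:
            return ("global", *GLOBAL_DNS, "default")
        d = proxy.default_servers
        return ("vsys-proxy", d.primary, d.secondary, d.service_route)
    if origin == "dataplane":  # Use Case 3: interface-bound proxy with split-DNS rules
        if proxy is None:
            return ("unproxied", None, None, None)
        prof = match_domain_rule(qname, proxy.domain_rules) or proxy.default_servers
        path = "tenant-dns" if prof is not proxy.default_servers else "tenant-isp-dns"
        return (path, prof.primary, prof.secondary, prof.service_route)
    raise ValueError(f"unknown origin {origin!r}")

# Constructed tenant: vsys2 on ethernet1/3 resolves its own domain on its DNS, everything else on its ISP
TENANT_DNS = DnsServerProfile("10.20.0.53", "10.20.0.54", service_route="ethernet1/3:10.20.0.1")
TENANT_ISP = DnsServerProfile("198.51.100.53", "198.51.100.54")
PROXIES = [
    DnsProxyObject("vsys2-policy", "vsys2", TENANT_ISP, {}),
    DnsProxyObject("vsys2-dataplane", "ethernet1/3", TENANT_ISP, {"tenant-a.example": TENANT_DNS}),
]
```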