Multi-Tenant DNS Deployments

Global Management DNS Resolution
—The firewall needs DNS resolution for its own purposes, for example, the request comes from the management plane to resolve an FQDN for a management event such as a software update service. The firewall uses the service route to get to a DNS server because DNS request isn’t coming in on a specific virtual router.
Policy and Report FQDN Resolution for a Virtual System
—For DNS queries from a security policy, a report, or a service, you can specify a set of DNS servers specific to the virtual system (tenant) or you can default to the global DNS servers. If your use case requires a different set of DNS servers per virtual system, you must configure a DNS Proxy Object. The resolution is specific to the virtual system to which the DNS proxy is assigned. If you don’t have specific DNS servers applicable to this virtual system, the firewall uses the global DNS settings.
Dataplane DNS Resolution for a Virtual System
—This method is also known as a Network Request for DNS Resolution. The tenant’s virtual system can be configured so that specified domain names are resolved on the tenant’s DNS server in its network. This method supports split DNS, meaning that the tenant can also use its own ISP DNS servers for the remaining DNS queries not resolved on its own server. DNS Proxy Object rules control the split DNS; the tenant’s domain redirects DNS requests to its DNS servers, which are configured in a DNS server profile. The DNS server profile has primary and secondary DNS servers designated, and also DNS service routes for IPv4 and IPv6, which override the default DNS settings.

Use Case 1: Firewall Requires DNS Resolution
Use Case 2: ISP Tenant Uses DNS Proxy to Handle DNS Resolution for Security Policies, Reporting, and Services within its Virtual System
Use Case 3: Firewall Acts as DNS Proxy Between Client and Server