Multi-Tenant DNS Deployments
The firewall determines how to handle DNS requests based on where the request originated. An environment where an ISP has multiple tenants on a firewall is known as multi-tenancy. There are three use cases for multi-tenant DNS deployments:
  • Global Management DNS Resolution—The firewall needs DNS resolution for its own purposes, for example, when a request comes from the management plane to resolve an FQDN for a management event such as a software update service. The firewall uses the service route to reach a DNS server because the DNS request isn’t coming in on a specific virtual router.
  • Policy and Report FQDN Resolution for a Virtual System—For DNS queries from a security policy, a report, or a service, you can specify a set of DNS servers specific to the virtual system (tenant) or you can default to the global DNS servers. If your use case requires a different set of DNS servers per virtual system, you must configure a DNS Proxy Object. The resolution is specific to the virtual system to which the DNS proxy is assigned. If you don’t have specific DNS servers applicable to this virtual system, the firewall uses the global DNS settings.
  • Dataplane DNS Resolution for a Virtual System—This method is also known as a Network Request for DNS Resolution. The tenant’s virtual system can be configured so that specified domain names are resolved on the tenant’s DNS server in its network. This method supports split DNS, meaning that the tenant can also use its own ISP DNS servers for the remaining DNS queries not resolved on its own server. DNS Proxy Object rules control the split DNS; the tenant’s domain redirects DNS requests to its DNS servers, which are configured in a DNS server profile. The DNS server profile has primary and secondary DNS servers designated, and also DNS service routes for IPv4 and IPv6, which override the default DNS settings.
The following table summarizes the DNS resolution types. The binding location determines which DNS proxy object is used for the resolution. For illustration purposes, the use cases show how a service provider might configure DNS settings to provide DNS services for resolving DNS queries required on the firewall and for tenant (subscriber) virtual systems.
| Resolution Type | Location: Shared | Location: Specific Vsys |
| --- | --- | --- |
| Firewall DNS resolution—performed by management plane | Binding: Global. Illustrated in Use Case 1 | N/A |
| Security profile, reporting, and server profile resolution—performed by management plane | Binding: Global. Same behavior as Use Case 1 | Binding: Specific vsys. Illustrated in Use Case 2 |
| DNS proxy resolution for DNS client hosts connected to an interface on the firewall, going through the firewall to a DNS server—performed by dataplane | Binding: Interface. Service Route: the interface and IP address on which the DNS request was received. Illustrated in Use Case 3 | Binding: Interface (as for Shared) |
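The selection logic the table summarizes (global servers for management-plane lookups, a vsys-assigned DNS proxy object with fallback to the global settings, and interface-bound split DNS on the dataplane with per-profile service-route overrides) can be modelled as a small decision function. The following is an added example written for this page, not PAN-OS code or configuration; the proxy and profile names, vsys and interface identifiers, and all IP addresses are constructed, and DNS proxy rules are matched by simple longest-suffix comparison rather than the firewall's full domain-matching syntax.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# --- Model of the objects the page describes (constructed names and addresses) ---

@dataclass
class DnsServerProfile:
    """Primary/secondary DNS servers plus optional IPv4/IPv6 service-route overrides."""
    name: str
    primary: str
    secondary: Optional[str] = None
    service_route_v4: Optional[str] = None  # source address used for IPv4 queries, if set
    service_route_v6: Optional[str] = None  # source address used for IPv6 queries, if set

    def servers(self) -> List[str]:
        return [s for s in (self.primary, self.secondary) if s]


@dataclass
class DnsProxyRule:
    """Domain suffixes redirected to a specific DNS server profile (split DNS)."""
    domains: List[str]
    profile: DnsServerProfile


@dataclass
class DnsProxyObject:
    name: str
    default_profile: DnsServerProfile            # used when no rule matches
    rules: List[DnsProxyRule] = field(default_factory=list)
    vsys: Optional[str] = None                   # None = shared location
    interfaces: List[str] = field(default_factory=list)  # dataplane binding


def _normalize(name: str) -> str:
    return name.rstrip(".").lower()


def _suffix_match(fqdn: str, domain: str) -> bool:
    fqdn, domain = _normalize(fqdn), _normalize(domain)
    return fqdn == domain or fqdn.endswith("." + domain)


def pick_profile(proxy: DnsProxyObject, fqdn: str) -> DnsServerProfile:
    """Most specific (longest) matching rule wins; otherwise the proxy's default profile."""
    best, best_len = None, -1
    for rule in proxy.rules:
        for dom in rule.domains:
            if _suffix_match(fqdn, dom) and len(_normalize(dom)) > best_len:
                best, best_len = rule.profile, len(_normalize(dom))
    return best or proxy.default_profile


def find_proxy(proxies: List[DnsProxyObject], *, vsys: Optional[str] = None,
               interface: Optional[str] = None) -> Optional[DnsProxyObject]:
    """Interface binding takes precedence (dataplane); otherwise match on the vsys."""
    for p in proxies:
        if interface is not None and interface in p.interfaces:
            return p
        if interface is None and vsys is not None and p.vsys == vsys:
            return p
    return None


# Constructed global (management) DNS settings.
GLOBAL_PROFILE = DnsServerProfile("global", "198.51.100.53", "198.51.100.54")


def resolve_servers(proxies: List[DnsProxyObject], fqdn: str,
                    origin: Tuple[str, Optional[str]], ipv6: bool = False) -> Dict:
    """Decide which servers answer a query and from which source the query is sent.

    origin is one of ("management", None), ("vsys", "<vsys>") or ("interface", "<ifname>").
    """
    kind, where = origin
    if kind == "management":                     # Use Case 1: global settings only
        proxy, profile = None, GLOBAL_PROFILE
    elif kind == "vsys":                         # Use Case 2: vsys proxy or fall back to global
        proxy = find_proxy(proxies, vsys=where)
        profile = pick_profile(proxy, fqdn) if proxy else GLOBAL_PROFILE
    elif kind == "interface":                    # Use Case 3: dataplane, must be interface-bound
        proxy = find_proxy(proxies, interface=where)
        if proxy is None:
            raise LookupError("no DNS proxy object bound to %s" % where)
        profile = pick_profile(proxy, fqdn)
    else:
        raise ValueError("unknown origin %r" % (kind,))

    override = profile.service_route_v6 if ipv6 else profile.service_route_v4
    if override:
        source = override                        # profile service route wins
    elif kind == "interface":
        source = "ingress:" + where              # reply path: interface the query arrived on
    else:
        source = "mgmt-service-route"            # management-plane service route
    return {"proxy": proxy.name if proxy else None, "profile": profile.name,
            "servers": profile.servers(), "source": source}


# Constructed tenant configuration: tenant A on vsys2, ethernet1/3, with split DNS.
TENANT_A_INTERNAL = DnsServerProfile("tenant-a-internal", "10.1.0.53", "10.1.0.54",
                                     service_route_v4="10.1.0.1")
TENANT_A_HR = DnsServerProfile("tenant-a-hr", "10.1.5.53")
TENANT_A_ISP = DnsServerProfile("tenant-a-isp", "203.0.113.53")
PROXIES = [DnsProxyObject("proxy-tenant-a", default_profile=TENANT_A_ISP,
                          rules=[DnsProxyRule(["tenant-a.example"], TENANT_A_INTERNAL),
                                 DnsProxyRule(["hr.tenant-a.example"], TENANT_A_HR)],
                          vsys="vsys2", interfaces=["ethernet1/3"])]

if __name__ == "__main__":
    for fqdn, origin in [("updates.example.net", ("management", None)),
                         ("intranet.tenant-a.example", ("vsys", "vsys2")),
                         ("www.example.org", ("vsys", "vsys1")),
                         ("hr.tenant-a.example", ("interface", "ethernet1/3"))]:
        print(fqdn, origin, "->", resolve_servers(PROXIES, fqdn, origin))
```

The two points worth noting are the fallbacks: a vsys with no assigned proxy object silently inherits the global servers, and a profile that sets only an IPv4 service route still sends IPv6 queries from the ingress interface, which is exactly the kind of asymmetry that shows up as "internal names resolve over v4 but not v6" in a tenant.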