VLAN/DMZ interface IP as DNS Server

Question

Hi, I've set up a new VLAN (20) bound to the LAN hardware (Port1.20) with IP 192.168.20.1, and assigned it to the DMZ zone. 
 If I run the policy checker using Firewall,SSL/TLS and web method, with the following parameters, it fails 
 URL: dns://192.168.20.1 
 Source: 192.168.20.10 
 Source Zone: DMZ 
 (although fails no matter what I use) . 
 I have: 
 
 DNS checked in Device Access for the DMZ, 
 DNS checked in Network>Zones>DMZ>Services 
 A firewall rule in the DMZ group allowing traffic from DMZ/VLAN20 IP Range to DMZ/Firewall VLAN IP (192.168.20.1), Service DNS. 
 
 I've also tried various combinations of full subnets/device groups and individual IPs in the rule but still no banana. 
 DNS queries to the firewall work fine on the LAN zone IP (10.0.0.1) from the LAN client, so the service is up. Doesn't work to the LAN from DMZ clients, as would be expected. 
 Have I missed something? Will the local firewall DNS server respond on a DMZ interface? I assumed that checking DNS in the zone config would enable that interface to respond to DNS queries. 
 TIA for any help offered

dirkkotte · Accepted Answer

Hi DCALS, 
 Sorry, misunderstanding: For access to the firewall-device (your DNS-access) you don't need an additional firewall rule... the settings under "Device access" are sufficient. For communication going through the firewall, you need a firewall rule ... of course. The policy tester is useful for traffic going through the firewall, but I think it doesn't capture services provided by the firewall device. (You can test access to Firewall:4444...since there is no firewall rule, the result would be "Blocked"...although access works)

VLAN/DMZ interface IP as DNS Server

Top Replies