
DHCP & DNS

DTC's DNS and DHCP architecture is built around one principle: the firewall is the sole DNS and DHCP server for every device on the network. No device points directly to a domain controller, external DNS, or any other DNS server. This decouples internet uptime from server availability and centralizes all DNS visibility on the firewall.

DNS Architecture

Domain Environments (Active Directory)

ENDPOINTS (workstations, phones, printers, servers)
  DNS = Firewall gateway IP (assigned via DHCP, Auto DNS Server enabled)
       |
       | All DNS queries
       v
FIREWALL (DNSMASQ)
  - Forwards: AD domain queries -> DCs via Forward Domain rules
  - Forwards: External queries -> upstream DNS (Cloudflare or DNSFilter)
  - Provides: DNS logging and visibility
       |                          |
       | AD domain queries        | External queries
       v                          v
DOMAIN CONTROLLER              UPSTREAM DNS
(Windows DNS Server)           Cloudflare (1.1.1.1) or DNSFilter
  - AD zones only
  - Static A records for servers
  - SRV records for AD services

Key points:

  • The firewall is the ONLY DNS server for all endpoints. No exceptions.
  • Forward Domain rules on the firewall send AD domain queries to the DC. The DC resolves them from its AD-integrated zone.
  • Static DNS entries for servers go in Windows DNS Server on the DC only. The Forward Domain rule handles forwarding. The firewall does NOT need static entries for AD environments.
  • If the DC goes down, internet still works. AD-dependent name resolution fails... but that's expected because AD itself is down. Independent failure domains.

Workgroup / Cloud-Only Environments (No AD)

ENDPOINTS (workstations, phones, printers)
  DNS = Firewall gateway IP (assigned via DHCP)
       |
       | All DNS queries
       v
FIREWALL (DNSMASQ)
  - Resolves: DHCP-registered hostnames automatically
  - Resolves: Static DNS entries for non-DHCP devices
  - Forwards: External queries -> upstream DNS

Key points:

  • No Forward Domain rules needed. The firewall handles everything.
  • DHCP clients auto-register with DNSMASQ via DHCP registration. As long as a Domain Name (Name Search Domain) is set in DHCP options, every DHCP device that sends a hostname in its lease request is resolvable as hostname.corp.company.com (and by bare hostname from clients that use that search domain). A device that sends no hostname gets a lease but no name... give it a DHCP reservation that sets the hostname, or a static DNS entry.
  • Static DNS entries go on the firewall for any device with a truly static IP (DNS servers, DHCP servers, gateways). Everything else should use DHCP reservations, which auto-register.

Configuration Reference

Component             Domain Environment                         Workgroup Environment
--------------------  -----------------------------------------  ---------------------
Endpoint DNS          Firewall gateway IP                        Firewall gateway IP
Secondary DNS         None                                       None
Forward Domain Rule   AD FQDN -> DC IP(s)                        N/A
Static DNS Entries    Windows DNS Server on DC only              On the firewall
Upstream DNS          Cloudflare (1.1.1.1) or DNSFilter          Same
DHCP DNS Assignment   Firewall gateway IP (Auto DNS Server)      Same
Name Search Domain    AD domain FQDN (e.g., corp.company.com)    corp.company.com

Upstream DNS Policy

Cloudflare (1.1.1.1) or DNSFilter depending on the client. That is it.

  • Do NOT use Google (8.8.8.8) — no threat filtering
  • Do NOT use Quad9 (9.9.9.9)
  • Do NOT use ISP DNS
  • DNSFilter clients get DNSFilter. Everyone else gets Cloudflare.
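The following is an added example, not DTC's own configuration or tooling. It models how DNSMASQ on the firewall picks a destination for each query from `server=` lines (the mechanism behind Forward Domain rules: the longest matching domain suffix wins, plain `server=` lines are the default upstream) and audits the default upstreams against the policy above. The dnsmasq.conf text, the gateway 10.0.1.1 and the DC addresses 10.0.1.5/10.0.1.6 are constructed; the DNSFilter anycast addresses are an assumption from memory and should be verified against DNSFilter's documentation.

```python
"""Model of DNSMASQ query routing plus an upstream-policy audit. Added example."""

# Constructed sample of the firewall's dnsmasq configuration for an AD site
# whose domain is ad.company.com (new naming standard). All addresses assumed.
SAMPLE_DNSMASQ_CONF = """
no-resolv
log-queries
server=/ad.company.com/10.0.1.5
server=/ad.company.com/10.0.1.6
server=1.1.1.1
server=1.0.0.1
"""

CLOUDFLARE = {"1.1.1.1", "1.0.0.1"}
# Assumption: DNSFilter's anycast resolvers. Verify before relying on them.
DNSFILTER = {"103.247.36.36", "103.247.37.37"}
FORBIDDEN = {
    "8.8.8.8": "Google", "8.8.4.4": "Google",
    "9.9.9.9": "Quad9", "149.112.112.112": "Quad9",
}


def parse_servers(conf):
    """Split server= lines into forward rules and default upstreams.

    server=/domain/ip  -> forward rule covering domain and every name under it
    server=ip          -> default upstream used when no rule matches
    """
    rules, defaults = {}, []
    for line in conf.splitlines():
        line = line.strip()
        if not line.startswith("server="):
            continue
        value = line[len("server="):]
        if value.startswith("/"):
            _, domain, target = value.split("/", 2)
            rules.setdefault(domain.lower().rstrip("."), []).append(target)
        else:
            defaults.append(value)
    return rules, defaults


def route_query(qname, rules, defaults):
    """Return (matched_domain, servers) the way dnsmasq would choose them:
    the most specific configured suffix wins, else the default upstreams."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in rules:
            return suffix, rules[suffix]
    return None, defaults


def audit_upstreams(defaults, client_uses_dnsfilter=False):
    """List policy violations in the default upstream set (empty list = clean).
    DNSFilter clients must use DNSFilter; everyone else must use Cloudflare;
    Google, Quad9 and anything else (e.g. ISP resolvers) are rejected."""
    allowed = DNSFILTER if client_uses_dnsfilter else CLOUDFLARE
    problems = []
    for ip in defaults:
        if ip in FORBIDDEN:
            problems.append(f"{ip} is {FORBIDDEN[ip]}: not permitted")
        elif ip not in allowed:
            problems.append(f"{ip} is not in the approved upstream set")
    return problems


if __name__ == "__main__":
    rules, defaults = parse_servers(SAMPLE_DNSMASQ_CONF)
    for q in ("dc01.ad.company.com", "_ldap._tcp.dc._msdcs.ad.company.com",
              "nas01.corp.company.com", "www.example.com"):
        print(f"{q:40} -> {route_query(q, rules, defaults)}")
    print("policy:", audit_upstreams(defaults) or "clean")
```

Running it shows the check a practitioner wants from this section: AD names (including the `_msdcs` SRV lookups) go to the DCs, `www.example.com` goes to Cloudflare, and `nas01.corp.company.com` also goes to Cloudflare, because the sample has no rule for corp.company.com. If static entries live in a corp.company.com zone on the DC while the AD domain is ad.company.com, that zone needs its own Forward Domain rule.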

DNS Naming and Records

AD Domain Naming

  • New standard: ad.company.com... Active Directory is an application and follows the appname.company.com naming schema
  • Legacy (still common): Industry-based names like dental.company.com, endo.company.com
  • Existing legacy domains do not need to be renamed

Static Entry Domain

Use corp.company.com for static DNS entries regardless of environment. In AD environments, these entries live in a corp.company.com zone in Windows DNS Server on the DC. If the AD domain is not corp.company.com itself (for example ad.company.com under the new standard), the firewall needs a second Forward Domain rule for corp.company.com -> DC IPs, otherwise it sends those queries upstream and they fail. In workgroup environments, the entries live on the firewall.

Record Types

Type             When to Use                                                Example
---------------  ---------------------------------------------------------  ----------------------------------------------
Host (A)         Device has a static IP and no proxy                        server01.corp.company.com -> 10.0.1.10
Alias (CNAME)    Service is behind a reverse proxy                          app.corp.company.com -> proxy.corp.company.com
Forward Domain   Forward all queries for a domain to specific DNS servers   corp.company.com -> DC IPs

Rules:

  • All hostnames must be globally unique... no duplicate A or CNAME record names, and a name that is a CNAME cannot also carry an A record (DNS does not allow a CNAME to coexist with other records at the same name)
  • Use CNAME records for proxied services... point to the proxy's A record so an IP change only needs one update
  • Use A records for direct IP mappings
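The rules above can be checked mechanically before a record set is loaded into Windows DNS Server or the firewall. The validator below is an added example, not DTC's tooling; the record list is constructed and the zone name corp.company.com is the page's static-entry domain. It flags duplicate names, a CNAME sharing a name with an A record, dangling or chained CNAMEs, malformed A data, and two A names on one IP (usually a proxied service that should be a CNAME per the rule above).

```python
"""Validator for static A/CNAME records in one zone. Added example."""
import ipaddress
from collections import defaultdict

ZONE = "corp.company.com"

# Constructed record set: (name relative to ZONE, type, data).
RECORDS = [
    ("server01", "A", "10.0.1.10"),
    ("proxy", "A", "10.0.1.20"),
    ("app", "CNAME", "proxy"),
    ("portal", "CNAME", "proxy.corp.company.com."),
]


def relative(name):
    """Normalise a name to lower-case, zone-relative form."""
    name = name.lower().rstrip(".")
    if name.endswith("." + ZONE):
        name = name[: -len(ZONE) - 1]
    return name


def validate_records(records):
    """Return the list of rule violations (empty list means the set is clean)."""
    problems = []
    by_name = defaultdict(list)
    for name, rtype, data in records:
        by_name[relative(name)].append((rtype.upper(), data))

    # Rule: one record per name, and a CNAME never sits next to another record.
    for name, rrs in by_name.items():
        types = [t for t, _ in rrs]
        if len(rrs) > 1:
            if "CNAME" in types:
                problems.append(f"{name}: CNAME cannot coexist with other records ({', '.join(types)})")
            else:
                problems.append(f"{name}: duplicate {types[0]} records")

    # Rule: A data is an IPv4 address; a CNAME targets an A record in this zone.
    a_names_by_ip = defaultdict(list)
    for name, rrs in by_name.items():
        for rtype, data in rrs:
            if rtype == "A":
                try:
                    ipaddress.IPv4Address(data)
                except ValueError:
                    problems.append(f"{name}: A record data {data!r} is not an IPv4 address")
                    continue
                a_names_by_ip[data].append(name)
            elif rtype == "CNAME":
                target = by_name.get(relative(data))
                if target is None:
                    problems.append(f"{name}: CNAME target {data} has no record in the zone (dangling alias)")
                elif all(t != "A" for t, _ in target):
                    problems.append(f"{name}: CNAME target {data} is not an A record (CNAME chain)")

    # Rule: two A names on one IP is usually a proxied service; alias it instead.
    for ip, names in a_names_by_ip.items():
        if len(names) > 1:
            problems.append(f"{ip}: A records {', '.join(sorted(names))} share an IP; alias with CNAME instead")
    return problems


if __name__ == "__main__":
    for line in validate_records(RECORDS) or ["clean"]:
        print(line)
```

Run it against a proposed change set before touching the DC; an empty result means the change respects the rules, and each reported line names the record to fix.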

DHCP Architecture

The firewall is the sole DHCP server for all client networks.

  • Eliminates DHCP as a dependency on servers (servers can reboot/patch without killing leases)
  • Centralizes network services (firewall, DHCP, DNS... single pane of glass)
  • Simplifies server replacements and OS upgrades
  • DHCP reservations preferred over static IPs for everything except DNS servers, DHCP servers, and gateways

DHCP Options (DTC Standard)

Option           Value
---------------  ----------------------------------------------
Default Gateway  Firewall gateway IP
DNS Server       Firewall gateway IP (Auto DNS Server enabled)
Domain Name      corp.company.com (AD FQDN or chosen domain)
Lease Time       24 hours (86400 seconds)

What Gets Static IPs vs DHCP Reservations

Assignment        Devices
----------------  ----------------------------------------------------------------------------------------------------
Static IP         DNS servers (DCs), DHCP servers (firewall), Gateways
DHCP Reservation  Everything else... file servers, BDR, NAS, switches, APs, printers, phones, workstations, medical devices

DHCP reservations provide the same IP stability as static configs but with centralized management and automatic DNSMASQ hostname registration (workgroup environments).
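As an added example (not DTC's tooling or any site's real configuration), the script below turns a device inventory into the DNSMASQ DHCP lines that implement the options table and the reservation rule above, and checks the inventory first: malformed MACs or hostnames, addresses outside the subnet, a reservation that collides with the gateway or falls inside the dynamic pool, and duplicate MAC, IP or hostname. The subnet 10.0.1.0/24, gateway 10.0.1.1, pool bounds and every MAC address are constructed.

```python
"""DNSMASQ DHCP config from an inventory, with pre-flight checks. Added example."""
import ipaddress
import re

GATEWAY = "10.0.1.1"                      # firewall gateway IP (assumed)
SUBNET = ipaddress.ip_network("10.0.1.0/24")
POOL = ("10.0.1.100", "10.0.1.199")       # dynamic range for unreserved clients
DOMAIN = "corp.company.com"               # Domain Name / Name Search Domain
LEASE_SECONDS = 86400                     # 24 hours

# Constructed inventory. DCs and the firewall are static and are not listed.
RESERVATIONS = [
    {"hostname": "fileserver01",  "mac": "aa:bb:cc:00:00:10", "ip": "10.0.1.10"},
    {"hostname": "nas01",         "mac": "aa:bb:cc:00:00:30", "ip": "10.0.1.30"},
    {"hostname": "sw-core",       "mac": "aa:bb:cc:00:00:02", "ip": "10.0.1.2"},
    {"hostname": "printer-lobby", "mac": "aa:bb:cc:00:00:50", "ip": "10.0.1.50"},
]

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")
HOSTNAME_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def check_inventory(reservations, gateway=GATEWAY, subnet=SUBNET, pool=POOL):
    """Return a list of problems; an empty list means the inventory is safe to render."""
    problems = []
    seen = {"mac": {}, "ip": {}, "hostname": {}}
    low, high = (ipaddress.ip_address(p) for p in pool)
    gw = ipaddress.ip_address(gateway)
    for r in reservations:
        mac, ip, host = r["mac"].lower(), r["ip"], r["hostname"].lower()
        if not MAC_RE.match(mac):
            problems.append(f"{host}: malformed MAC {r['mac']!r}")
        if not HOSTNAME_RE.match(host):
            problems.append(f"{host}: invalid hostname (letters, digits, hyphens only)")
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            problems.append(f"{host}: invalid IP {ip!r}")
            continue
        if addr not in subnet:
            problems.append(f"{host}: {ip} is outside {subnet}")
        if addr == gw:
            problems.append(f"{host}: {ip} is the gateway address")
        if low <= addr <= high:
            problems.append(f"{host}: {ip} is inside the dynamic pool; reserve outside it")
        for key, val in (("mac", mac), ("ip", ip), ("hostname", host)):
            if val in seen[key]:
                problems.append(f"{host}: duplicate {key} {val} (also {seen[key][val]})")
            else:
                seen[key][val] = host
    return problems


def render_dnsmasq_dhcp(reservations, gateway=GATEWAY, pool=POOL,
                        domain=DOMAIN, lease=LEASE_SECONDS):
    """Render the dnsmasq lines for the DTC DHCP standard.
    domain= makes DHCP-registered hostnames answer as host.<domain>;
    each dhcp-host line is a reservation that also fixes the registered name."""
    lines = [
        f"domain={domain}",
        "expand-hosts",  # also qualify unqualified /etc/hosts names with the domain
        f"dhcp-range={pool[0]},{pool[1]},{lease // 3600}h",
        f"dhcp-option=option:router,{gateway}",
        f"dhcp-option=option:dns-server,{gateway}",
    ]
    for r in sorted(reservations, key=lambda r: ipaddress.ip_address(r["ip"])):
        lines.append(f"dhcp-host={r['mac'].lower()},{r['ip']},{r['hostname'].lower()}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    issues = check_inventory(RESERVATIONS)
    if issues:
        print("\n".join(issues))
    else:
        print(render_dnsmasq_dhcp(RESERVATIONS), end="")
```

Keeping reservations outside the dynamic pool is a convention rather than a dnsmasq requirement; it keeps the pool free for transient clients and makes a reserved address obvious on sight in a lease table.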


Firmware and Software Updates

Firewall devices and managed network equipment should be configured for automatic updates outside of business hours.

Update Type                       Schedule               Time
--------------------------------  ---------------------  ----------------------------------------------
Device firmware (switches, APs)   Daily (if available)   Outside business hours (e.g. 2:00 AM)
Firewall firmware                 Weekly                 Outside business hours (e.g. Sunday 5:00 AM)

All schedules must be outside business hours and staggered so they do not fire at the same time. The times above are common examples... adjust per site as needed.