Domain overrides are found at the bottom of the DNS Resolver configuration. These entries specify an alternate DNS server to use for resolving hosts in a specific domain.
A common use of domain overrides is to resolve internal DNS domains at remote sites using a DNS server at the main site that is reachable over VPN. In such environments all DNS queries are typically resolved at the central site for centralized control over DNS. However, some organizations prefer to let Internet DNS resolve with a local caching resolver at each site and only forward queries for internal domains to the central DNS server (e.g. for Split DNS).
A static route may be necessary for this to function over IPsec. See Accessing Firewall Services over IPsec for more information.
This can also be leveraged as a semi-effective means of blocking access to certain specific websites.
Do not use DNS override functionality as the only means of blocking access to sites.
Blocking via DNS requires that local clients use the firewall as their only DNS source. See Redirecting Client DNS Requests and Blocking External Client DNS Queries for suggestions on ensuring clients get their DNS responses from the firewall. It will stop non-technical users, but it is easy to circumvent for those with more technical aptitude.
- Domain
The domain name that will be resolved using this entry. This does not have to be a valid TLD, it can be anything (e.g. lab), or it can be an actual domain name (
- IP Address
Specifies the IP address of the DNS server to which queries for hostnames in Domain are sent. If the target DNS server is running on a port other than 53, add the port number after the IP address with an @ separating the values, for example:
- TLS Queries
Controls whether all queries for this domain sent to this server use SSL/TLS.
- TLS Hostname
An optional hostname used to validate the SSL/TLS server certificate.
- Description
A text description used to identify or give more information about this entry.
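To show how the four fields above fit together, here is an added example (not pfSense's own code) that renders one entry in the forward-zone syntax accepted by Unbound, the resolver behind the DNS Resolver, and flags the case where TLS Queries is enabled without a TLS Hostname: the session is then encrypted, but the upstream server's certificate is never checked against a name. The stanza layout as written here and the sample values 192.0.2.3, 5353 and dns.example.com are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class DomainOverride:
    """One Domain Override entry as entered on the DNS Resolver page."""
    domain: str               # Domain field, e.g. "lab" or "corp.example.com"
    server: str               # IP Address field, "ip" or "ip@port"
    tls: bool = False         # TLS Queries checkbox
    tls_hostname: str = ""    # optional TLS Hostname used to validate the certificate


def parse_server(value: str) -> tuple[str, int]:
    """Split the 'ip' or 'ip@port' notation into (ip, port); the port defaults to 53."""
    ip_text, _, port_text = value.strip().partition("@")
    ip = ipaddress.ip_address(ip_text)          # raises ValueError on a malformed address
    port = int(port_text) if port_text else 53
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return str(ip), port


def forward_zone(entry: DomainOverride) -> str:
    """Render the entry as an Unbound forward-zone stanza (illustrative layout, not pfSense's generated file)."""
    ip, port = parse_server(entry.server)
    addr = f"{ip}@{port}"
    if entry.tls and entry.tls_hostname:
        addr += f"#{entry.tls_hostname}"      # Unbound's auth-name suffix: the name the certificate is validated against
    lines = [
        "forward-zone:",
        f'    name: "{entry.domain.strip().rstrip(".")}"',
        f"    forward-addr: {addr}",
    ]
    if entry.tls:
        lines.append("    forward-tls-upstream: yes")
    return "\n".join(lines) + "\n"


def review(entry: DomainOverride) -> list[str]:
    """Return the findings a reviewer would raise for this override."""
    findings = []
    if entry.tls and not entry.tls_hostname:
        findings.append("TLS Queries enabled without TLS Hostname: the session is encrypted "
                        "but the upstream server's certificate is not validated")
    if entry.tls_hostname and not entry.tls:
        findings.append("TLS Hostname set but TLS Queries disabled: queries are sent in plaintext")
    return findings
```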