Assuming the source machines are located in a different burb/zone (because if they are in the same zone you don't need to create a rule), the factor that is going to determine how you create the rule is whether the destination is directly routable from the source.
e.g. if the source is located on the internet and your internal DNS server is located in a zone with a private address scope (192.168.x.x, 172.16.x.x or 10.x.x.x) then you will need to configure the source machine's DNS settings to use the Firewall's external IP address (or an alias on that interface) and then use the redirect host element in the rule to send the DNS traffic to the internally-hosted DNS server.
Service = DNS
Source burb/zone = external
Destination burb/zone = external
Source = address object(s)/group for the hosts allowed to use this service
Destination = address object for Firewall external IP (or alias)
Redirect host = address object for DNS server host
If the source and destination hosts are routable then it is simply a matter of creating a rule between the applicable source/destination zones for the DNS service with appropriate source/destination address restrictions.
Hope that helps.
Under our current setup the user PC gets DNS from the internal DNS server.
Then if user PC traffic needs to go to the Internet, here is the traffic flow:
PC----Switch---Internal DNS Server-------Switch----Mcafee firewall------Firewall ----Internet
I checked our existing Firewall and it has Transparent DNS with a single name server IP.
But when I check the rule on the Firewall it has Source as localhost and the SSH IP of the firewall.
Does a localhost source mean all DNS traffic originating from the firewall?
This rule has no hits.
So does this mean that for users going to the Internet their DNS is not done by the firewall?
When the Firewall is configured to use transparent DNS, the IP address assigned in the DNS configuration screen is for the Firewall to use itself for resolving things such as hostname-based address objects.
Based on your traffic flow, the client PCs are located on the same zone as the DNS server host, meaning there is no Firewall intervention at that point. The DNS server will resolve (or provide answers from its cache) as and when it can. Any requests requiring an external DNS host will come about either by performing root name lookups (the default mode of Microsoft DNS servers, I believe) or by way of a specific forwarder address configured on that DNS server.
Unless you have alternative routes to access the internet, the one conclusion we can draw from this is that if you are able to resolve internet hostnames without error and the firewall is running in transparent DNS mode then that request must be passing through the Firewall. If it isn't passing through the rule you think it should be using, that would suggest there is another rule higher in the rule list which is allowing UDP port 53 traffic to pass from internal to external.
You can use the Audit Viewer filtering to display DNS traffic passing through the Firewall and by opening one of these entries you should be able to see which rule it is actually using to pass this traffic.
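The two answers above describe the same mechanics from two sides: a redirect-host rule when the DNS server is not routable from the source, and an ordered rule list in which a broader rule higher up can pass UDP/53 so that the DNS-specific rule records no hits. The following is an added example that models both in a toy first-match policy evaluator with an Audit Viewer-style filter; it is not McAfee Firewall Enterprise code and not the posters' own configuration. The rule names, the DMZ server, the firewall external address (198.51.100.1), the internal DNS server (192.168.50.53) and the upstream resolver (192.0.2.53) are assumptions taken from RFC 5737/1918 ranges; only 192.168.50.1 (the client PC in the thread's filter) comes from the page.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Assumed addresses for the walk-through (documentation/private ranges, not the poster's real ones).
PC_IP = "192.168.50.1"           # client PC from the thread's Audit Viewer filter
INTERNAL_DNS = "192.168.50.53"   # assumed internal DNS server on the internal zone
FW_EXTERNAL_IP = "198.51.100.1"  # assumed firewall external interface address
UPSTREAM_DNS = "192.0.2.53"      # assumed forwarder / root server on the internet


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str                        # "any" matches every zone
    dst_zone: str
    src_nets: Tuple[str, ...]            # CIDR strings; empty tuple = any address
    dst_nets: Tuple[str, ...]
    proto: str                           # "udp", "tcp" or "any"
    dport: Optional[int]                 # None = any port
    redirect_host: Optional[str] = None  # rewrite the destination to this host

    def matches(self, p: Packet) -> bool:
        def in_nets(ip: str, nets: Tuple[str, ...]) -> bool:
            return not nets or any(ip_address(ip) in ip_network(n) for n in nets)
        return (self.src_zone in ("any", p.src_zone) and self.dst_zone in ("any", p.dst_zone)
                and in_nets(p.src_ip, self.src_nets) and in_nets(p.dst_ip, self.dst_nets)
                and self.proto in ("any", p.proto) and self.dport in (None, p.dport))


POLICY: List[Rule] = [
    # Broad outbound rule ABOVE the DNS-specific rule: every internal->external
    # UDP/53 packet matches here first, so the rule below never records a hit
    # even though name resolution works (the "higher rule" case in the answer).
    Rule("Allow_Internal_Out", "internal", "external", (), (), "any", None),
    Rule("Internal_DNS_Out", "internal", "external", ("192.168.50.0/24",), (), "udp", 53),
    # Non-routable destination: external clients send queries to the firewall's
    # external IP and the redirect host delivers them to the internal DNS server.
    Rule("External_DNS_Redirect", "external", "external", ("203.0.113.0/24",),
         (FW_EXTERNAL_IP + "/32",), "udp", 53, redirect_host=INTERNAL_DNS),
    # The DMZ -> internal DNS traffic the poster saw with an any/any zone filter.
    Rule("DMZ_to_Internal_DNS", "dmz", "internal", (), (INTERNAL_DNS + "/32",), "udp", 53),
]


def _entry(p: Packet, dst: str, rule: Optional[str]) -> Dict:
    return {"src_ip": p.src_ip, "src_zone": p.src_zone, "dst_zone": p.dst_zone, "dst_ip": dst,
            "application": "DNS" if p.dport == 53 else "other", "rule": rule}


def evaluate(policy: List[Rule], p: Packet, audit: List[Dict]) -> Tuple[Optional[str], str]:
    """Walk the ordered policy; the first matching rule wins (None = implicit deny).
    Returns (rule name, effective destination) and records an audit entry."""
    for rule in policy:
        if rule.matches(p):
            dst = rule.redirect_host or p.dst_ip
            audit.append(_entry(p, dst, rule.name))
            return rule.name, dst
    audit.append(_entry(p, p.dst_ip, None))
    return None, p.dst_ip


def filter_audit(audit: List[Dict], **criteria) -> List[Dict]:
    """Equivalent of 'src_ip X and src_zone Y and application DNS' in the Audit Viewer."""
    return [e for e in audit if all(e.get(k) == v for k, v in criteria.items())]


def hit_counts(policy: List[Rule], audit: List[Dict]) -> Dict[str, int]:
    return {r.name: sum(1 for e in audit if e["rule"] == r.name) for r in policy}


def run_scenario() -> List[Dict]:
    """Traffic as described in the thread. The PC's query to the internal DNS server
    stays on the internal zone and never reaches the firewall, so it is not evaluated;
    only the DNS server's upstream query, an external client hitting the redirect rule,
    and a DMZ server (assumed 10.10.0.5) querying the internal DNS server cross it."""
    audit: List[Dict] = []
    evaluate(POLICY, Packet("internal", "external", INTERNAL_DNS, UPSTREAM_DNS, "udp", 53), audit)
    evaluate(POLICY, Packet("external", "external", "203.0.113.7", FW_EXTERNAL_IP, "udp", 53), audit)
    evaluate(POLICY, Packet("dmz", "internal", "10.10.0.5", INTERNAL_DNS, "udp", 53), audit)
    return audit


if __name__ == "__main__":
    log = run_scenario()
    print("DNS entries for the PC:", filter_audit(log, src_ip=PC_IP, src_zone="internal", application="DNS"))
    print("DNS entries, any zone:", [(e["src_zone"], e["dst_zone"], e["rule"]) for e in filter_audit(log, application="DNS")])
    print("rule hits:", hit_counts(POLICY, log))
```

Filtering the audit by the PC's address returns nothing because the PC never talks to the firewall for DNS; filtering by application alone shows the DNS server's forwarded query landing on the broad outbound rule while the DNS-specific rule stays at zero hits, which is the shadowing the second answer describes, and the redirect entry shows the rewritten destination.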
I checked and there are a few host-based network objects, but they are not used in the Access Control Policy.
I can perform a DNS lookup on the host-based network object.
When I filter by my PC IP I can see in the logs that traffic is going to the Internet.
Requests for the Internet are passing via the Firewall, i.e. my traffic goes from the Internal to the External zone.
When I use Audit Viewer to filter DNS traffic I did this:
src_ip 192.168.50.1 and src_zone internal and (application 'DNS' )
I see no traffic at all even though I am browsing the internet.
When I choose source and destination as any/any zone,
Then i see DNS traffic going from Source Zone DMZ to Destination Zone Internal.
This traffic is from some source windows server to destination DNS server.
Many thanks, Phil